Does Your Computer Have a Virus? : Experts Debate Whether Electronic Attacks Are Urban Mythology or Threat to Security

The computer virus.

It’s not the latest version of the Asian flu or something you can catch from your keyboard.

Instead, it’s a parasitic program that can damage your data.

By some accounts, computer viruses are insidious destroyers that act much like biological viruses, invading home and business computers and crippling data networks before the victim even knows it’s there. At the very least, this view goes, they are a threat to every American with a PC; at worst they are a potential danger to national security.

By other accounts, computer viruses are just another urban legend, a relatively rare phenomenon blown far out of proportion by alarmists and by society’s deeply ingrained mistrust of technology. “Every two years, we go through this period of virus hysteria,” counsels Don Watkins of Petaluma, Calif., who is director for CompuServe IBM Net, an international network for IBM computer users. “We seem to get all wrapped up and concerned about this.”

Still, concern about the viruses is rising worldwide. More documented cases of viral “attacks” on computer systems came to light last year than at any time since viruses were first identified at USC in 1983. In March, leading computer security experts from around the world will meet in Paris to discuss the problem at a private conference known as “Securicom ’88.”

A Significant Threat?

But where the experts part company is over the question of how widespread computer viruses are and whether they threaten the worldwide computer networks or even the average PC user who balances his checkbook on an Apple Mac.

“I personally view it as like walking across the street,” Watkins said. “Certainly, you don’t walk across the street without looking for a car, but you also don’t spend the rest of your life worrying about crossing the street, either.”

But Fred Cohen, the University of Cincinnati professor who is credited with inventing the first computer virus in a controlled experiment as a USC graduate student, said he’s seen whole computer networks disabled by viruses. “It’s like germ warfare,” he warned.

Most recently, a seemingly innocuous program that displayed a Christmas tree and message was “widely distributed” through IBM’s electronic mail network on Dec. 11, according to IBM spokeswoman Linda Nardin.

But underlying it all was a virus designed to rifle through each recipient’s personal files in search of automatic routing lists. “If someone executed the file by typing the word ‘Christmas,’ the file was sent automatically to others on that person’s distribution list so it just proliferated,” Nardin explained.

The file went through the system, growing until it had produced “an excess volume of network traffic,” she said, “which slowed delivery of electronic mail.”

After IBM officials became aware of the problem, they were able that same day to trap the file and stop its propagation. Employees were alerted and told to delete the file when it was sent to them. Meanwhile, IBM officials developed a program which removed the file from the system.

IBM traced the virus-infected file “to a source outside of IBM in West Germany,” Nardin said. “That source had authorization to send electronic mail to users in our internal network. But I can’t get into specifics.”

Damage Was Limited

In the end, the virus affected “major IBM installations all over the United States,” Nardin confirmed. But the damage was limited to the electronic-mail network. “It was an inconvenience, really,” she said.

A computer virus is nothing more than a program--the instructions that tell a computer which functions to perform. But a computer virus differs from ordinary programs in one key aspect: It can reproduce itself.

In this way the computer virus is aptly named. By copying itself and attaching to innocent-looking programs, it can rapidly spread from one set of software or a floppy disk to another, usually through an electronic network. In malicious hands, it can do enormous damage long before it is detected.

“The thing that makes it a virus is infection,” Cohen explained. “When you run my program, your program becomes corrupt. When somebody runs your program, his program becomes corrupt. And so it goes.”

Like all computer programs, viruses can be constructed to do either good or evil. What concerns many experts, however, is that a virus could be inserted in a sensitive program by a prankster or disgruntled employee and wreak havoc. Hospital records could be destroyed, the air-traffic-control system confused, utilities shut down, manufacturing specifications flawed or even defense missile systems confounded.

In the hands of a terrorist, viruses could become dangerous tools. One national expert claims that he witnessed a test in which an international airport was shut down 13 minutes after a virus was introduced into the computer network.

“I don’t think it’s quite like terrorist groups having their own nuclear bombs, but it’s a potentially serious problem,” said Terry Gray, a former UCLA faculty member who studied viruses before becoming director of software engineering at Bridge Communications in Mountain View, Calif. “In certain communities where there’s reason to be concerned about security and integrity, there’s an increasing awareness of the risks.”

According to the alarmist point of view, no computer system or even individual PC is safe from a virus unless it is isolated--quarantined, in effect--from all others.

“As soon as you open yourself up to a network, you’re exposing yourself,” said Maria Pozza, a UCLA doctoral candidate in computer science and a consultant for the El Segundo-based Aerospace Corp., which does research, advanced planning and general systems engineering for the U.S. government on military space systems.

The emergence of the computer virus shows how technology has become such an integrated part of man’s communications. For instance, a virus couldn’t infect a system if computer networks weren’t so interrelated.

Like people, computers are sociable creatures; they routinely call each other up, talk and exchange information. Thus the very quality that makes computers so valuable is also what makes them so vulnerable.

“I don’t think we can reverse the need to share information,” Gray said. “It’s like trying to get Californians out of their automobiles and into public transportation.”

And yet, despite all the dire warnings about viruses, they are a hotly debated topic within the computing world today. In fact, a large segment of experts--from university professors to computer manufacturers like IBM and Hewlett-Packard--do not consider viruses to be an imminent threat.

“I have never seen one, nor do I personally know someone who has ever seen one,” Watkins said. “It’s always been a friend of a friend.”

“My professional opinion whenever I hear these stories,” noted software author Peter Norton of Norton Computing Co. in Santa Monica said, “is to believe that there’s a real grain of truth in them, but that they also tend to get exaggerated. It’s like the stories of the girl with the spider in the bouffant hairdo that we all heard in high school.

‘Urban Legends’

“These computer stories are examples of urban legends.”

In fact, Norton and others believe that virus hysteria is more sociological than practical, arising from the “magic” of the machine “that naturally arouses mystery, wonder or fear in peoples’ minds.”

“As computers take on more and more importance in people’s lives, there will be more and more mythology about them,” Norton said. “In general, people are happy about how computers help their lives, but also they’ve lost a certain degree of control because of them.”

Watkins agreed: “A lot of people still have a misconception of what computers do. The idea of a virus program is somehow easy for people to believe in. It’s something we want to believe in.”

Others speculate that viruses have become a “scapegoat” for anything that goes wrong with a computer these days. “It gives us a quick and easy solution by providing an excuse in cases when something happens that we can’t explain. In technology, even people who have lots of expertise still don’t know everything that’s happening inside that little box,” Watkins said.

In addition to the IBM holiday virus, new evidence suggests that several other documented viral attacks occurred in 1987.

In the upcoming February issue of Computers & Security, an official journal of the International Federation for Information Processing, editor Harold Highland detailed two previously unreported viral attacks last fall.

According to Highland, the first was made against NASA’s Space Physics Analysis Network, a worldwide library of space-related information with access to only unclassified data.

A computer group based in Hamburg, West Germany, known as the Chaos Computer Club, managed to penetrate the system by bypassing the operating systems security, then planted one or more viruses in the system, Highland claimed.

“NASA practically closed down the network to examine everything in it,” he reported. “Now the German government is prosecuting.” He described the perpetrators as “politically oriented hackers who do not believe in private property--a sort of computer version of the Weathermen.”

Now some people are wary of the NASA network, Highland maintained. “NASA is getting treated almost like a leper.”

A NASA spokesman in Washington confirmed the penetration but would not comment on whether a virus was involved.

Increase in ‘Crashes’

The second viral attack occurred at Pennsylvania’s Lehigh University computer center where microcomputer program disks were loaned to students for use in the university’s microcomputer laboratory. Soon, it was found that disks were being returned because they failed to work properly. And at the microcomputer lab, there was a sudden increase in the number of hard-disk “crashes.”

When the programs were examined, a virus was found--one cleverly hidden and almost impossible to detect.

So how was it discovered?

The university noticed that the date on the infected program was too recent; the original program had been written much earlier.

Damage was done, nevertheless. The university estimates that “several hundred” student disks were rendered useless as well as “several” hard disks in the microcomputer lab. The situation was serious enough to prompt Lehigh to send out a warning to other universities. Highland said the virus probably was picked up from a bulletin board, and the virus writer was someone with “a very, very sick mind.”

In other unrelated viral attacks last year, a so-called “Pakistani virus” infected an East Coast medical center and nearby university, destroying nearly 40% of patients’ records, and a so-called “Israeli” virus swept through IBM personal computers in Israel, primarily at Hebrew University in Jerusalem.

Researching the Problem

Were these the only viral attacks in 1987?

Almost certainly not. But no one knows how many occurred because companies, governments and others generally keep quiet about an outbreak. Otherwise, they could be ostracized.

Cohen, a frequent consultant for private companies and government agencies, said the federal government has several researchers working on the problem “in the classified domain,” including inside the National Security Agency.

Unlike Europe, where the exchange of information about viruses is much more open (a Swedish computer security group is even working on a manual for viral protection), “a lot of the problem here is that the government doesn’t really want you to talk that much about it,” Pozza said.

“The Europeans are light years ahead of us with the viruses,” Highland said. He believes that U.S. officials and businessmen worry too much that the more information released about viral attacks, the more “copycat” invasions will occur.

Watkins, who directs one of the largest PC-user networks in the country, notes that in six years of working in communications and looking at “thousands and thousands” of files, he has only seen two files that could have done damage.

“Both were extremely crude viruses, written with no craft at all,” he recalled. “They were so simplistic to be almost embarrassing. Everyone could have looked at those files and understood what was going on.”

Not a ‘Serious Problem’

Nor do computer companies seem overly concerned about the viral threat. “It’s not what we would define as a serious problem,” Hewlett-Packard spokesman Gene Endicott said. “Obviously, we have an interest in protecting ourselves against those types of invasions, and we’ve taken security steps to assure that we will not be subject to the problems associated with them.”

Yet some experts think all companies--especially computer vendors--should be paying more attention. “If I were at IBM or elsewhere, I’d feel it was worthwhile to invest some resources in it,” Gray said.

Highland says it’s a matter of do it now--or do it later: “All places, whether they like it or not, are going to wake up to the fact that it’s going to cost a heck of a lot less to try to maintain the integrity of a system than it is to clean it up.”

Already the market is responding to the increased interest in viruses. Minneapolis-based Digital Dispatch Inc. has developed “Data Physician,” a virus detection and removal software package.

Exactly what preventive measures--or antibodies--can be taken is another matter of dispute. Some experts argue that in the rush to link up systems and make computers easier to operate, vital security measures have been overlooked or bypassed.

But Cohen claims that for every measure developed to stop an infection, a virus could be programmed to overcome it. “There’s no perfect defense,” he said. “There are only imperfect defenses that work in lots and lots of cases.”