Computer Viruses--Is the Threat as Real as Hype?

The rumors started vibrating in late August: A new electronic virus, capable of crippling the operations of millions of personal computers, had been unleashed in Europe and was triggered to begin exploding throughout the United States on Oct. 13.

By early September, “virus busters” across the nation were mobilized.

The alarm was sounded by a young, energetic computer security officer in Washington, who persuaded a Nashville computer engineer, well connected in “hacker” circles, to create an antidote that was tested on a sample of the virus held by a retired computer science professor from Long Island. Their efforts worked.

By the time the virus--alternately known as “Friday the 13th” or “Data Crime”--was set to detonate today, thousands of anxious PC owners from Augusta to Anaheim were able to check their systems for the infection and prevent the possible loss of vital information.

This unprecedented effort, the first of such nationwide proportions, has provided a big boost for the virus detection industry, a loose but fast-growing fraternity of self-styled detectives, reformed hackers and righteous computer engineers out to eradicate the pernicious electronic critters--and turn a buck for their efforts.

But, at the same time, the episode has set off a fierce debate about the true severity of this and other virus threats, and whether such intense exposure generates hysteria and preys on computer owners’ insecurities, luring them into buying expensive--and possibly unneeded--computer security systems.

“It’s been a media virus, not a computer virus,” bellows John McAfee, director of the 2-year-old Computer Virus Industry Assn. in Santa Clara and an outspoken critic of the current flurry of anti-virus efforts. “There won’t be anything happening (today). We have a phantom here.”

Indeed. According to Dennis Steinauer, manager of computer security management at the National Institute of Standards and Technology in Washington, the much-dreaded Friday the 13th virus was discovered in only about a dozen PCs in the weeks before it was set to explode.

Electronic viruses are software programs that are deliberately appended to legitimate software. Their key characteristic is that they are capable of reproducing themselves endlessly, either through computer networks or the innocent sharing of infected data disks among PC users.

Viruses can spread good cheer--one wished startled PC users at International Business Machines a Merry Christmas--but most inflict damage by destroying data or clogging a machine’s operations to the point of near overload.

The Friday the 13th strain, one of at least three similar infections created by rogue computer hackers in Northern Europe earlier this year, is considered particularly pernicious because it can wipe out the instructions governing how information is stored on the hard disks of certain PC models, rendering their contents completely inaccessible.

The virus was aimed at IBM personal computers and compatible models, the most popular of all PC systems, putting an estimated 25 million to 30 million machines potentially at risk.

However, most experts now agree that the threat was greater that the true impact. “The bottom line is that it appears to have been blown totally out of proportion,” Steinauer says. “It has driven people over the edge.”

It also, apparently, has driven customers into the arms of waiting salesmen.

Computer security officials tell of being peppered over the last several weeks with brochures offering virus screening programs, antidotes, vaccines and other infection-fighting systems. Several claimed to work against Friday the 13th, while others just mentioned the current threat as evidence that no personal computer could be considered immune from infection without its owner having taken the proper precautions. Prices ranged from nothing to hundreds of dollars.

“It’s been like people who sell burglar alarm systems coming to your door with pictures of ransacked houses and families that have been devastated,” complains McAfee, who himself sells several computer security systems. “Of course, this is a legitimate business for a legitimate problem, but like anything else, there have been abuses.”

Though highly visible these days, the virus-busting portion of the large and well-established computer security industry is still quite new, and small. But it is growing. And so, too, are its supposed targets.

According to McAfee, reports of virus infections to his institute are currently running at the rate of 10,000 per month, nearly twice that of 1988. He says 10 new strains were discovered in the last two months, three alone in just the last two weeks.

Anti-viral programs, which go by such colorful names as “Data Physician,” “Flushot,” “Interferon” and “Disk Defender,” first showed up on the market about three years ago. Ranging in price from “free for the asking” to upward of $500, these products can, in their most elementary form, detect the presence of a virus, and, at their most sophisticated, automatically contain and disarm it.

But although the number of available products has increased to nearly two dozen--including an entry just two weeks ago from IBM--industry experts estimate that total sales are still considerably under $20 million per year.

The first tip about the latest infection apparently came from an anonymous oil company security officer working in Northern Europe who reportedly heard that the virus was being shipped to the United States. He is said to have told a friend, Tom Patterson, a 30-year-old computer security officer for Centel Federal Systems in Washington.

Patterson, who claims a background as a government intelligence operative, alerted the media and then turned to Winn Schwartau, a Nashville computer software engineer, for a quick antidote for Centel’s customers.

Schwartau says he leaned on his sources in the computer hacker underground for the code to the virus, and ultimately tested his detection program on a copy of the virus held by Harold J. Highland, a retired computer science professor who publishes Computers & Security, a respected industry journal, from his home in Elmont, N.Y.

According to Schwartau, at least 50,000 copies of his antidote, at about $25 a piece, have been sold in the last week. Countless copies of similar programs, some at considerably higher prices, were sold by other companies, some newly formed.

Early entrants into the field worry that the current flap will give their fledgling business a bad name. “A lot of companies are trying to capitalize on the virus hysteria,” says Michael Riemer, president of Foundation Ware, a 4-year-old Cleveland computer security firm.

Perhaps Riemer’s biggest concern is that computer users will mistakenly believe that because they have purchased one anti-viral product they are forever immune to all electronic infections, an error equivalent to believing that inoculation against the swine flu will protect against an invasion of the Hong Kong variety. Without a comprehensive security program and repeated checkups, Riemer says, no system is out of danger.

Others worry that vaccines and antidotes just egg on renegade programmers. “These anti-virus efforts just pose a challenge to these programmers to dream up yet another virus that will be undetectable,” says Donn Parker, a computer security expert at SRI, a Menlo Park think-tank. “And they’ll do it. That’s the game.”

Parker’s solution is to stop talking about viruses as though they were the electronic equivalent of nuclear holocaust. “This virus problem is serious only because of the potential losses, not the actual ones,” he says. “This whole episode has been like the scares of the 1960s when we all thought the hippies would put LSD in the nation’s water supplies.”

To Schwartau, the Nashville engineer, such notions are the equivalent of ignoring AIDS because it has infected a small percentage of the world’s total population. “That’s nuts, and you know it,” he says.

Still, he admits that things did get a little out of hand these last few weeks. “Did it become a media event?” Schwartau repeats. “Well, sort of. But it has focused corporate America on the problem of computer viruses.”

Adds the government’s Steinauer: “If this has done nothing more than get people to back up their computer disks, which they probably haven’t done since they bought the machines, then it’s not a half-bad thing.”

BACKGROUND

Although the first electronic viruses were discovered nearly two decades ago, these infectious software programs have gained momentum and attention recently because the proliferation of personal computers and computer networks makes their creation and transmission far easier than in the past. There are no completely foolproof ways to avoid infection; the simplest precautions a PC user can take are to carefully screen incoming data and routinely make copies of all stored information.