FOR IMMEDIATE RELEASE: Jan Kosko Sept. 22, 1989 301/975-2762 TN-XXXX COMPUTER SECURITY EXPERTS ADVISE STEPS TO REDUCE THE RISK OF VIRUS ATTACKS To reduce the risk of damage from potentially serious computer viruses, including one called "Columbus Day," experts at the National Institute of Standards and Technology (NIST), the National Computer Security Center (NCSC), and the Software Engineering Institute (SEI) are recommending several measures plus commonsense computing practices. "This advice is being offered to encourage effective yet calm response to recent reports of a new variety of computer virus," says Dennis Steinauer, manager of the computer security management and evaluation group at NIST. While incidents of malicious software attacks are relatively few, they have been increasing. Most recently, a potentially serious personal computer virus has been reported. The virus is known by several names, including "Columbus Day," Datacrime and "Friday the 13th." In infected machines it is designed to attack the hard-disk data-storage devices of IBM-compatible personal computers on or after October 13. The virus is designed to destroy disk file directory information, making the disk's contents inaccessible. (A fact sheet on this virus is attached and includes precautionary measures to help prevent damage.) While the Columbus Day virus has been identified in both the United States and Europe, there is no evidence that it has spread extensively in this country or that it is inherently any more threatening than other viruses, say the computer security experts. "Computer virus" is a term often used to indicate any self- replicating software that can, under certain circumstances, destroy information in computers or disrupt networks. Other examples of malicious software are "Trojan horses" and "network worms." Viruses can spread quickly and can cause extensive damage. They pose a larger risk for personal computers which tend to have fewer protection features and are often used by non- technically-oriented people. Viruses often are written to masquerade as useful programs so that users are duped into copying them and sharing them with friends and work colleagues. Routinely using good computing practices can reduce the likelihood of contracting and spreading any virus and can minimize its effects if one does strike. Advice from the experts includes: * Make frequent backups of your data, and keep several versions. * Use only software obtained from reputable and reliable sources. Be very cautious of software from public sources, such as software bulletin boards, or sent across personal computer networks. * Don't let others use your computer without your consent. * Use care when exchanging software between computers at work or between your home computer and your office computer. * Back up new software immediately after installation and use the backup copy whenever you need to restore. Retain original distribution diskettes in a safe location. * Learn about your computer and the software you use and be able to distinguish between normal and abnormal system activity. * If you suspect your system contains a virus, stop using it and get assistance from a knowledgeable individual. In general, educating users is one of the best, most cost- effective steps to take, says Steinauer. Users should know about malicious software in general and the risks that it poses, how to use technical controls, monitor their systems and software for abnormal activity, and what to do to contain a problem or recover from an attack. "An educated user is the best defense most organizations have," he says. A number of commercial organizations sell software or services that may help detect or remove some types of viruses, including the Columbus Day virus. But, says Steinauer, there are many types of viruses, and new ones can appear at any time. "No product can guarantee to identify all viruses," he adds. To help deal with various types of computer security threats, including malicious software, NIST and others are forming a network of computer security response and information centers. These centers are being modeled after the SEI's Computer Emergency Response Team Coordination Center, often called CERT, established by the Defense Advanced Research Projects Agency (DARPA). The centers will serve as sources of information and guidance on viruses and related threats and will respond to computer security incidents. In addition, NIST recently has issued guidelines for controlling viruses in various computer environments including personal computers and networks. NIST develops security standards for federal agencies and security guidelines for unclassified computer systems. NCSC, a component of the National Security Agency, develops guidelines for protecting classified (national security) systems. SEI, a research organization funded by DARPA, is located at Carnegie Mellon University in Pittsburgh. NOTE: Computer Viruses and Related Threats: A Management Guide (NIST Special Publication 500-166) is available from Superintendent of Documents, U.S. Government Printing Office, Washington, D.C. 20402. Order by stock no. 003-003-02955-6 for $2.50 prepaid. Editors and reporters can get a copy from the NIST Public Information Division, 301/975-2762. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Sept. 22, 1989 FACT SHEET Columbus Day Computer Virus Several reports of a new computer virus recently have been published in the media and throughout the data processing community. This virus has been referred to as "Columbus Day," "Friday the 13th," as well as "Datacrime I" or "Datacrime II." It attacks IBM-compatible personal computers running the MS-DOS/PC- DOS operating system. If activated, the virus will destroy disk file directory information, making files and their contents inaccessible. The following information has been compiled by NIST, NCSC, and SEI from several sources and is being made available for system managers to use in taking precautionary measures. NOTE: As with many viruses, there may be other, yet unidentified, variants with different characteristics. Therefore, this information is not guaranteed to be complete and accurate for all possible variants. NAMES OF VIRUS: Columbus Day, Friday the 13th, Datacrime I/II EFFECT: Performs a low-level format of cylinder zero of the hard disk on the target machine, thereby destroying the boot sector and File Allocation Table (FAT) information. Upon activation it may display a message similar to the following: DATACRIME VIRUS RELEASED:1 MARCH 1989 TRIGGER: The virus is triggered by a system date 13 October or later. (Note that 13 October 1989 is a Friday.) CHARACTERISTICS: Several characteristics have been identified:. 1. The virus, depending on its variant, appends itself to .COM files (except for COMMAND.COM), increasing the .COM file by either 1168 or 1280 bytes. In addition, the Datacrime II variant can infect .EXE files, increasing their size by 1514 bytes. 2. The 1168 byte version contains the hex string EB00B40ECD21B4. 3. The 1280 byte version contains the hex string 00568DB43005CD21. This virus reportedly was released on 1 March 1989 in Europe. It is unlikely that significant propagation could occur between the release date and mid-October; therefore, U.S. systems should be at a low risk for infection. If safe computing practices have been followed, the risk should be practically nil. However, managers believing their site may be at risk should consider taking precautionary measures, including one or more of the following actions: 1. Take full back-ups of all hard disks. If the disks are later found to have been infected and attacked by the virus, lost data can be recovered from the back-ups. Operating system and application software can be restored from original media. A full low-level disk format should be performed on the infected hard disk prior to restoration procedures. 2. Consider using a commercial utility that can assist in restoration of a disk directory and recovery of data. There are a number of such utilities on the market. Note that these utilities normally must be run prior to data loss to enable disk and file restoration. 3. Avoid setting the system date to 13 October or later until the systems have been checked for virus presence. 4. Attempt to determine if the virus is present in one or more files through one of the following techniques: a. If original file sizes are known, check for increased sizes as noted above. b. Use DEBUG or other utility to scan .COM and .EXE files for the characteristic hexadecimal strings noted earlier. c. Copy all software to an isolated system and set the system date to 13 October or later and run several programs to see if the virus is triggered. If activation occurs, all other systems will require virus identification and removal. d. Use a virus-detection tool to determine if this (or another) virus is present. Commercial products intended to detect or remove various computer viruses are available from several sources. However, these products are not formally reviewed or evaluated; thus, they are not listed here. The decision to use such products is the responsibility of each user or organization. - 30 - ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++A Suggested Readings List for Computer Viruses and Related Problems: Prepared by: John Wack National Institute of Standards and Technology September 22, 1989 ABSTRACT This document provides a list of suggested readings for obtaining information about computer viruses and other related threats to computer security. The primary intended audience is management as well as other technically-oriented individuals who wish to learn more about the nature of computer viruses and techniques that can be used to reduce their potential threat. The suggested readings may range from general discussions on the nature of viruses and related threats, to technical articles which explore the details of various viruses, the mechanisms they attack, and methods for controlling these threats to computer security. BASIC TERMS The following list provides general definitions for basic terms that are commonly used throughout the applicable literature. Some of the terms are relatively new and their definitions are not widely agreed upon, thus they may be used differently elsewhere. Computer Virus: A name for a class of programs that contain software that has been written to cause some form(s) of damage to a computing system's integrity, confidentiality, or availability. Computer viruses typically copy their instructions to other programs; the other programs may continue to copy the instructions to more programs. Depending on the author's motives, the instructions may cause many different forms of damage, such as deleting files or crashing the system. Computer viruses are so named because of their functional similarity to biological viruses, in that they can spread rapidly throughout a system. The term is sometimes used in a general sense to cover many different types of harmful software, such as trojan horses or network worms. Network Worm: A name for a program or command file that uses a computer network as a means for adversely affecting a system's integrity, reliability, or availability. From one system, a network worm may attack a second system by first establishing a network connection with the second system. The worm may then spread to other systems in the same manner. A network worm is similar to a computer virus in that its instructions can cause many different forms of damage. However a worm is generally a self-contained program that spreads to other systems, as opposed to other files. Malicious Software: A general term for computer viruses, network worms, trojan horses, and other software designed to deliberately circumvent established security mechanisms or codes of ethical conduct or both, to adversely affect the confidentiality, integrity, and availability of computer systems and networks. The software may be composed of machine-language executable instructions, or could be in the form of command files. Unauthorized User(s): A user who knowingly uses a system in a non-legitimate manner. The user may or may not be an authorized user of the system. The actions of the user violate established security mechanisms or policies, or codes of ethical conduct, or both. Trojan Horse: A name for a program that disguises its harmful intent by purporting to accomplish some harmless and possibly useful function. For example, a trojan horse program could be advertised as a calculator, but it may actually perform some other function when executed such as modifying files or security mechanisms. A computer virus could be one form of a trojan horse. Back Door: An entry point to a program or system that is hidden or disguised, often created by the software's author for maintenance or other convenience reasons. For example, an operating system's password mechanism may contain a back door such that a certain sequence of control characters may permit access to the system manager account. Once a back door becomes known, it can be used by unauthorized users or malicious software to gain entry and cause damage. Time Bomb, Logic Bomb: Mechanisms used by some examples of malicious software to cause damage after a predetermined event. In the case of a time bomb, the event is a certain system date, whereas for a logic bomb, the event may vary. For example, a computer virus may infect other programs, yet cause no other immediate damage. If the virus contains a time bomb mechanism, the infected programs would routinely check the system date or time and compare it with a preset value. When the actual date or time matches the preset value, the destructive aspects of the virus code would be executed. If the virus contains a logic bomb, the triggering event may be a certain sequence of key strokes, or the value of a counter. Anti-Virus Software: Software designed to detect the occurrence of a virus. Often sold as commercial products, anti-virus programs generally monitor a system's behavior and raise alarms when activity occurs that is typical of certain types of computer viruses. Isolated System: A system that has been specially configured for determining whether applicable programs contain viruses or other types of malicious software. The system is generally disconnected from any computer networks or linked systems, and contains test data or data that can be restored if damaged. The system may use anti-virus or other monitoring software to detect the presence of malicious software. Computer Security: The technological safeguards and management procedures that can be applied to computer hardware, programs, data, and facilities to assure the availability, integrity, and confidentiality of computer based resources and to assure that intended functions are performed without harmful side effects. SUGGESTED READINGS Brenner, Aaron; LAN Security; LAN Magazine, Aug 1989. Bunzel, Rick; Flu Season; Connect, Summer 1988. Cohen, Fred; Computer Viruses, Theory and Experiments; 7th Security Conference, DOD/NBS Sept 1984. Computer Viruses - Proceedings of an Invitational Symposium, Oct 10/11, 1988; Deloitte, Haskins, and Sells; 1989 Denning, Peter J.; Computer Viruses; American Scientist, Vol 76, May-June, 1988. Denning, Peter J.; The Internet Worm; American Scientist, Vol 77, March-April, 1989. Dvorak, John; Virus Wars: A Serious Warning; PC Magazine; Feb 29, 1988. Federal Information Processing Standards Publication 83, Guideline on User Authentication Techniques for Computer Network Access Control; National Bureau of Standards, Sept, 1980. Federal Information Processing Standards Publication 73, Guidelines for Security of Computer Applications; National Bureau of Standards, June, 1980. Federal Information Processing Standards Publication 112, Password Usage; National Bureau of Standards, May, 1985. Federal Information Processing Standards Publication 87, Guidelines for ADP Contingency Planning; National Bureau of Standards, March, 1981. Fiedler, David and Hunter, Bruce M.; Unix System Administration; Hayden Books, 1987 Fitzgerald, Jerry; Business Data Communications: Basic Concepts, Security, and Design; John Wiley and Sons, Inc., 1984 Gasser, Morrie; Building a Secure Computer System; Van Nostrand Reinhold, New York, 1988. Grampp, F. T. and Morris, R. H.; UNIX Operating System Security; AT&T Bell Laboratories Technical Journal, Oct 1984. Highland, Harold J.; From the Editor -- Computer Viruses; Computers & Security; Aug 1987. Longley, Dennis and Shain, Michael; Data and Computer Security McAfee, John; The Virus Cure; Datamation, Feb 15, 1989. NBS Special Publication 500-120; Security of Personal Computer Systems: A Management Guide; National Bureau of Standards, Jan 1985. NIST Special Publication 500-166; Computer Viruses and Related Threats: A Management Guide; National Institute of Standards and Technology, Aug 1989. Parker, T.; Public domain software review: Trojans revisited, CROBOTS, and ATC; Computer Language; April 1987. Schnaidt, Patricia; Fasten Your Safety Belt; LAN Magazine, Oct 1987. Shoch, J. F. and Hupp, J. A.; The Worm Programs: Early Experience with a Distributed Computation; Comm of ACM, Mar 1982. Spafford, Eugene H.; The Internet Worm Program: An Analysis; Purdue Technical Report CSD-TR-823, Nov 28, 1988. Thompson, Ken; Reflections on Trusting Trust (Deliberate Software Bugs); Communications of the ACM, Vol 27, Aug 1984. Tinto, Mario; Computer Viruses: Prevention, Detection, and Treatment; National Computer Security Center C1 Tech. Rpt. C1- 001-89, June 1989. White, Stephen and Chess, David; Coping with Computer Viruses and Related Problems; IBM Research Report RC 14405 (#64367), Jan 1989. Witten, I. H.; Computer (In)security: infiltrating open systems; Abacus (USA) Summer 1987.