The term ``computer
virus'' was formally defined by Fred Cohen in 1983, while he performed academic
experiments on a Digital Equipment Corporation VAX system. Viruses are
classified as one of two types: research or ``in the wild.'' A research
virus is one that has been written for research or study purposes and has
received almost no distribution to the public. On the other hand, viruses which
have been seen with any regularity are termed ``in the wild.'' The first
computer viruses were developed in the early 1980s. The first viruses found in
the wild were Apple II viruses, such as Elk Cloner, which was reported in 1981 [Den90]. Viruses have
now been found on the following platforms:
- Apple II
- IBM PC
- Macintosh
- Atari
- Amiga
Note that all viruses
found in the wild target personal computers. As of today, the overwhelming
majority of virus strains are IBM PC viruses. However, as of August 1989, the
numbers of PC, Atari ST, Amiga, and Macintosh viruses were almost identical (21,
22, 18, and 12 respectively [Den90]). Academic studies have shown that viruses are
possible for multi-tasking systems, but none has yet appeared in the wild. This point
will be discussed later.
Viruses have ``evolved''
over the years due to efforts by their authors to make the code more difficult
to detect, disassemble, and eradicate. This evolution has been especially
apparent in the IBM PC viruses, because more distinct viruses are known for
the DOS operating system than for any other.
The first IBM-PC virus
appeared in 1986 [Den90]; this was the Brain virus. Brain was a boot sector virus and remained resident in memory.
In 1987, Brain was followed by Alameda (Yale), Cascade, Jerusalem, Lehigh, and Miami (South African Friday the 13th). These viruses expanded the targets beyond the boot sector to include COM
and EXE executables. Cascade was encrypted to deter disassembly and detection. Variable
encryption, in which the key changes from one infection to the next, appeared in 1989 with the 1260 virus. Stealth viruses, which employ various
techniques to hide their presence from the user and from scanners, also first appeared in 1989; examples are Zero Bug, Dark Avenger and Frodo (4096 or 4K).
In 1990, self-modifying viruses, such as Whale, were introduced. The year 1991 brought the GP1 virus, which is ``network-sensitive'' and
attempts to steal Novell NetWare passwords. Since their inception, viruses have
become increasingly complex.
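The progression in the paragraph above, from plaintext bodies to a constant encryption (Cascade) to variable encryption (1260), is exactly what broke the fixed byte-signature scanners of the period. The following Python simulation is an added example; it is not code from this page and is not derived from any real virus. BODY, the decryptor stub layout, the constant key 0x5A and the NOP filler are constructed placeholders standing in for code. It shows that a signature taken from the body catches the plaintext generation, that constant encryption only moves the usable signature to the unchanging decryptor stub, and that varying both the key and the stub defeats both signatures, until the scanner brute-forces the single-byte key and matches the decrypted body.

```python
"""Added example (not from the page or any real virus): a fixed-signature
scanner against plaintext, constant-key and variable-key encrypted bodies."""

# Constructed stand-ins for code; arbitrary bytes, not taken from any sample.
BODY = b"INFECT: open host, append viral body, patch entry point, exit"
BODY_SIG = BODY[:16]   # the byte string a scanner would store for the body
FIXED_KEY = 0x5A       # hypothetical constant key of the "Cascade-like" generation


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same operation encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def decryptor_stub(key: int, junk: int = 0) -> bytes:
    """Hypothetical decryptor prepended to an encrypted body. The stub must
    carry the key in clear so the body can be decrypted at run time; `junk`
    inserts do-nothing filler ahead of it, the simplest way to vary the stub."""
    return b"NOP;" * junk + b"XOR_LOOP key=" + bytes([key]) + b";"


# The constant-key generation always uses the same stub, so the stub itself is
# a usable signature even though the body is hidden.
STUB_SIG = decryptor_stub(FIXED_KEY)


def plain_sample() -> bytes:
    """Unencrypted body (the earliest generation)."""
    return BODY


def constant_encrypted_sample() -> bytes:
    """Constant key, constant decryptor: the body is hidden but the stub is not."""
    return decryptor_stub(FIXED_KEY) + xor_bytes(BODY, FIXED_KEY)


def variable_encrypted_sample(key: int, junk: int) -> bytes:
    """Per-infection key and padded decryptor: neither body nor stub is constant."""
    return decryptor_stub(key, junk) + xor_bytes(BODY, key)


def signature_scan(sample: bytes, sig: bytes) -> bool:
    """Fixed-signature scanner: exact substring match only."""
    return sig in sample


def brute_force_xor_scan(sample: bytes, sig: bytes):
    """Try all 256 single-byte keys and look for the body signature in the
    decrypted bytes; returns the key on a hit (0 means plaintext), else None."""
    for key in range(256):
        if sig in xor_bytes(sample, key):
            return key
    return None


def report() -> dict:
    """Run every scanner against every generation; the dict keys name the case."""
    variable = variable_encrypted_sample(key=0x3C, junk=2)
    return {
        "plain/body_sig": signature_scan(plain_sample(), BODY_SIG),
        "constant/body_sig": signature_scan(constant_encrypted_sample(), BODY_SIG),
        "constant/stub_sig": signature_scan(constant_encrypted_sample(), STUB_SIG),
        "variable/body_sig": signature_scan(variable, BODY_SIG),
        "variable/stub_sig": signature_scan(variable, STUB_SIG),
        "variable/brute_force_key": brute_force_xor_scan(variable, BODY_SIG),
    }


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:26s} {result}")
```

The brute-force recovery works only because a single-byte XOR has 256 possible keys. Once the decryptor's instructions themselves vary between infections, as the page attributes to 1260 and to the self-modifying Whale, a scanner can no longer rely on any fixed bytes and has to recognise the decryptor by its pattern or execute it in a controlled environment to obtain the decrypted body.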
Examples from the IBM-PC
family of viruses indicate that the most commonly detected viruses vary
according to continent, but Stoned, Brain, Cascade, and members of the Jerusalem family have spread widely and continue to
appear. This implies that highly survivable viruses tend to be benign,
to replicate many times before activation, or to be somewhat innovative, using
some technique never used before in a virus.
Personal computer
viruses exploit the lack of effective access controls in these systems. The
viruses modify files and even the operating system itself. These are ``legal''
actions within the context of the operating system. While more stringent
controls are in place on multi-tasking, multi-user operating systems,
configuration errors and security holes (security bugs) make viruses on these
systems more than theoretically possible.
This leads to the following
initial conclusions:
- Viruses exploit weaknesses in operating system controls
and human patterns of system use/misuse.
- Destructive viruses are more likely to be eradicated.
- An innovative virus may have a larger initial window to
propagate before it is discovered and the ``average'' anti-viral product
is modified to detect or eradicate it.
It has been suggested
that viruses for multi-user systems are too difficult to write. However, Fred
Cohen required only ``8 hours of expert work'' [Hof90] to build a virus that could penetrate a UNIX system.
The most complex PC viruses required a great deal more effort.
Yet, if we reject the
hypothesis that viruses do not exist on multi-user systems because they are too
difficult to write, what reasons could exist? Perhaps the explosion of PC
viruses (as opposed to other personal computer systems) can provide a clue. The
population of PCs and PC compatibles is by far the largest. Additionally,
personal computer users exchange disks frequently. Exchanging disks is not
required if the systems are all connected to a network. In this case large
numbers of systems may be infected through the use of shared network resources.
One of the primary
reasons that viruses have not been observed on multi-user systems is that
administrators of these systems are more likely to exchange source code rather
than executables. They tend to be more protective of copyrighted materials, so
they exchange locally developed or public domain software. It is more
convenient to exchange source code, since differences in hardware architecture
may preclude exchanging executables.
The advent of remote
disk protocols, such as NFS (Network File System) and RFS (Remote File System),
has resulted in the creation of many small populations of multi-user systems
which freely exchange executables. Even so, there is little exchange of
executables between different ``clusters'' of systems.
The following additional
conclusion can be drawn:
- Spreading a virus requires a large population of homogeneous
systems and the exchange of executable software.