|
–Geoff-Hart.com: Editing, Writing, and Translation —Home —Services —Books —Articles —Resources —Fiction —Contact me —Français |
You are here: Articles --> pre-1995 --> Beware the virus!
Vous êtes ici : Essais --> pre-1995 --> Beware the virus!
by Geoffrey Hart
Previously published as: Hart, G.J. 1989. Beware the virus! Computer Shopper, June:260–261, 439, 442.
Until recently, I was complacently content that computer viruses and their unpleasant kindred had confined themselves to the world of IBM. This was only fitting, as I felt that anyone who would purchase a living artifact from the world of computer prehistory deserved what they got. But then my brother-in-law, an Amiga owner, informed me that a substantial portion of his public domain disks had been wiped out suddenly and inexplicably, and a member of our Atari user group informed me that his hard drive had been erased without warning when he tried out some new software downloaded from a BBS. Friends, it seems that those dreaded software saboteurs have arrived in the world of the ST. If you will bear with me, I’ll describe the problem we face and provide you with a few effective tools and techniques for reducing the risk of such sabotage.
First off, let me define what I’m talking about. The problem that faces us is one of sabotage, a deliberate effort to damage the software and data that we invested so much electronic sweat equity collecting. The byproducts of an otherwise talented programming mind that suddenly switched from the act of creation to that of destruction. Why this change has occurred does not concern us so much as the implications of the change. What faces us is the knowledge that there is now an electronic form of disease that is very much like biological disease in the way it infects the bodies of computers and the damage it does.
A software virus is a small program that inserts itself into the body of your computer (that is, the memory and the storage devices) in much the same way that a biological virus inserts itself into your own body. It takes over the operations of your computer for some nefarious (or, at the very least, counterproductive) purpose, most commonly to make more viruses. The archetypical virus borrows some of those spare clock cycles your CPU isn’t really using (let’s face it, at 8 MHz, most STs spend 99% of their waking lives waiting for you to hit a key) and uses the time to make more copies of itself. The most benign virus simply copies itself into the computer’s memory until there is no space left for you to use; more malevolent viruses, like the one that infested my brother-in-law’s disks, copy themselves onto your disks, consuming valuable space and eventually overwriting and destroying the legitimate data stored there.
A software tapeworm is an electronic parasite that works in a slightly different fashion. Tapeworms are particularly cunning programs that attach themselves to a formerly healthy piece of software and burrow in, hiding themselves and feeding on spare bits of memory. A tapeworm uses an innocent-seeming piece of software that you always used to trust to get around the computer world, to grow at the expense of your productivity. Like a virus, the tapeworm lives on unused clock cycles in your computer, but unlike the virus, a tapeworm doesn’t necessarily reproduce itself. It may simply grow in size, or it may spend its life moving from disk to disk, browsing on data as it goes. There are few truly benign tapeworms, but malevolent tapeworms can set about systematically hunting down data to feed on, and replacing it with even more tapeworm. (John Brunner wrote a very interesting description of tapeworms in his 1975 novel The Shockwave Rider.) Unlike viruses, which typically move from disk to disk only when copy functions are performed, the “tapeworm” can patch itself into your operating system and intelligently navigate from place to place, reproducing when necessary, until it attains the goal it was programmed to seek. Tapeworms are said to have arisen from the innocent experimentation with a game known as Core Wars, where small pieces of program code moved about in the memory of a computer, hunting each other down until only one program remained “alive.”
The final, most nasty, form of computer disease is the so-called Trojan Horse. As you'll recall, the Trojan Horse was a nifty giant wooden sculpture of a horse left at the gate of Troy as a gift from the apparently defeated Greeks. When the Trojans took the horse inside the walls of their city to add it to their collection of lawn furniture, the Greeks who had hidden inside the horse stole out under cover of the night, opened the city gates, and allowed their colleagues to sneak in and conquer the city. Odysseus, the most clever of the ancient Greeks, is said to have come up with the idea, and although he has been called a hero because of his voyage home after the war (chronicled in The Odyssey), reading this book left me with the impression that he was a pretty unsavory character. Maybe there is some Trojan in my background?
In any event, the analogy of the Trojan Horse is an apt one. It takes a cunning mind to come up with the idea that a piece of software seemingly intended as a gift is actually teeming with Greek warriors intent on invading your computer and destroying its data. One can admire the subtlety required to do this even while one despises the end result. And the end result of a Trojan Horse is almost always the same—the destruction of your carefully hoarded data (usually by a subprogram that formats your disk, erasing all the information on it). I suppose there are some Trojan Horses out there that have more innocent purposes, such as a surprise announcement in the middle of your video game that “We're here!!!” But it’s the other sort we usually hear about. Worse yet, some of these programs are time bombs—they do exactly what they are supposed to do (e.g., play games, write letters, etc.) until a certain date comes up, then they explode on you. I don’t have a battery-backed system clock, so my date is always being reset to December 1985 when I turn on the computer. I haven’t been tempted to reset my clock since I first read about time bombs.
The purists will note that my definitions and descriptions are somewhat arbitrary. There are undoubtedly some pieces of software out there that have some of the characteristics of all three categories that I have described. For the moment, let my descriptions stand. They’re functional enough to allow us to understand the many ways our computers can be invaded and conquered. And, more importantly, they enable us to see how some very simple precautions can safeguard our software, our effort and our sanity.
The most obvious precaution is also the most commonly overlooked: make a safe backup copy of your software, and hide the original disk somewhere safe. (See the following for details on safe copying.) The bathroom is not safe—you can’t catch a computer virus from a dirty toilet seat, at least not yet, but you never know what we'll discover in the future. In any event, find somewhere dry, cool, and dust-free to store your original disks. A metal safe or strongbox is a very effective place, particularly since it will protect your diskettes from stray electromagnetic radiation. If the software is copy protected, contact the manufacturer about obtaining a second copy. Most will be quite willing to oblige you for a nominal fee if you assure them you're not planning to resell the copy to a friend. If all else fails, and while you are waiting for the backup copy to arrive, slide the write-protect notch on your disk so that it is physically impossible for any computer diseases to spread to the disk. (In this sense, computers are luckier than humans. No electronic saboteur can write itself to such a protected disk, since the write-protect notch physically prevents your disk drive from writing to the disk; by contrast, given enough time to evolve, many biological viruses will overcome virtually any protection the human body can come up with.)
The next step is to be a bit paranoid, and to assume that any piece of software that hasn’t been ordered direct from a reputable manufacturer is out to get you. Public domain software should not be trusted. A software disease can only spread to an unprotected disk by installing itself in memory and making a copy of itself with the unwitting help of the operating system. If you are planning to use any “safe” disks, turn off your computer completely (do a “cold” reboot) before you insert the new disk. This will erase the computer's memory entirely, so that when you start up once again, all that is there is what Atari intended to be there (plus whatever accessories are on the disk you use to boot with—and the fewer of these, the better, since you may not be able to trust accessories that didn’t come straight from Atari). A “warm” reboot (where you press that little button on back of the ST that restarts the computer without actually cutting power) is not good enough. Certain programs have been set up in such a way that they can survive a warm reboot and still keep on ticking. (A very good, benign example of this is the widely available public domain “eternal RAMdisk.”) Assume that some day in the future, an equally robust virus will come along, too.
If you want to be sure that a disk is free of viruses, do not use any public domain software to either format or copy it; use only the software that comes built in to your ST in the operating system’s menus. The reason for this is that we can trust Atari to have provided us with software that will do what it is supposed to do, even if we can’t trust their new product announcements. If you use public domain software (much of which is far more powerful and flexible than the TOS format and copy programs), you have no way of knowing if a tapeworm has been inserted in the software. If you think this sounds alarmist, bear in mind that one infamous public domain program that was intended to protect IBM computers and compatibles from viruses had been borrowed by a virus programmer, rereleased onto the bulletin boards, and turned out to be a Trojan Horse that formatted the owner’s hard drive. For similar reasons, the only copy program you can trust is the one that comes with TOS, or a commercially available substitute.
To sum up: if you want to produce a formatted, secure, disease-free disk, do a cold reboot and then use the format function in the file menu provided by TOS. If you want to copy files, do a cold reboot, insert the source disk and then use the mouse to select the files to be copied (i.e., drag the mouse pointer across the specific files to be selected), then drag these files to the destination disk. Under no circumstances drag the disk icon itself, as you would do to copy the entire disk at once. “But you just told us that Atari wouldn’t do anything nasty to us. Now you're saying we can’t trust their disk copy function?” Well, I did tell the truth, but I just omitted a few choice items until the time was right to bring them up. One of the nasty things about viruses is that they can hide so well that they’re virtually invisible without the use of a disk editor program (the electronic equivalent of a microscope—an electron microscope, in fact). If you copy the entire disk at once, these hidden files will be copied too in many cases. So copy the files rather than the whole disk, and if you won’t use TOS, at least use a safe program to do so. There is another good reason to do this. If you have added and deleted many files to the source disk, the File Allocation Table will become a bit fragmented; that is, the gaps left by deleted programs won't be totally filled in most cases. If you copy the entire disk, you get an exact copy, right down to the unusable empty space; if you copy one file at a time, you end up with more usable space on the copy disk.
One special case of the “hidden virus” problem has been built into the way your ST operates on disks. To maintain conformity with the MS-DOS disk format, the TOS format program was designed to provide for a boot sector on each disk you format. TOS mostly doesn’t use this sector, other than for certain autoboot disks. For this reason, your ST can read a disk that has been formatted on an IBM PC or compatible (i.e., which contains a boot sector), but a PC cannot read an ST disk unless the boot sector has been formatted in a way that the PC recognizes. What this means is that there is a blank space on your ST disk that isn’t ordinarily accessed. However, a particularly nasty class of viruses is able to install itself in that sector, and a whole-disk copy will copy the virus, too. Software that searches the boot sector for any hidden programs does exist (e.g., George R. Woodside’s excellent public domain “Virus killer” program), and it tries to correct this problem by analyzing then sterilizing the boot sector and destroying the presumed virus. Since your ST generally doesn’t use this sector, the procedure is painless and effective. The better solution is still to make sure that there’s nothing there in the first place.
Tapeworms can be particularly nasty because their cunning allows them to hide in otherwise safe-looking code. When they do so, they become undetectable short of dissecting the program with a disk editor and searching for telltale clues. (I lack this skill entirely, but there are some programmers out there who do know what to look for. In case you're wondering, this is a hint for one of you to write a followup article to this one to provide details.) The end result can be every bit as nasty as the original Trojan Horse—something that really does look useful and valuable but that contains a hidden danger.
This sort of sabotage can be detected in one very obvious way—to do its damage, the concealed program must access your disk and write to it (usually either to make a copy of itself or to format the disk). It follows that if your disk is write-protected, you are safe. Thus, when the game program that you are playing, which has no save game function and no high score file, tries to write to your disk, there’s a good bet that something fishy is happening— and you'll be glad that the disk is protected. If you have a hard drive, this is more of a problem, since the innovative engineers who brought us this technology neglected to install a physical write-protect device such as we have on our humble floppy disks. (Nobody’s perfect!) Fortunately, software protection exists. One public domain program that I have seen is called “protect.acc,” and it stops all attempts to write to any installed disk drive until you remove the protection.
If you’ve been thinking about what I just said, you'll have noticed a serious flaw in the logic. Some programs, by their very nature, must write to the disk. The word processor I wrote this article on would be pretty useless if it couldn’t save text files to disk. The problem, then, is a particularly nasty one: how can you tell when the word processor is legitimately writing to the disk, and when it is doing its best to erase many hours of work? (To be fair, the word processor may be entirely innocent, and the culprit may be an invisible program that has installed itself in memory. Remember my advice to do a cold reboot before using safe software? The same advice applies to using any program where it is important to save data to disk.)
I wish I could offer you a good answer to this sort of sabotage, but I’m afraid I can’t, not even in theory. It should be quite possible to produce a memory resident program that traps all attempts to write to a disk, and pops up a dialogue box warning you; in fact, the dialog box might well specify what activity was tried (e.g., a write or format) and to what disk drive it was directed. You might be offered an opportunity to cancel the operation or continue with it, or the program might simply stop in its tracks. It is also possible to store in a safe place the file size of every program in your library, and check every program to see if it has “grown” (i.e., had something added to it). But a really clever programmer could probably work his way around these forms of protection, and you can bet someone will do it some day. Short of avoiding all public domain software entirely, which is an entirely unsatisfactory solution, I can only repeat my warnings to follow the procedures detailed in all cases where you can’t afford to lose your programs or data. To be absolutely safe, keep your disks for different programs separate so that infections won’t spread—if you have your First Word files on one disk, save your POWRITER files on another. And do a cold reboot before you switch to First Word or after you've finished with PDWRITER. In this way, if worst comes to worst and you are hit by a virus, the number of disks that you lose will be reduced greatly. If you follow my advice on rebooting and using TOS to copy individual files from disk to disk, you can then make backup copies of the saved files with little fear of copying the virus, too. For your information, the new TOS ROMs will offer a keyboard equivalent to the cold reboot, so you won't even have to reach around the back of the ST to reboot. If you resent the idea of having to reboot, then console yourself that this will at least free up any memory that has been eaten by RAM disks etc.
If you follow my recommendations scrupulously, you should be safe from electronic contagion for the forseeable future. You'll also be doing a lot of extra work that may not be necessary, that will be time-consuming, and that will be a frustratingly primitive way of using your computer. In an ideal world, none of this would be necessary. Although the ST world is still a pretty safe place, and you can probably get away without these precautions for some time yet, the question you have ask yourself is a simple one: what investment in time and money have you sunk into your software, and are you prepared to risk that investment now that you know the saboteurs are out there? I’m cautious by nature, and I plan to be more cautious in the future.
One final note should be made for our “friends” the software pirates. We're all familiar with the moral arguments against software piracy, and I won’t rehash them here. But if you haven’t been persuaded to clean up your act by the moral arguments, how about by a good dose of fear? There are strong rumors that some professional programmers have decided to become saboteurs in their own right. To gain revenge on the parasitic pirates, they have released “cracked” versions of their own programs into the pirate underground. (A “cracked” program is one that has been stripped of its copy protection so that it can be copied and passed on to other pirates, who can use it without paying a cent to the owner.) To the horror of many a would-be pirate, increasingly many of these programs are booby-trapped with particularly subtle viruses, Trojan Horses, and tapeworms. In one celebrated case, two Pakistani brothers ran a “pirate software’ operation whereby they sold famous and expensive software (e.g., WordPerfect) for little more than the price of the disks. Approximately a year after they began this business, purchasers of the stolen software around the world suddenly discovered that they had committed electronic suicide by importing a particularly nasty Trojan Horse.
My gut feeling is one of admiration—I wish I had thought of that, because it’s a particularly fitting, if cruel, form of poetic justice. However, many innocent people suffered as well, simply because they permitted a friend or coworker to use the sabotaged software on their computer, ignorant of the fact that the software had been pirated. For this reason, I don’t wholly condone these actions, because you shouldn’t have to question the honesty of your friends before allowing them to use your computer.
©2004–2024 Geoffrey Hart. All rights reserved.