Invasion of the Data Snatchers
By Philip Elmer-DeWitt
Froma Joselow was getting ready to bang out a newspaper story when the invisible intruder struck. Joselow, a financial reporter at the Providence Journal-Bulletin, had carefully slipped a disk holding six months' worth of notes and interviews into one of the newsroom computers when the machine's familiar whir was pierced by a sharp, high-pitched beep. Each time she tried to call a file to the screen, the warning DISK ERROR flashed instead. It was as if the contents of her floppy disk had vanished. "I got that sinking feeling," recalls Joselow. "Every writing project of mine was on that disk."
In the Journal-Bulletin's computer center, where Joselow took her troubled floppy, the detective work began immediately. Using a binary editor -- the computer equivalent of a high-powered magnifying glass -- Systems Engineer Peter Scheidler examined the disk's contents line by line. "What I saw wasn't pretty," says Scheidler. "It was garbage, a real mess." Looking for a way to salvage at least part of Joselow's work, he began peering into each of the disk's 360 concentric rings of data.
Suddenly he spotted something that gave him a chill. Buried near Sector 0, the disk's innermost circle, was evidence that the glitch that had swallowed six months of Joselow's professional life was not a glitch at all but a deliberate act of sabotage. There, standing out amid a stream of random letters and numbers, was the name and phone number of a Pakistani computer store and a message that read, in part: WELCOME TO THE DUNGEON . . . CONTACT US FOR VACCINATION.
Joselow had been stricken by a pernicious virus. Not the kind that causes measles, mumps or the Shanghai flu, but a special strain of software virus, a small but deadly program that lurks in the darkest recesses of a computer waiting for an opportunity to spring to life. The computer virus that struck Joselow had been hiding in the memory of the newspaper's machine and had copied itself onto her data disk, scrambling its contents and turning the reporter's words and sentences into electronic confetti.
What was the intruder doing in the newsroom computer? Who had unleashed it and to what purpose? This particular virus was ultimately traced to two brothers who run a computer store in, of all places, Lahore, Pakistan. The brothers later admitted that they had inserted the program into disks they sold to tourists attracted to their store by its cut-rate prices. Their motive: to "punish" computer users for buying and selling bootleg software and thus depriving merchants of potential sales.
The Pakistani virus is only one of a swarm of infectious programs that have descended on U.S. computer users this year. In the past nine months, an estimated 250,000 computers, from the smallest laptop machines to the most powerful workstations, have been hit with similar contagions. Nobody knows how far the rogue programs have spread, and the exact mechanism by which they select their innocent victims -- resting harmlessly in some computers and striking destructively in others -- is still a mystery.
What is clear, however, is that a once rare electronic "disease" has suddenly reached epidemic proportions. Across the U.S., it is disrupting operations, destroying data and raising disturbing questions about the vulnerability of information systems everywhere. Forty years after the dawn of & the computer era, when society has become dependent on high-speed information processing for everything from corner cash machines to military-defense systems, the computer world is being threatened by an enemy from within.
Last week in Fort Worth, a jury heard evidence in what prosecutors describe as the epidemic's first criminal trial. A 40-year-old programmer named Donald Gene Burleson is accused of infecting a former employer's computer with a virus-like program that deleted more than 168,000 records of sales commissions. Burleson says he is innocent, but he was ordered to pay his former employer $12,000 in a civil case based on similar charges. If convicted, he could face ten years in prison.
A virus, whether biological or electronic, is basically an information disorder. Biological viruses are tiny scraps of genetic code -- DNA or RNA -- that can take over the machinery of a living cell and trick it into making thousands of flawless replicas of the original virus. Like its biological counterpart, a computer virus carries in its instructional code the recipe for making perfect copies of itself. Lodged in a host computer, the typical virus takes temporary control of the computer's disk operating system. Then, whenever the infected computer comes in contact with an uninfected piece of software, a fresh copy of the virus passes into the new program. Thus the infection can be spread from computer to computer by unsuspecting users who either swap disks or send programs to one another over telephone lines. In today's computer culture, in which everybody from video gamesters to businessmen trades computer disks like baseball cards, the potential for widespread contagion is enormous.
Since viruses can travel from one place to another as fast as a phone call, a single strain can quickly turn up in computers hundreds of miles apart. The infection that struck Froma Joselow hit more than 100 other disks at the Journal-Bulletin as well as an estimated 100,000 IBM PC disks across the U.S. -- including some 10,000 at George Washington University alone. Another virus, called SCORES for the name of the bogus computer file it creates, first appeared in Apple Macintosh computers owned by Dallas-based EDS, the giant computer-services organization. But it spread rapidly to such firms as Boeing and Arco, and has since turned up in computers at NASA, the IRS and the U.S. House of Representatives.
Many of America's 3,000 electronic bulletin-board systems have suffered some kind of infection, as have hundreds of users groups and thousands of businesses. "It is the topic of conversation within the computing society," says John McAfee, head of InterPath, a computer firm in Santa Clara, Calif.
So far, real disaster has been avoided. No killer virus has penetrated the country's electronic funds-transfer system, which is essential to the operation of the nation's banks. No stock- or commodity-exchange computer centers have crashed. No insurance-company rolls have been wiped out. No pension funds have had their records scrambled. No air-traffic-control systems have ground to a halt. And the U.S. military-defense system remains largely uncompromised, although there have been published reports of virus attacks at both the FBI and the CIA.
But most experts warn that the worst is yet to come. "The viruses we've seen so far are child's play," says Donn Parker, a computer-crime expert at SRI International in Menlo Park, Calif. Parker fears that the same viruses that are inconveniencing personal-computer users today could, through the myriad links and entry points that connect large networks, eventually threaten the country's most vital computer systems. Agrees Harold Highland, editor of Computers & Security magazine: "We ain't seen nothing yet."
At last count, more than 25 different viral strains had been isolated, and new ones are emerging nearly every week. Some are relatively benign, like the virus spread through the CompuServe network that causes machines equipped with voice synthesizers to intone the words "Don't panic." Others are more of a nuisance, causing temporary malfunctions or making it difficult to run isolated programs. But some seem bent on destroying valuable data. "Your worst fear has come true," wrote a computer buff in a report he posted on an electronic bulletin board to warn other users about a new Macintosh virus. "Don't share disks. Don't copy software. Don't let anyone touch your machine. Just say no."
Who are the perpetrators of this mischief? At first glance they seem an odd and varied lot. The Pakistani brothers are self-taught programmers isolated from the rest of the computer community. Two viruses exported to the U.S. from West Germany, by contrast, were bred in academia and spread by students. Other outbreaks seem to have come directly out of Silicon Valley. Rumor has it that the SCORES virus was written by a disgruntled Apple employee.
But some observers see an emerging pattern: the virus writers tend to be men in their late teens or early 20s who have spent an inordinate portion of their youth bathed in the glow of a computer screen. Scientific American Columnist A.K. Dewdney, who published the first article on computer viruses, describes what he calls a "nerd syndrome" common among students of science and technology. Says Dewdney: "They live in a very protected world, both socially and emotionally. They leave school and carry with them their prankish bent."
Thomas Lunzer, a consultant at SRI, believes the proliferation of microcomputers in schools and homes has exacerbated the problem. A powerful technology became widely available without the development of a code of ethics to keep that power in check. "We're harvesting our first crop of a computer- literate generation," says Lunzer. "The social responsibility hasn't caught up with them."
A case in point is Drew Davidson, a 23-year-old programmer from Tucson, who has achieved some notoriety as the author of the so-called Peace virus, which flashed an innocuous greeting on thousands of computer screens last spring. A study in self-contradiction, Davidson rails against those who would create malignant viruses, calling them "copycats" and "attention seekers." Yet he cheerfully admits that he created his virus at least in part to draw attention to his programming skills. "In the beginning, I didn't think it would have this kind of impact," he says. "I just thought we'd release it and it would be kind of neat."
On March 2, when several thousand Macintosh owners turned on their machines, they were greeted by a drawing of planet earth and a "universal message of peace" signed by Richard Brandow, a friend of Davidson's and the publisher of a Canadian computer magazine. The virus did no harm. It flashed its message on the screen and then erased its own instructions, disappearing without a trace.
But what made this virus special was how it spread. Brandow, who collaborated with Davidson in creating it, inserted the virus into game disks that were distributed at meetings of a Montreal Macintosh users group. A speaker at one meeting was a Chicago software executive named Marc Canter, whose company was doing some contract work for Aldus Corp., a Seattle-based software publisher. Canter innocently picked up a copy of the infected disk, tried it out on his office computer, and then proceeded, on the same machine, to review a piece of software being prepared for shipment to Aldus. Unaware that he had thereby passed on the hidden virus to the Aldus program, Canter sent an infected disk to Seattle. There the virus was unwittingly reproduced by Aldus employees, inserted in several thousand copies of a graphics program called Freehand, and shipped to computer stores around the country. It was the first known case of a virus spreading to a commercial software product.
The Peace virus capped a series of outbreaks that began last December, when a seemingly harmless Christmas greeting appeared mysteriously on terminals connected to a worldwide network owned and operated by IBM. Users who followed the instructions on the screen and typed the word Christmas inadvertently triggered a virus-like self-replicating mechanism, sending an identical copy of the original program to every name on their personal electronic mailing lists. In a matter of days, clones of the tiny program had multiplied in such profusion that they clogged the 350,000-terminal network like so many hairs in a bathtub drain.
Later that month, scientists at Jerusalem's Hebrew University reported that some of their desktop computers were growing lethargic, as if a hidden organism were sapping their strength. Once again, the problem was traced to a rapidly multiplying program that was consuming computer memory. This program carried something else as well. Within its instructional code was a "time bomb" linked to each computer's internal clock and set to go off on the second Friday in May -- Friday the 13th, the 40th anniversary of the State of Israel. Any machine still infected on that date would suffer the instant loss of all its files. Fortunately, the virus was eradicated well before May 13, and the day passed without incident.
The alarm caused by the appearance of these three viruses was amplified by two groups with a vested interest in making the threat sound as dramatic as possible. On one side are the computer-security specialists, a small group of consultants who make $100 an hour or more by telling corporate computer users how to protect their machines from catastrophic failure. On the other is the computer press, a collection of highly competitive weekly tabloids that have seized on the story like pit bulls, covering every outbreak with breathless copy and splashy headlines.
Meanwhile, entrepreneurs eager to profit from the epidemic have rushed to market with all sorts of programs designed to protect against viruses. In , advertising that frightens more than it informs, they flog products with names like Flu Shot +, Vaccinate, Data Physician, Disk Defender, Antidote, Virus RX, Viru-Safe and Retro-V. "Do computer viruses really exist? You bet they do!" screams a press release for Disk Watcher 2.0, a product that supposedly prevents virus attacks. Another program, VirALARM, boasts a telling feature: it instructs an IBM PC's internal speaker to alert users to the presence of a viral intruder with a wail that sounds like a police siren.
Comparisons with germ warfare and sexually transmitted diseases were perhaps inevitable. A virus that struck Lehigh University quickly got tagged "PC AIDS." That analogy is both overstated and insensitive, but it stems from a real concern that the computer revolution, like the sexual revolution, is threatened by viruses. At Apple, a company hit by at least three different viral strains, employees have been issued memos spelling out "safe computing practices" and reminded, as Product Manager Michael Holm puts it, "If you get a floppy disk from someone, remember that it's been in everybody else's computer too."
The publicity has triggered a certain amount of hysteria. Systems managers have imposed elaborate quarantines on their companies' machines. Computer columnists have advised readers to put their PCs under lock and key and, in one radical proposal, to disconnect their machines permanently from all data networks and telephone lines. Data-processing managers have rushed to stock up on antiviral programs. "We're seeing panic buying by those who have already been hit," says William Agne, president of ComNetco, which publishes Viru- Safe. When a virus showed up at the University of Delaware, the assistant manager of academic computing services immediately bought six different pieces of antiviral software. Then she began screening every floppy disk on campus -- some 3,000 in all.
In some cases, the threat of a virus is enough to spread panic. When scientists at the Lawrence Livermore National Lab were warned by a Government security center last May that a virus lurking in the lab's 450 computers was set to be activated that day, many users stopped work and began feverishly making backup copies of all their disks. The warning of a virus proved to be a hoax, but in such an atmosphere, says Chuck Cole, Livermore's deputy computer- security manager, "a hoax can be as disruptive as the real thing."
Industry experts are concerned that the publicity surrounding virus ) infections, like the attention given political kidnapings, could invite more attacks. "When we talk viruses, we create viruses," cautions Robert Courtney, a computer consultant from Kingston, N.Y. "We almost make it a self-fulfilling prophecy."
But the ranks of those who would dismiss the virus threat as a Chicken Little scare are getting smaller with every outbreak. Mitchell Kapor, founder of Lotus Development and now chairman of ON Technology, became a believer when some of his associates were infected. "It isn't the fall of Western civilization," says Kapor, "but the problem is real and the threat is serious." Scientific American's Dewdney has had a similar change of heart. "At first I thought these new outbreaks were much ado about nothing," he says. "But I'm now convinced that they are a bigger threat than I imagined."
The idea of an electronic virus was born in the earliest days of the computer era. In fact, it was Computer Pioneer John von Neumann who laid out the basic blueprint in a 1949 paper titled "Theory and Organization of Complicated Automata." If most of his colleagues found the idea that computer programs might multiply too fantastic to be taken seriously, they can be forgiven, for the paper predated the first commercial electronic computers by several years. But a handful of scientists quietly pursued Von Neumann's ideas, keeping them alive in the scientific literature until they sprang to life ten years later at AT&T's Bell Laboratories, in the form of a bizarre after-hours recreation known as Core War.
Core War was the brainstorm of three Bell Labs programmers then in their early 20s: H. Douglas McIlroy, Victor Vysottsky and Robert Morris. Like Von Neumann, they recognized that computers were vulnerable to a peculiar kind of self-destruction. The machines employed the same "core" memory to store both the data used by programs and the instructions for running those programs. With subtle changes in its coding, a program designed to consume data could be made instead to consume programs.
The researchers used this insight to stage the first Core War: a series of mock battles between opposing armies of computer programs. Two players would write a number of self-replicating programs, called "organisms," that would inhabit the memory of a computer. Then, at a given signal, each player's organisms did their best to kill the other player's -- generally by devouring their instructions. The winner was the player whose programs were the most abundant when time was called. At that point, the players erased the killer programs from the computer's memory, and that was that.
These clandestine battles, which took place late at night when computer usage was low, were quietly sanctioned by Bell Labs' bemused managers, many of whom were senior scientists. The fun soon spread to other leading computer- research facilities, including Xerox's Palo Alto Research Center and the artificial-intelligence lab at M.I.T.
In those early days, when each computer was a stand-alone device, there was no threat of a runaway virus. If things got out of control on a particular machine, its keepers could simply shut it down. But all that changed when computers began to be connected to one another. A self-replicating organism created in fun could be devastating if loosed upon the world of interconnected machines. For that reason, the Core War combatants observed an unspoken vow never to reveal to the public the details of their game.
In 1983 the programmers' code of honor was broken. The culprit was Ken Thompson, the gifted software engineer who wrote the original version of Unix, the computer operating system now coming into widespread use. Thompson was being presented the Association for Computing Machinery's prestigious A.M. Turing Award when he gave a speech that not only revealed the existence of the first computer viruses but showed the audience how to make them. "If you have never done this," he told them, "I urge you to try it on your own."
His colleagues were aghast, but the secret was out. And the revelation was further compounded by Dewdney's landmark article in the May 1984 issue of Scientific American, which described Core War and offered readers who sent $2 for postage a copy of the guidelines for creating their own viral battlefields.
Soon software viruses began appearing in university computer systems and in the widely proliferating desktop computers. A rogue program that made the rounds of Ivy League schools featured a creature inspired by Sesame Street called the Cookie Monster. Students trying to do useful work would be interrupted by persistent messages saying "I want a cookie." In one variation, the message would be repeated with greater and greater frequency until users typed the letters C-O-O-K-I-E on their terminal keyboards.
But not all viruses are so playful. One particularly vicious program deletes everything stored on the computer and prints the word GOTCHA! on the screen. Another takes the form of a game called "rck.video." It delights unsuspecting users with an animation featuring the singer Madonna before erasing the files on their disks. Then it chortles, "You're stupid to download a video about rock stars."
Such pranks enrage the original Core War programmers. McIlroy and his friends took care that their high-tech high jinks did not put other people's programs and data at risk. "I'm amazed at how malicious some of today's players are," says McIlroy, who is now a senior member of the technical staff at Bell Labs. "What was once a friendly, harmless game has deteriorated into something that is neither friendly, harmless, nor a game."
So far, the mainframe computers that do much of the most vital information processing in the U.S. remain relatively unscathed. "With mainframes, we've got a whole regimen of quality control and data integrity that we use," says Bill Wright, a spokesman for EDS. But with the rapid spread of PC-to-mainframe linkups, that safety could be compromised. "If the same sorts of standards aren't applied soon to the PC environment," says Wright, "it's going to be a real problem for the whole industry."
In the past, companies that were hit by a virus generally kept it quiet. But the computer-sabotage trial in Fort Worth may be a sign that things are changing. Texas is one of 48 states that have passed new laws against computer mischief, and four years ago President Reagan signed a federal law that spelled out harsh penalties for unauthorized tampering with Government computer data. But most statutes were written before viruses surfaced as a major problem, and none mention them by name. In May an organization of programmers called the Software Development Council met in Atlanta to launch a movement to plug that loophole in the law. Declares Michael Odawa, president of the council: "I say, release a virus, go to jail."
Some computer users are not waiting for legal protection. Don Brown, a Macintosh enthusiast from Des Moines, responded to the Peace virus outbreak by writing an antiviral program and giving it away. Brown's Vaccine 1.0 is available free on most national computer networks, including CompuServe, the Source and GEnie. InterPath's McAfee fights viruses from a 27-ft. mobile home known as the Bugbuster. Carrying up to six different computers with him, he pays house calls on local firms and colleges that have been infected, dispensing advice and vaccines and, like a good epidemiologist, taking samples of each strain of virus. Lately he has been averaging more than 30 calls a day. Says he: "You're always trying to stay one step ahead or as close behind as possible."
Like a biological vaccination, a vaccine program is a preventive measure -- an attempt to protect an uninfected disk from invasion by an uninvited program. Most software vaccines take advantage of the fact that computer viruses usually hide themselves in one of a few locations within the machine's control software. A typical vaccine will surround those memory locations with the equivalent of a burglar alarm. If something tries to alter the contents of one of those cells, the vaccine program is supposed to stop everything and alert the operator. But because there are so many different viral strains out there, vaccines are often ineffective.
Once a computer has been hit by a virus, the invader can sometimes be eradicated by a special program that searches out and erases each bit of foreign material. Generally, however, the simplest way to bring an infected computer back to health is to shut it down, purge its memory and all its disks, and rebuild its files from scratch. Programs should be loaded from the original manufacturer's copy, and new disks should be carefully screened for the presence of an unwanted intruder. There are any number of products that will do this, usually by searching for files that are suspiciously long and may be harboring a virus.
But none of these antiviral programs are foolproof. Virus writers are constantly making end runs around the barricades erected against them. Even a total purge of a computer system is no guarantee against reinfection. McAfee reports that 3 out of 4 of the installations he visits suffer a relapse within a week, usually from disks missed on the first go-round or carried in from the outside. In recent months, a pesky new type of virus has emerged. So-called retroviruses are designed to reappear in systems after their memories have been wiped clean. Other viruses infect a computer's hardware, speeding up a disk drive, for example, so that it soon wears itself out. Particularly dangerous are bogus antiviral programs that are actually viruses in disguise and spread infection rather than stop it.
Where will it end? The computer world hopes that the novelty of software viruses will pass, going the way of letter bombs and poisoned Tylenol. But even if the epidemic eventually eases, the threat will remain. The uninhibited program swapping that made the early days of the computer revolution so exciting may be gone forever. Never again will computer buffs be able to accept a disk or plug into a network without being suspicious -- and cautious.
With reporting by Scott Brown/San Francisco and Thomas McCarroll/New York, with other bureaus