BKBURGER.RVW 921206

Computer Viruses and Data Protection
Ralph Burger
1991, 353 pp., general audience
Abacus, 5370 52nd Street SE, Grand Rapids, MI 49512
1-55755-123-5

A most telling quote is to be found on page 31 of this book. In answer to the question, "What do you think about the publication of information about computer viruses?", Burger quotes a "highly knowledgeable" although "secret" source as saying: "I feel that it's the people who know the least about it that talk the most. You tend to hear little from people who actually understand something about computer viruses. ... You don't have to include instructions on how to use computer viruses."

The quote is telling on three counts: 1) Burger tends to go on at great length (350 pages) without giving out much information, 2) there is little hard information in the book which would be of use to the average home or corporate user concerned about protection against viral programs, and 3) Burger's fancy for publishing viral source code seems to have no purpose except to build notoriety. (Before all the virus-writer-wannabes rush out to order copies, let me state that he doesn't publish much, and what he publishes is not very good.)

Burger's propensity for publishing source code might be easier to take if the book itself were a valuable resource. It isn't. The writing style is disorganized and hard to follow, the information is untrustworthy, and the recommendations for security are weak, outlandish, or aimed at problems unrelated to the current computer virus situation. Even Burger's vocabulary bears little relation to the jargon of virus research. He invents the phrase "logical virus" in a section on viral-like programs. The definition makes little sense, and one suspects that Burger is simply confusing it with a "logic bomb".
In another section the author confuses the aspect of the "von Neumann" computer architecture which means that program and data share the same "storage" space with the "von Neumann bottleneck", which has to do with the limit that the single path between processor and memory places on processing speed. One is left with the feeling that Burger has gathered a great volume of information, and is publishing it without truly understanding it.

A section is devoted to the work of Fred Cohen. A subsection refers to "Cohen's Contradictory Virus". It seems to be related to Cohen's proof, by contradiction, that the problem of identifying any given program as "viral" or "non-viral" is undecidable. In Burger's book, however, there is no proof, little logic, and only patches of pseudo-code which really don't demonstrate anything.

In fact, a great deal of the book consists of statements which are made and never supported. I read my wife the section on "virus experts", and her immediate reaction was "doesn't he have to *prove* any of that?" (Among other things, the section seems to indicate that most virus research is being conducted in grave secrecy by governments and large corporations.) At the same time, Burger's closing statements and opinions are so weakly worded that one is reminded of the hapless TV reporter in "Doonesbury" who is never able to make a definitive proclamation on any subject, no matter how simple. (An amusing example of this: Chapter 3 is entitled "Computer Virus Dangers"; Chapter 4 is "Is There a Danger?")

Burger's writing style is very difficult. Even with section headings and marginal annotations it is extremely difficult to follow the discussion. There is very little structure to the flow of arguments, and there are occasional bizarre changes of subject. At one point Burger reproduces a letter that he sent to various corporations, and then complains that the poor response he got indicates that the companies did not understand the gravity of the virus situation.
While the one point on which I can agree with Burger is his repeated assertion that too few people are "virus literate", I can certainly sympathize with the companies. They probably couldn't understand his letter.

It is hard to understand why certain information was included, and other material was not. The chapter on specific viral programs spends five pages listing eight viral programs; it also spends five pages giving the names of thirty "trojan" programs, which presumably could be renamed at will. The "Lehigh" virus, generally thought to be almost extinct "in the wild", is described; "Stoned" and "Michelangelo" are quite notable by their absence. (While "Brain" is one of the viri described, the book nowhere deals with the functions of boot sector viral programs.) No Mac viri are described or listed, although there is one example each from the Atari and Amiga environments.

The chapter on protection strategies, while it does have some useful points, also places heavy emphasis on such bizarre suggestions as writing custom software for all applications, or running everything from EPROMs. (It also suggests the use of CD-ROM for software media, apparently unaware of the fact that CD-ROMs have already been shipped with infected software.) A section on an "EDP High Security Complex" may prevent people from contaminating a keyboard with spilled coffee, but won't do much to prevent viral infections.

A specific recommendation is instructive. Burger twice suggests the use of the RENAME system proposed by A. G. Buchmeier. On an MS-DOS system, all .EXE files are to be renamed to .XXX extensions. They are then to be started with a simple START.BAT file which contains the instructions:

    ren %1.XXX %1.EXE
    %1
    ren %1.EXE %1.XXX

(To be fair, Burger does give a listing of a fuller START.BAT which deals with COM files as well.)
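To see what that rename round trip does and does not buy, here is an added toy model, written for this page and not taken from Burger's book or from Buchmeier. It emulates START.BAT (rename to .EXE, run, rename back) over a constructed directory of four programs and exercises it against a "direct action" infector that scans the directory for .EXE files, a "resident" infector that hooks every file open, and a program that execs a second program. The program names (WP, SPELL, DBASE, FORMAT), the hooks and the infection rules are all invented for the illustration; nothing touches a real disk.

```python
# Toy model of the Buchmeier RENAME scheme (constructed example, not the
# book's code). An infected program carries a direct-action payload that
# looks for other .EXE files; a "resident" infector is modelled as an
# already-loaded hook that infects any .EXE the moment it is opened.
from dataclasses import dataclass, field


@dataclass
class Program:
    name: str                                  # base name, e.g. "WP"
    ext: str = "EXE"                           # "XXX" while parked by the scheme
    infected: bool = False
    calls: list = field(default_factory=list)  # programs this one execs at need


class Disk:
    """A directory of programs plus an optional resident hook on open."""

    def __init__(self, programs, resident_infector=False):
        self.programs = {p.name: p for p in programs}
        self.resident_infector = resident_infector
        self.failed_calls = []                 # (caller, callee) that could not run

    def open_file(self, prog):
        # A resident on-open infector does not care what the file was
        # called a moment ago; it sees an .EXE being opened and infects it.
        if self.resident_infector and prog.ext == "EXE":
            prog.infected = True

    def exec_program(self, name):
        prog = self.programs[name]
        if prog.ext != "EXE":
            return False                       # DOS will not run a .XXX file
        self.open_file(prog)
        if prog.infected:
            self.direct_action_payload(prog)
        for callee in prog.calls:
            if not self.exec_program(callee):  # callee still parked as .XXX
                self.failed_calls.append((name, callee))
        return True

    def direct_action_payload(self, host):
        # Classic direct-action infector: infect every other .EXE it can find.
        for p in self.programs.values():
            if p is not host and p.ext == "EXE":
                p.infected = True

    def infected_names(self):
        return sorted(p.name for p in self.programs.values() if p.infected)


def run_plain(disk, name):
    """Run a program the ordinary way: every program sits on disk as .EXE."""
    disk.exec_program(name)
    return disk.infected_names()


def run_via_start(disk, name):
    """Emulate START.BAT: ren %1.XXX %1.EXE / %1 / ren %1.EXE %1.XXX."""
    for p in disk.programs.values():
        p.ext = "XXX"                          # the scheme: nothing is .EXE at rest
    prog = disk.programs[name]
    prog.ext = "EXE"
    disk.exec_program(name)
    prog.ext = "XXX"
    return disk.infected_names()


def make_disk(resident=False):
    # Constructed sample directory: WP is already infected and calls SPELL.
    return Disk([Program("WP", infected=True, calls=["SPELL"]),
                 Program("SPELL"), Program("DBASE"), Program("FORMAT")],
                resident_infector=resident)


if __name__ == "__main__":
    print("plain, direct action:    ", run_plain(make_disk(), "WP"))
    d = make_disk()
    print("START.BAT, direct action:", run_via_start(d, "WP"),
          "failed calls:", d.failed_calls)
    print("START.BAT, resident:     ", run_via_start(make_disk(True), "SPELL"))
```

Run as a script it prints three lines: without the scheme the infected WP spreads to every other program; under START.BAT the direct-action payload finds nothing to infect but WP can no longer run SPELL; and with a resident on-open infector loaded, a clean SPELL is infected the instant START.BAT renames and runs it. The model deliberately leaves out a virus that simply looks for .XXX files as well, which is outside what the review discusses.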
While this system would be somewhat effective against most "direct action" viral programs, it would create great problems for the many systems today which rely on cooperation between programs which "call" each other at need. It would also be of no use against "resident" viral programs which infect on "file open": the programs would be infected as soon as they were renamed or run. (Interestingly, it would be rather effective against "system" or "FAT" viral programs.)

Errors are legion. Some mistakes are understandable and unimportant, such as referring to the "Jerusalem" virus as the "Israeli PC" and "TSR" virus (p. 68). Others might have more significance, such as the statement that the "Israeli PC" virus makes all infected files into TSRs (p. 68). In some places the book contradicts itself, warning against BBSes and shareware on page 129 and yet saying on page 292 that the danger of receiving viri from data transfer is no higher than through other means. Still other statements are flatly impossible, such as the assertion that the DEFENDER trojan "[writes] to ROM BIOS" (p. 110). It would be pointless to try to list them all, but I would be willing to bet that there are not three consecutive pages in the book which do not contain errors of fact.

Chapter 5 is supposed to give examples of viral programs. (In fact, most of the chapter is occupied by reprints of the McAfee VIRLIST.TXT and an early version of Jan Terpstra's virus signature list.) Of the virus description material that Burger wrote, the only entries which do not contain errors are those which don't contain any information. (One of the errors that Burger makes is highly amusing. He examines Fred Cohen's calculations in support of the assertion that a virus could not appear spontaneously by generation from random errors. "Correcting" Dr. Cohen's figures, and factoring in the increasing speed of computers, he comes up with a figure of ten to the 283rd power for the number of years before a virus is generated. He sees this as "slightly different" and indicative of the possibility of such a virus. He is obviously boggled by the large numbers: even given the most enthusiastic boosts for the increase in the number of computers and computing power, he still would come up with a figure that is not only longer than recorded history, but more than twenty-five times greater than the entire age of the known universe.)

Burger's stated purpose in publishing the viral source (Preface, page viii) is to show how easy it is to write a virus. In this aim, he must be said to fail miserably. Although the assembly listings in the book will hold no terrors for those with a significant background in low-level programming in the MS-DOS environment, those people wouldn't need any direction on how to build a virus. A "batch" virus, which would be easily within the range of the intermediate user, turns out to use DEBUG in order to build some small but vital components, with completely unexplained parameters. Those who are familiar with the architecture know that building a virus is trivial; those who aren't will not find here a convincing demonstration of ease.

Another excuse for including the code (p. 315) is to "illustrate the weak points in your computer system". Again, this rationale is unconvincing. Few readers, outside of those familiar with assembly programming, would be either able or willing to assemble and test the code provided. (Indeed, Burger, only five paragraphs beyond the previous statement, warns readers *not* to "proceed with risky tests of virus programs".) Certainly, the code itself proves nothing in terms of the strengths and weaknesses of any computer system. More extensive "case histories" of either viral infestations or specific viral programs would have been far more convincing.
Burger's attitude to this business of virus source code is strangely inconsistent. Although there is source code listed in the book, Burger specifically states that he will not publish the source for his VIRDEM.COM program. Although he doesn't publish the source, a copy of the VIRDEM program is supposed to be on the companion disk for the book. I didn't get one: the companion disk was not shipped with the book. I'm not hurt: VIRDEM is out in the wild anyway, and I have a copy from another source.

The situation of the missing companion disk raises another point. The book advertises Burger's own "Virus Secure for Windows", as does a catalogue for other Abacus products bound into the back of the book. However, I have been informed by Abacus that "Virus Secure for Windows" is no longer available.

For all of its flaws, the book is a very complete overview of the topic in that it ranges over all possible related subjects. Although he often fails to distinguish between the "blue sky" possible and the "here and now" real, Burger's speculations do touch on a number of topics which are too often lost in the immediate concerns about current data security problems.

For those who are completely new to the field, this book is too untrustworthy to recommend as a primer. Neither will it be very useful to those looking for direction on protecting either home or corporate systems. For those with some serious study of viral programs or data security, the book raises interesting points for discussion, although the specifics asserted may have to be tested and challenged. For those who are interested in writing their own viral programs - fortunately, this book is *not* going to be a big help.

copyright Robert M. Slade, 1992   BKBURGER.RVW   921206

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733
Author "Robert Slade's Guide to Computer Viruses" (Oct. '94) Springer-Verlag