Approaching Zero - Paul Mungo (books to read to increase intelligence .txt) 📗
- Author: Paul Mungo
- Performer: -
Book online «Approaching Zero - Paul Mungo (books to read to increase intelligence .txt) 📗». Author Paul Mungo
instance—then, once loaded on to a computer, it searches out other programs to
infect. It is generally harmless in that it never attacks data files, the ones
users actually work on, so it can’t cause serious damage. Its nuisance value
comes in eradicating it: deleting programs and then replacing them can be
timeconsuming.
In the meantime, to stop the virus from spreading any farther, the company
decided to shut down the entire network of 1,500 computers, leaving machines
and staff idle. The technical-support specialists estimated that killing the
bug and replacing the programs would take them two or three hours at the most.
But by mid-afternoon they realized that they had underestimated the size of the
job, and arranged to come in over the weekend. In the end, the technical
staff worked for four days, Friday through Monday, before they were satisfied
that all the machines were free of the virus. During that time computers and
staff were inactive, neither processing work in progress nor going ahead with
anything else.
The computers worked well for the next three days, but then, at ten A.M. on
Thursday, July 4th, the virus was rediscovered. In a routine scan of one of the
computers with the new antiviral software, one member of a small crew working
over the Independence Day holiday received a big shock: Yankee Doodle was back.
The technical specialists, called into the offices from their homes, discovered
to their horror that this time 320 machines had been infected and when they
asked the maker of the antiviral software for an explanation, they were simply
told, “You missed a spot.
The company was forced to shut ctown Its Computers again, and again staff and
machinery sat idle while the support staff searched laboriously through every
program on all 1,500 machines. There was no damage: the bug was eradicated and
the programs reinstalled without even a byte of data lost. But the lack of
damage disguised the virus’s real cost in downtime. By the time Yankee Doodle
had been completely eradicated, the company had suffered one week of lost
production, one week in which 1,500 staff were idle, one week of irrecoverable
business. The company never quantified its loss, but it is estimated to run
into the hundreds of thousands of dollars—all from what was purported to be a
harmless virus.
Since 1990 virus researchers have pieced together a history of Yankee Doodle.
It was first spotted in 1989 in the United Nations offices in Vienna on a
computer game called Outrun. The game is proprietary, though unauthorized
pirate copies are often passed , around on diskette. Someone, somewhere, is
thought to have infected a copy of the game, accidentally or deliberately, and
the Virus began its travels, first to Vienna, then around the world courtesy of
the United Nations. Though there are known to be fifty-one versions of the
virus, they are all based on one original
prototype. And that program, despite the virus’s all-American name, was written
in Bulgaria.
In the same month that the California publishing company was trying to
eradicate Yankee Doodle, a major financial-services house on the other side of
the country was hit by another bug. This one wasn’t a joke; it was deliberately
malicious.
The first symptoms appeared when one of the secretaries was unable to print out
a letter she had just entered into her computer. In such cases people usually
follow the same routine: the secretary checked the paper, switched both the
computer and the printer off and on, and then fiddled with the connecting
cables. Still nothing printed out. Finally she rang her company’s
technical-support office.
When the specialist arrived, he began running tests on the affected machine.
First he created a new document and tried printing it out, but that didn’t
work. He then guessed that the word-processing program itself was defective,
that one of its files had become corrupted and was preventing the machine from
printing. He went to another computer and copied out the list of program files
used by the company, which showed the names of the programs and their size, in
bytes (or characters). He then compared the files on the problem machine with
the list. Everything matched, except that eight of the files on the affected
computer were slightly larger than on the other. He checked the differences,
and in each case the files on the problem machine were exactly 1,800 bytes
larger.
With that information, the specialist knew immediately that the company had
been hit by a virus; he also knew it was 1,800 bytes long and attached itself
to program files. He called his supervisor, who hurried over with a
virus-detection diskette. They inserted it in the infected computer and
instructed it to check the machine for viruses. Program file names appeared
briefly, one by one on the screen, as the virus detector bustled through its
checks, examining each file for known bugs. After five minutes, a message
appeared on the screen: it stated that eighty-three files had been checked and
no virus had been found. In exasperation, the supervisor called the vendor of
the virus-detection program.
“It does sound like you’ve got a virus,” the vendor agreed. ‘But if it’s not
getting picked up by our software, then it must be a new virus. Or a new strain
of an old one.”
Most virus-detection programs operate by looking for known characteristics of
familiar viruses—in other words, for a string of text or a jumble of
characters that is known to be contained within the program of a previously
discovered bug. Such virus detection kits are, of course, unable to detect new
or modified viruses.
At the suggestion of the vendor, the technical-support staff began a search of
one of the infected files, looking for text or messages. Specialized software
is needed to inspect the inside of the program file; during the inspection the
screen displays a jumble of computer code. But within the code the staff saw
two strings of text: EDDIE LIVES … SOMEWHERE IN TIME! said the first. The
second announced: THIS PROGRAM WAS WRITTEN IN THE CITY OF SOFIA
1988—1989 (C) DARK AVENGER.
The supervisor phoned the vendor again: “Who the hell is the Dark Avenger?”
The short answer, the vendor explained patiently, is that no one knows. The
Dark Avenger is an enigma. Most virus writers remain anonymous, their viruses
appearing, seemingly, out of the ether, without provenance or claimed
authorship, but the Dark Avenger is different: not only does he put his name to
his viruses, he also signals where they were written—Sofia, the capital of
Bulgaria. The Dark Avenger’s viruses began seeping into the West in 1989. They
are all highly contagious and maliciously destructive.
“The virus you’ve been hit with is called Eddie, or sometimes the Dark Avenger,
the vendor told the increasingly worried technical-support supervisor. “It must
be a new strain or something. That’s why it wasn’t picked up. Is there any
other text message, a girl’s name?”
The supervisor took a closer look at the virus. “I missed it
before. There’s another word here, Diana P. What does this thing do?”
“Well, as it’s a new version, the answer is I don’t know. Until we’ve seen a
copy, it’s anybody’s guess.”
To discover what a virus actually does, it has to be disassembled, its
operating instructions—the program—taken apart line by line. This is a
difficult and timeconsuming process and can be carried out only by
specialists. In the meantime the technical support staff could only wait and
watch as the virus spread slowly through the company, bouncing from machine to
machine via the network cables that interlinked the company’s 2,200 computers.
Viruses like Eddie work by attaching a copy of themselves to an executable
file; whenever an infected program is used, the virus springs into action. It
usually has two tasks: first, to find more files to infect; then, after it has
had enough time to spread its infection to release its payload. It was obvious
that Eddie was spreading so it was already performing its infection task. What
was worrying was what its payload would prove to be.
To arrest the spread of the bug, it was decided to turn off all the computers
in the company and wait until the virus could be cleaned out. It was a
difficult decision—it would mean downtime and lost business—but it was a
sensible precaution. It was later discovered that the payload in the Eddie
variant was particularly malicious. When unleashed, it takes occasional
potshots at the hard disk, zapping any data or programs it hits. The effect is
equivalent to tearing a page out of a book at random. The loss of the pages may
not become evident until one can’t be found. But on a computer, if the loss
goes undetected over a period of time, then the backup files, taken as a
security measure in case of problems with the originals, could also have pages
missing. The slow corruption of data is particularly insidious. Any computer
breakdown can cause a loss of data, necessitating some reentry of the affected
transactions since the last backup. But if the backups are also affected, then
the task could become impossible. At worst, the data could be lost forever.
In this instance some data was irrecoverably destroyed, even though only sixty
machines were found to be infected. But, in a sense, the company had been
lucky: because Eddie had taken a potshot at a secretary’s word-processing
program and knocked out its print capability, it was discovered fairly early
on. Had it lurked undetected for longer, it could have destroyed even more
data.
The process of checking all 2,200 computers in the company took four and a half
days, with a team of twelve people working twelve hours a day. Every executable
file on every hard disk on every machine had to be checked. The team had
special programs to help with the task, but viruses could easily get wrapped up
inside “archived” files—files that are compressed to save computer space—
where they can escape detection. All archived files had to be expanded back to
their full size, checked, and then packed away again. That took time. Also, all
diskettes had to be checked, a nearly impossible task given the difficulty in
finding them: diskettes have a habit of disappearing into black holes in desk
drawers, in briefcases, in storage cupboards.
The computer diskette has now assumed the generality of paper as a medium for
storing information. Staff with home computers often carry diskettes to and
from their office, and it makes sense that diskettes containing valuable data
should be stored off-site, as a precaution against problems with the office
computer. But the home PC also encourages the transfer of viruses among families. A student might transfer a virus from college to home; a parent might
transfer a virus from home to office. For the most part, viruses are spread
innocently, but there is now such a large traffic in diskettes that it is
usually impossible to trace the source of an infection.
After seven hundred hours of intensive effort, the technicalf support staff
felt confident they had eliminated all traces of Eddie. Their confidence was
short-lived. Within a week Eddie was back. This time they lost a further one
and a half days’ work. (Because it is very difficult to remove all traces of a
virus, 90 percent of victims suffer a recurrence within thirty days.)
After the final bout of Eddie was cleared away, executives of
the company tried to quantify how much the bug’s visit had cost them—not that
any of it would be recoverable from insurance. “We lost $500,000 of business—
really lost business, not orders deferred until we could catch up, but business
that had to be done there and then or it went to a competitor,” said
Comments (0)