Computer-Virus Threat No Longer as Threatening
Many PC users are taking steps to defend themselves
PITTSBURGH — TWO-and-a-half years after the dreaded Michelangelo computer virus gained international prominence, the world is beginning to take the virus threat in stride.
``The numbers are growing predictably,'' says Robert Bales, executive director of the National Computer Security Association (NCSA) in Carlisle, Pa.
``It's something we can deal with,'' adds Richard Ford, editor of the Virus Bulletin, a British monthly based in Oxford, England. ``People have started to take sensible precautions.''
Viruses are software programs created to sneak into personal computers. Computer users, therefore, have had to protect themselves. Sometimes these programs take control of a machine to leave a humorous message; sometimes they destroy data. Once they infiltrate one machine, they can spread into another, most often through diskettes that unwitting friends or co-workers pass around.
Although more people have come in contact with a virus, the threat is actually stabilizing. Virus experts point to several factors.
* Steady growth. Instead of the exponential growth that antivirus researchers saw a few years ago, the number of viruses is now growing at a steady rate. Researchers say they are seeing about 200 to 300 new viruses every month.
That is not as troubling as it might sound. The vast majority of these programs go directly from the author to antivirus labs and never invade a user's machine. The top 10 viruses in the US account for about 80 percent of the incidents, according to the NCSA. (See chart.)
* Savvier users. Ever since the Michelangelo virus burst onto the scene in 1992, computer users have become more aware of the problem. Many, particularly in the business world, are taking steps to defend themselves. According to a new NCSA study of 150 companies, more users are encountering viruses: 80 percent compared with 63 percent two years ago. But the number of virus-related disasters, affecting 25 machines or more, has hardly climbed at all: 9.5 percent versus 9 percent in 1992.
* New operating systems. Most of the viruses are written for DOS, the operating system used by IBM-compatible personal computers. DOS, however, is being phased out as users switch to the more graphical Windows interface.
The next version of Windows, due out by May, will not even require DOS at all. It's an open question how many virus authors will make the jump to write for the Windows environment. Some of the most notorious virus authors are leaving the business entirely. ``Dark Avenger,'' a shadowy Bulgarian who almost single-handedly turned that country into a virus powerhouse, has not been heard from for months.``Dark Avenger seems to have retired,'' says Graham Cluley, product specialist for S&S International, a British company that makes the popular Dr. Solomon's Anti-Virus Toolkit. ``I think he's given up.''
Earlier this year, Scotland Yard arrested a young man it claims is the author of two new sophisticated viruses called ``SMEG.pathogen'' and ``SMEG.queeg.'' (SMEG stands for ``simulated metamorphic encryption generator,'' a term used in a popular British science-fiction television series.) Just before the Scotland Yard arrest, the author made public the code of his SMEG software engine and accompanying instructions so that other virus writers could use it.
``It was the most complex virus that we had ever seen,'' Mr. Cluley says. The program SMEG.pathogen and its follow-on are polymorphic, meaning that they look different virtually every time they invade a program. That makes them very hard to detect by virus-scanning software.
As viruses multiply, scanners are having to look for so many variants that they are in danger of slowing down, says Mr. Ford of Virus Bulletin.
But virus-fighting companies have their own tricks. Cluley says his program now scans for more than one thing at a time, which allows it to run almost as fast today, searching for 4,900 viruses, as it did two years ago, when it only had to search for 1,600 viruses.
The company has also automated its own processes. Its ``generic decryption detector'' has cut the time to break polymorphic virus code from three to four days to 20 minutes.
Corporate users in particular are taking advantages of these antivirus defenses. ``Almost all my clients have some kind of virus detection on their network,'' says Ron Hale, senior manager of information-protection consulting at Deloitte & Touche LLP, a consulting firm based in Wilton, Conn. That's a big change from two years ago, he adds.