A Suggested Readings List for Computer Viruses and Related Problems

Prepared by:
John Wack
National Institute of Standards and Technology
September 22, 1989

ABSTRACT

This document provides a list of suggested readings for obtaining information about computer viruses and other related threats to computer security. The primary intended audience is management as well as other technically-oriented individuals who wish to learn more about the nature of computer viruses and techniques that can be used to reduce their potential threat. The suggested readings may range from general discussions on the nature of viruses and related threats, to technical articles which explore the details of various viruses, the mechanisms they attack, and methods for controlling these threats to computer security.

BASIC TERMS

The following list provides general definitions for basic terms that are commonly used throughout the applicable literature. Some of the terms are relatively new and their definitions are not widely agreed upon, thus they may be used differently elsewhere.

Computer Virus: A name for a class of programs that contain software that has been written to cause some form(s) of damage to a computing system's integrity, confidentiality, or availability. Computer viruses typically copy their instructions to other programs; the other programs may continue to copy the instructions to more programs. Depending on the author's motives, the instructions may cause many different forms of damage, such as deleting files or crashing the system. Computer viruses are so named because of their functional similarity to biological viruses, in that they can spread rapidly throughout a system. The term is sometimes used in a general sense to cover many different types of harmful software, such as trojan horses or network worms.

Network Worm: A name for a program or command file that uses a computer network as a means for adversely affecting a system's integrity, reliability, or availability.
From one system, a network worm may attack a second system by first establishing a network connection with the second system. The worm may then spread to other systems in the same manner. A network worm is similar to a computer virus in that its instructions can cause many different forms of damage. However, a worm is generally a self-contained program that spreads to other systems, as opposed to other files.

Malicious Software: A general term for computer viruses, network worms, trojan horses, and other software designed to deliberately circumvent established security mechanisms or codes of ethical conduct or both, to adversely affect the confidentiality, integrity, and availability of computer systems and networks. The software may be composed of machine-language executable instructions, or could be in the form of command files.

Unauthorized User(s): A user who knowingly uses a system in a non-legitimate manner. The user may or may not be an authorized user of the system. The actions of the user violate established security mechanisms or policies, or codes of ethical conduct, or both.

Trojan Horse: A name for a program that disguises its harmful intent by purporting to accomplish some harmless and possibly useful function. For example, a trojan horse program could be advertised as a calculator, but it may actually perform some other function when executed, such as modifying files or security mechanisms. A computer virus could be one form of a trojan horse.

Back Door: An entry point to a program or system that is hidden or disguised, often created by the software's author for maintenance or other convenience reasons. For example, an operating system's password mechanism may contain a back door such that a certain sequence of control characters may permit access to the system manager account. Once a back door becomes known, it can be used by unauthorized users or malicious software to gain entry and cause damage.

Time Bomb, Logic Bomb: Mechanisms used by some examples of malicious software to cause damage after a predetermined event. In the case of a time bomb, the event is a certain system date, whereas for a logic bomb, the event may vary. For example, a computer virus may infect other programs, yet cause no other immediate damage. If the virus contains a time bomb mechanism, the infected programs would routinely check the system date or time and compare it with a preset value. When the actual date or time matches the preset value, the destructive aspects of the virus code would be executed. If the virus contains a logic bomb, the triggering event may be a certain sequence of keystrokes, or the value of a counter.

Anti-Virus Software: Software designed to detect the occurrence of a virus. Often sold as commercial products, anti-virus programs generally monitor a system's behavior and raise alarms when activity occurs that is typical of certain types of computer viruses.

Isolated System: A system that has been specially configured for determining whether applicable programs contain viruses or other types of malicious software. The system is generally disconnected from any computer networks or linked systems, and contains test data or data that can be restored if damaged. The system may use anti-virus or other monitoring software to detect the presence of malicious software.

Computer Security: The technological safeguards and management procedures that can be applied to computer hardware, programs, data, and facilities to assure the availability, integrity, and confidentiality of computer-based resources and to assure that intended functions are performed without harmful side effects.

SUGGESTED READINGS

Brenner, Aaron; LAN Security; LAN Magazine, Aug 1989.
Bunzel, Rick; Flu Season; Connect, Summer 1988.
Cohen, Fred; Computer Viruses, Theory and Experiments; 7th Security Conference, DOD/NBS Sept 1984.
Computer Viruses - Proceedings of an Invitational Symposium, Oct 10/11, 1988; Deloitte, Haskins, and Sells; 1989.
Denning, Peter J.; Computer Viruses; American Scientist, Vol 76, May-June, 1988.
Denning, Peter J.; The Internet Worm; American Scientist, Vol 77, March-April, 1989.
Dvorak, John; Virus Wars: A Serious Warning; PC Magazine; Feb 29, 1988.
Federal Information Processing Standards Publication 83, Guideline on User Authentication Techniques for Computer Network Access Control; National Bureau of Standards, Sept, 1980.
Federal Information Processing Standards Publication 73, Guidelines for Security of Computer Applications; National Bureau of Standards, June, 1980.
Federal Information Processing Standards Publication 112, Password Usage; National Bureau of Standards, May, 1985.
Federal Information Processing Standards Publication 87, Guidelines for ADP Contingency Planning; National Bureau of Standards, March, 1981.
Fiedler, David and Hunter, Bruce M.; Unix System Administration; Hayden Books, 1987.
Fitzgerald, Jerry; Business Data Communications: Basic Concepts, Security, and Design; John Wiley and Sons, Inc., 1984.
Gasser, Morrie; Building a Secure Computer System; Van Nostrand Reinhold, New York, 1988.
Grampp, F. T. and Morris, R. H.; UNIX Operating System Security; AT&T Bell Laboratories Technical Journal, Oct 1984.
Highland, Harold J.; From the Editor -- Computer Viruses; Computers & Security; Aug 1987.
Longley, Dennis and Shain, Michael; Data and Computer Security
McAfee, John; The Virus Cure; Datamation, Feb 15, 1989.
NBS Special Publication 500-120; Security of Personal Computer Systems: A Management Guide; National Bureau of Standards, Jan 1985.
NIST Special Publication 500-166; Computer Viruses and Related Threats: A Management Guide; National Institute of Standards and Technology, Aug 1989.
Parker, T.; Public domain software review: Trojans revisited, CROBOTS, and ATC; Computer Language; April 1987.
Schnaidt, Patricia; Fasten Your Safety Belt; LAN Magazine, Oct 1987.
Shoch, J. F. and Hupp, J. A.; The Worm Programs: Early Experience with a Distributed Computation; Comm of ACM, Mar 1982.
Spafford, Eugene H.; The Internet Worm Program: An Analysis; Purdue Technical Report CSD-TR-823, Nov 28, 1988.
Thompson, Ken; Reflections on Trusting Trust (Deliberate Software Bugs); Communications of the ACM, Vol 27, Aug 1984.
Tinto, Mario; Computer Viruses: Prevention, Detection, and Treatment; National Computer Security Center C1 Tech. Rpt. C1-001-89, June 1989.
White, Stephen and Chess, David; Coping with Computer Viruses and Related Problems; IBM Research Report RC 14405 (#64367), Jan 1989.
Witten, I. H.; Computer (In)security: infiltrating open systems; Abacus (USA) Summer 1987.