The New York Times, Sunday, January 31, 1988. Business Section, Pages 1 and 8

Computer Systems Under Siege

'Virus' programs that can elude most barriers have begun to infect computers around the world.

by Vin McLellan, BOSTON

It could be a science-fiction nightmare come to life. In the last nine months, computer viruses - which could subvert, alter or destroy programs of banks, corporations, the military and the Government - have infected personal computer programs at several corporations and universities in the United States as well as in Israel, West Germany, Switzerland, Britain and Italy.

Security experts say they fear terrorists, hackers or even practical jokers could invent viruses that would wreak havoc in the computer world - and in the business and military operations that have become so dependent on it.

"The dangers of viruses and some of these other computer attacks are just unbelievable," said Donald Latham, executive vice president of the Computer Sciences Corporation and former Assistant Secretary of Defense who ran a Reagan Administration program to increase security in civilian and Government computer systems. "The threat is more serious than most people think; no one can say enough about it."

Like its biological counterpart, a computer virus can be highly contagious. It has the capability of instantaneously cloning a copy of itself and then burying those copies inside other programs. All infected programs then become contagious and the virus passes to other computers that the software comes into contact with. Virus infections also can be transmitted between computers over telephone lines. A single strategically placed computer with an infected memory - say a personal computer bulletin board - can rapidly infect thousands of small computer systems.

The most virulent outbreaks so far have occurred in personal computers. But security experts say the greatest risk would come from infected large computers, such as those governing the air traffic controllers' system or the Internal Revenue Service.

"The basic rule is, where information can go, a virus can go with," said Fred Cohen, a University of Cincinnati professor who has been doing research on viruses since 1983.

According to Dr. Cohen, research that he did in 1983 and 1984 has shown that most mainframe computers can successfully be subverted within an hour. And networks - even a huge international network with thousands of computers spread over continents - can be opened up to an illicit intruder within days, he said. The possibility of computer networks becoming a primary medium for subversion and warfare - the "software" depicted in a dozen classic science-fiction thrillers - "has become much more real," Dr. Cohen said.

What further complicates the problem is the fact that the virus can evade the normal controls and barriers that all computers, even those at secure military installations, use to control who has access to information available through the computers.

"A virus is deadly because it can jump - actually slide right through - the barriers everyone uses to control access to valuable information," said Kenneth Weiss, technical director at Security Dynamics Technology Inc., a computer security company in Cambridge, Mass., and chairman of the computer security division of the American Defense Preparedness Association. "The solution is to put a wall with good solid gates around the jungle - most computers still have the equivalent of a sleepy guard at the door. But the larger problem is how to secure the system against people who have legitimate work inside."

One of the early warnings about the threat of computer viruses was raised in a paper given by Dr. Cohen at a computer conference in Toronto in September 1984. It drew wider public attention in March 1985, when Scientific American magazine published a letter from two Italian programmers in the Computer Recreations column that gave a virtual blueprint for a virus that could attack small personal computers.

Only in the last nine months, however, have actual reports surfaced concerning virus infections, including infections striking personal computer programs used by IBM employees on the East Coast, and others at Hewlett-Packard, Apple Computer and several small companies in the San Francisco area, according to security consultants.

College administrators report widespread virus infection in personal computers used by students and faculty at the University of Delaware and Lehigh University in Bethlehem, Pa. Other reports of infections have come from the University of Pittsburgh, the University of Maryland and George Washington University. Personal computer user groups have also reported infections in Florida, Colorado, New Jersey and New York.

"It's apparently going to be the game this year to see who can come up with the deadliest virus," said Dennis Steinaur, a senior security specialist at the National Bureau of Standards, which promotes computer security in non-military Federal agencies and the private sector. "We're all very vulnerable." Yet he said that the bureau planned no immediate recommendation on the virus threat. "With limited resources," he said, "we like to put our priorities in areas where solution.

Other reports of viruses are coming in from other areas. Security experts at SRI International in Palo Alto, Calif., recently said they had learned of a mainframe computer in the San Francisco area being subverted by a virus. Computer & Security, the journal of the security group IFIPS, a leading international association of computer professionals, last winter reported several major incidents of virus attacks on big mainframe systems "in Western Europe." Rumors regarding an alleged virus attack on two IRS Univac computers in Philadelphia two weeks ago have been vehemently denied by IRS officials. The system was taken off line, they said, strictly for maintenance.

Viruses now circulating in the United States were designed to eventually destroy data in IBM and compatible personal computers, the Apple Macintosh and Commodore Technology's Amiga, according to company officials and employees. In almost all of the reported cases, the virus codes were overtly malicious.

One of the most troubling reports has come from Israel where an infectious virus code was spread widely over a two-month period last fall and was apparently intended as a weapon of political protest. The code contained a "time bomb" that on Friday, May 13, 1988, would have caused infected programs to erase all stored files, according to Yuval Rakavy, a student at Hebrew University, who first discovered, then dismantled the virus code.

May 13 will be the 40th anniversary of the last day Palestine existed as a political entity. Israel declared itself independent on May 14, 1948.

Mr. Rakavy said there had been rumors that a virus was circulating in Israel before he was asked on Dec. 30 to help a friend understand why his personal computer was not working properly. "When I got to see it," he said, "I knew immediately what it was, I've known about viruses for several years," he added, referring to the Scientific American letter.

While it awaited its May 13 trigger date, said Mr. Rakavy, the Israeli virus was already instructing the computer to slow to one-fifth its normal speed some 30 minutes after it was turned on, and from "time to time put garbage on the screen."

Yet it was not the irritation with the speed or screen problems that finally called attention to the infected code, said Shmuel Peleg, a professor of computer science at Hebrew University. The "code bomb" was only discovered because an error in the virus program caused it to mistake previously infected programs as uninfected. Then, in error, it would add another copy of itself to the program. "Supposedly unmodified programs were growing," flooding disk memories, he said. "We had programs which had been infected 300, 400 times."

A spokesman for Hebrew University, Yisrael Radai, called the infection "the most devastating thing we have come across." He said, "thousands of computer files were at risk."

Israeli officials suggested a "Friday the 13th" coincidence, but Mr. Rakavy said the virus was coded to ignore Nov. 13, 1987. At the time, the Israeli press quoted many Israeli computer executives who spoke of panic among customers and peers. That concern is still being voiced, although the Israelis have widely circulated an immunity program to kill the virus.

Richard Schwartz, a vice president of ANSA Borland International Inc., a software company in Belmont, Calif., said he was visiting Israel at the end of the year and was given software samples by an Israeli programmer. Days later, he said, the programmer called, warning that the program contained the Israeli virus. "We were going to play with the virus here," said Mr. Schwartz, "just to see how it worked. But I finally decided I didn't want to take any risk."

The virus discovered at Lehigh University was typical of others that have surfaced in the United States. It attached itself to a few lines of the operating system used on the IBM PC's that the college provides for student use. It then counted the number of new magnetic memories - hard or floppy disks - that it infected. When the count reached four, it immediately erased all programs and data it could reach. "It was pretty juvenile coding," said Kenneth van Wyk, a Lehigh administrator, "but students may have lost a lot of work."

Another university-based virus raised more questions. Buried within the code of the virus discovered at the University of Delaware was an apparent ransom demand: Computer users who discovered the virus were to send $2,000 to an address in Pakistan to obtain an immunity program, according to Harold Highland, an Elmont, N.Y., consultant who studies viruses. The Pakistani contact was not identified.

"It's like a fantasy of being a terrorist without the blood," said Eric Corley, editor of a national hacker newsletter, 2600, whose electronic bulletin board was infected.

On a more theoretical level, viruses could provide weapons in corporate infighting and could affect production. "The classic scenario is a vice president using a virus to taint the programs and tools the company uses to plan and make projects, making the president look bad and hoping that they'll replace him," Dr. Cohen said. "The same potential exists among fighting executives or competing companies. One company could infect the process controller a competitor uses to govern steel production - with the result that the steel would be of an inferior grade. That sort of subtle sabotage could be very very difficult to recognize."

Concern about viruses has spread well beyond the computer industry. Officials at several affected colleges said they had been contacted by a representative from the National Security Agency, the Pentagon agency responsible for the security of classified Government computer systems and electronic spying abroad, and asked for details about virus codes. Since 1985, the NSA and various military groups have spoken wi in several classified conferences about the risk of virus attacks at Government computer installations.

The first, at the National Bureau of Standards in January, was "pretty much of an 'ain't it awful' affair," recalled Andrew Goldstein, a senior consulting engineer at the Digital Equipment Corporation. "Then - and still - I'm afraid, no one really knows what to do about viruses. None of the existing mechanisms for security deal with them very well."

William H. Murray, a security consultant at Ernst & Whinney and former IBM spokesman on security issues, said efforts to contain viral infections were hampered by "all the things you have to do in the face of a viral attack," such as restricting the exchange and sharing of information. Those things, he said, "are almost as disruptive as the attack."

Although he conceded that "there are no general defenses against the virus attack," he stressed that this doesn't mean the worst will happen. "For most people - even most businessmen - the world is a fairly benign place," he said. "Most of us want the world to work, or the temptation to bring it down is not so great that most people don't resist it." He stressed that although "the virus vulnerability results from our desire to share data and programs, vulnerabilities do not necessarily equate to problems. We've got all sorts of vulnerabilities in our society that no one is exploiting."

One reason viruses can thrive is that industry has widely adopted networks between computers to foster profitability, cooperation, and information sharing, despite the fact that these links have generally weakened security at each computer's point. Efforts to foster productivity also led to widespread adoption of personal computers, but that has depended in large part on free distribution of thousands of public domain programs.

There is a growing awareness of the virus threat among computer professionals, in part because of publicity about an automatic chain letter that flooded a major IBM computer network late last year. Written by a West German student, the device looked like a computerized Christmas card. But when it was run, it secretly reached into computer files and sent copies to everyone who had exchanged messages with the person running it.