Computer Virus Scare Nothing More Than Hype?

Remember Michelangelo, the supposedly lethal computer virus outbreak in early 1992 at one time projected to infect 500 million computers worldwide? It fizzled, infecting thousands of machines and embarrassing scores of experts who had dredged up AIDS analogies ad nauseam in predicting a new, more dangerous era of computing.

The dire predictions simply did not come to pass -- although plenty of companies, even by their own admission, profited handsomely from the sale of anti-virus packages of one sort or another.

"Very little happened as a result of Michelangelo," said Dennis Steinauer, a computer scientist at the National Institute of Standards and Technology. "It was a cry-wolf situation. Computer viruses are, at best, a nuisance."

The hyping of Michelangelo might offer an interesting footnote in the history of computing -- an object lesson in how not to present a highly technical subject to the general computer-using public.

But virus scares continue to surface. Computer security experts say their persistence may raise questions about the professional conduct of those involved, particularly as specialized anti-virus companies reap sales and profits from viruses which almost never seem to live up to their advance billing. The companies, of course, claim that use of their anti-virus scanning software is at least partly responsible for squelching big virus outbreaks, and organizations do lose millions in valuable data due to damage caused by viruses. Even experts such as Steinauer admit there is truth in that claim.

But some incidents give pause for reflection. Consider the following example: After making an appearance in the local Michigan press, a story about a supposedly undetectable virus called "Junkie" appeared in United Press International on June 14. "A new breed of computer virus that outsmarts anti-virus software has cropped up nationwide," noted the story, quoting a computer security expert in Ann Arbor, Mich., who said Junkie belongs to a new breed of virus "far more dangerous than the well-publicized 'Michelangelo' virus."

The virus, according to the article, is able to encrypt itself and even mutate its code after each infection, making it undetectable by most conventional anti-virus devices.

The consultant, Jim Shaeffer, is said to have reported the virus to Frank Horowitz, president of virus protection firm Reflex Inc., in Brier, Wash, which just so happened to have an anti-Junkie fix called Thunderbyte.

National Public Radio chimed in with a story about this new breed of undetectable viruses. And anti-virus providers, quick to sense an opportunity to make a killing, issued press releases announcing their own anti-Junkie solutions -- in one case, just one day after the UPI story came out.

But there are important facts missing from the UPI story. For starters, Reflex, two weeks previously On June 1, had issued a press release announcing a new breed of virus, including Junkie and another virus called Smeg. So the company itself had actually been the source of the story, which had also appeared first in an Ann Arbor, Mich., local newspaper June 7.

Even more, the consultant quoted in the UPI article just so happened to be a distributor of Reflex's products -- a point the article fails to mention. On June 9, Shaeffer mentioned his discovery of the Junkie virus -- and the local newspaper story on it -- in a posting on Compuserve, along with a plug for Reflex's anti-virus software as the only appropriate fix.

All of this would probably be understandable -- if Junkie had subsequently come close to being that new breed.

But reports of Junkie infections since the UPI story have been minimal, a fact even Reflex's Horowitz acknowledges. In an interview last week he admitted he had not "heard a lot of instances of Junkie infections."

Jonathan Wheat, a consultant for The National Computer Security Association, said his office has received few reports of the virus, which "was kind of hyped."

"This was completely driven by the vendor trying to create awareness, and the media latched onto it," said Mark Corker, with McAfee Associates, a computer security company.

NIST's Steinauer, for one, is tired of the hype. "NIST has not been aggressively involved in the area for one-and-a-half to two years," said Steinauer, referring to precisely the time of the Michelangelo scare. "Frankly, we've gone on under the assumption that [the anti-virus] industry as a whole can do the job."

If anything, Steinauer sees the real impact of viruses in the sociological and psychological spheres, as a kind of urban mythology driven by reporters in search of the Big Story and eager consultants and computer security firms on the hunt for big profits.

The latter can count on a generally low state of computer literacy among reporters, who lack the expertise needed to sort out reality from hype. For instance, the Michelangelo story emerged largely from a misquote of computer security industry figure John McAfee, who unwittingly gave reporters a range of machines that could possibly be afflicted -- from hundreds to millions. Reporters chose the higher numbers, making millions of computer infections a working assumption among the thousands of journalists and newspapers that leapt onto the story.

Steinauer himself appeared on Macneil Lehrer during the Michelangelo virus scare. Before that he advised the show against doing the story.

Like other computer security professionals, Steinauer is focusing on more pressing threats -- how to protect the Internet and its cyber-denizens from hackers and unauthorized travelers, for instance.

"In reality, computer viruses don't spread like the common cold. They aren't intelligent. They don't hate you, and it's not even very difficult to avoid most exposures," according to the preface of the second edition of The Computer Virus Crisis, an account of the virus problem somewhat less alarmist than its title.

The book notes that 95 percent of all security problems with computers stem from human error. The most egregious examples of data loss come from disgruntled employees and insiders with special access, a problem no technology can probably fix. Of the remaining five percent of computer security breaches, viruses represent only a tiny portion. Routine measures such as not using pirated software, swapping disks, and downloading software from bulletin boards should eliminate most problems. And providers of operating system software such as Microsoft now often bundle anti-virus detection into their systems -- much as all cars include safety belts.

What's more, increased awareness, when combined with relatively simple precautionary measures, seems to avoid most virus problems. For example, during the second quarter of 1992, just before and after the Michelangelo virus scare, a two-fold drop in reported virus incidents occurred -- mostly because of increased use of anti-virus scanning software.

Still, Horowitz of Reflex remains unrepentant. "My intent [in releasing the June 1 press release] was to create awareness of the virus issue, that they continue to be developed and the technology most organizations rely on is not sufficient to detect them." As with the AIDS epidemic in the early years, no one recognized the disease because it had not yet been diagnosed. So too with new computer viruses: People aren't finding them because they don't know what to look for. "I don't freak out when I hear about outbreaks of tuberculosis. I've been inoculated. But I do fear AIDS," said Horowitz.

Some still believe in the virulence of viruses

Not everyone -- mostly computer virus consultants and vendors -- is willing to downplay the virus threat. A study sponsored by Symantec, using data culled from IBM, the National Computer Security Association and the market research firm Dataquest, pegged losses from computer viruses in the United States at $75 million in 1990, $342 million in 1991, $694 million in 1992, $1.3 billion in 1993 and a projected $2.7 billion in 1994. Those losses are calculated from a survey of 600 companies with 618,000 PCs. The estimated money spent recovering lost data at those companies was expanded for an estimated population of 134 million PCs in 1994.

Symantec is in the business of producing anti-virus software.

Given the accuracy of these figures, viruses would still seem to be a threat. Meanwhile, the number of viruses continues to balloon. According to the National Computer Security Association about 4,600 viruses are thought to exist, up 2,000 or so from a year earlier.

So what are viruses? Like their biological counterparts, viruses attach themselves to other things -- a computer program -- and reproduce. They are lines of code that execute certain functions, such as displaying the words "Peace", when their host programs run. The physicist Stephen Hawking, at the recent MacWorld show in Boston, even argued that viruses are a legitimate life form and should be treated as such.

There is also a new wrinkle to the virus threat in current talk of "intelligent agents", "digital butlers", "knowbots" and other such devices designed to capture, filter and even delete online information for their owners. These devices hold forth the promise of sorting out the increasing clutter and gridlock on the world's information superhighways. But there may be a more ominous side to such a program, which, like viruses, attaches itself to other computer systems and cause those systems to do its programmed bidding. John Markoff, a computer reporter for the New York TImes, wrote in the March/April issue of the association magazine Educom, "Telescript -- General Magic's telecommunications language -- is really just a virus design lab in disguise permitting me to launch a program that runs on your computer. What does it do? Can I control it? AT&ampT's executives have already acknowledged that they're not certain they can contain the technology."

A more concrete expression of this problem emerged following the April "Green Card" controversy, as it has become known. An Arizona law firm called Canter &amp Siegel broadcasted advertisements to more than 6,000 Internet news groups, earning the wrath of Internet purists.

Partly in response to such perceived violations of Internet's non-commercial ethos, a Norwegian programmer built a device called a "cancelbot" to hunt down and erase unwanted advertisements. But it could just as easily be used to hunt down and cancel information of any sort -- including sensitive government documents or business transaction information zapped over Internet byways.

Dennis Steinauer, a computer scientist at the National Institute of Standards and Technology, sees another potential danger in the virus phenomenon: from the actual detection programs built to analyze systems and detect weaknesses. These programs can, at least theoretically, be used to search for weaknesses in computer systems, thereby providing a powerful tool for those wishing to debilitate them.

--Andrew Jenks