THE FUTURE IMPACT OF VIRUSES


Making predictions about the future is dangerous.  Without the aid of a 
crystal ball, it is unwise to try and be too specific about what is 
likely to happen.  Nevertheless, since the seeds of the future are 
planted in the present, it is possible to make a broad assessment of 
future virus developments.

With regard to the desktop operating systems being used on the PC, the 
future clearly lies with Microsoft Windows, whether that be Windows 95 
and/or Windows NT; although it is also clear that DOS will be with us 
for some time to come.  To a considerable degree, therefore, the impact 
of viruses under Windows will define their overall impact on the PC 
world.

Within this context, macro viruses will almost certainly play a 
considerable part.  They have already had a marked effect.  Since the 
appearance of WM.Concept, in July 1995, we have seen around two dozen 
macro viruses.  WM.Concept alone currently accounts for around 50% of 
all virus reports to anti-virus vendors and researchers.  And while 
WM.Concept causes no damage to data, we have already seen the first 
[albeit faltering] steps towards macro viruses which threaten data.

Macro viruses, it should be noted, are not confined to Microsoft Word 
for Windows.  In January 1996, the first macro virus to infect Lotus 
AmiPro files [APM.GreenStripe] appeared.  And XM.Laroux, which appeared 
in July 1996, is the first working macro virus to infect Microsoft 
Excel for Windows spreadsheets.

The impact of macro viruses rests on three factors.

(1)  Macro viruses are written in WordBasic.  They are easier to write 
than traditional viruses [typically written using low-level programming 
tools].  As a result, virus writing is no longer the preserve of a 
comparitively small number of people.

(2)  Macro viruses infect document files.  Document files, to which 
macros are attached, provide viruses with a far more effective 
replication method than executable files.  Document files are exchanged 
far more frequently than program files.  Coupled with the increased use 
of e-mail [and the ability to attach files to e-mail], and mass access 
to the Internet [and on-line services like CompuServe and America 
Online], is likely to make macro viruses a much greater threat to
computer users than ‘traditional’ file viruses.

(3)  Macro viruses are not platform-specific.  There are versions of 
Microsoft Word for Windows 3.x, Windows 95, Windows NT and Macintosh.  
This makes all of these operating systems susceptible to macro viruses 
[although anything in a macro which makes use of calls to a specific 
operating system [as with the WM.FormatC macro trojan] will be 
restricted to that particular operating system].

However, macro viruses do not make up the whole picture.  Boot sector 
viruses, which currently make up around 70% of ‘in the wild’ viruses, 
are not about to disappear.  These viruses infect at boot-up, when an 
infected floppy disk is inadvertently left in drive A.  They infect at 
a BIOS level; that is, before the operating system loads.  This is true 
of any operating system . . . DOS, Windows [of whatever flavour], OS/2, 
Novell NetWare, etc.  For this reason, any PC is susceptible to 
infection from boot sector viruses.

Under Windows 95, boot sector viruses will [in most cases] go memory 
resident and successfully infect floppy disks accessed in the PC.  This 
is not the case under protected mode operating systems, like Windows 
NT, where the concept of a TSR [memory resident program] is anathema.  
However, data stored on PCs running these operating systems is still at 
risk.  Any damage routine triggered by a boot sector virus takes place 
[like the infection process] at a BIOS level, before the operating 
system has been loaded.  

Just as the spread of boot sector viruses will be more limited under 
Windows NT, the spread of traditional file viruses [the most successful 
of which are memory resident viruses] is likely to diminish.  However, 
this will have less of an impact on the wider picture; it should be 
remembered that ‘traditional’ file viruses [as distinct from macro 
viruses] represent only about 30% of ‘in the wild’ viruses.

It is worth remembering that the observations above relate to existing 
viruses, written during a period when DOS has been the principal 
desktop operating system.  And the viruses we have seen which infect 
Windows programs [for example, Tentacle or Boza] are not memory 
resident viruses.  However, a virus which is able to actively monitor, 
and intercept, disk or file activity, is able to spread more 
effectively.  It is not inconceivable that, at some point in the 
future, viruses will be written to do this.  It is much less 
straightforward to write such programs for non-DOS operating systems.  
However, anti-virus vendors are able to write programs to monitor disk 
and file activity under Windows NT.  Program code is program code:  if 
anti-virus programs can function in this way, virus programs can also 
be written to do so.

There is no reason to suppose that the number of viruses being written 
will diminish greatly.  There were around 7,500 viruses in July 1995; 
currently there are around 9,500.  It is difficult to say if this rate 
of growth will continue.  It is fair to say, however, that reports of 
the death of viruses have been ‘greatly exaggerated’.

©S&S International PLC - 20th August 1996