Next 6- Predicting the Future
Previous 4.5- Form Follows Function
Up Computer Viruses: A Global Perspective

5- Why Are Boot Viruses So Common?

Boot viruses are by far the most common viruses today, accounting for nearly 90% of all incidents in 2Q95. File viruses, on the other hand, have decreased in prevalence. This is a remarkable change. Several years ago, file viruses accounted for around 50% of all incidents. What could be responsible for this dramatic change?

Was it Michelangelo Madness? No. That caused only a temporary depletion of viruses of all kinds. Michelangelo Madness explains the large peak in reported incidents, and the subsequent temporary decrease in incidents. It does not account for the difference in prevalence between boot infectors and file infectors.

Is it due to the increased use of anti-virus software? As anti-virus researchers and producers of anti-virus software, we would certainly like to think so. It is tempting to conclude that anti-virus software has made a difference in the world, given our experience with the sample population, in which we have found that widespread usage of anti-virus software and central incident management substantially reduces the size of incidents within an organization [4, 5, 2, 6]. Unfortunately, a closer look at our own data shows that, while anti-virus software and policies can make a real difference within organizations, anti-virus software does not seem to have made as much of a difference to the world in general. All of the common viruses have been known for quite some time. All of them are detected, even by older anti-virus programs. If anti-virus software were responsible, we would have expected to see a decline in all viruses. The use of anti-virus software does not account for the difference in prevalence between boot infectors and file infectors.

To find the solution to this mystery, we look once again at changes in the computing environment, rather than events associated with the anti-virus industry. The biggest change in the PC computing environment over the past several years has been the change from the use of native DOS to the use of Windows 3.0 and 3.1. Windows 3.0 was released in 1990, and started to become a popular enhancement to the DOS operating system. Windows 3.1, released in 1992, accelerated this trend. Today, a large number of PCs run Windows 3.1.

How does Windows affect the spread of viruses? Experiments carried out at IBM's High Integrity Computing Laboratory demonstrated that Windows is a fragile environment in the presence of typical file viruses. In many cases, if a file virus is resident in the memory of a DOS system, Windows cannot even start. On the other hand, Windows behaves very differently on a system that is infected with a typical boot virus. For many boot viruses, an infected DOS system can not only start Windows, but can spread the virus to diskettes from within Windows.

If Windows users get a file virus, Windows will typically be inoperable. This will cause the users to eliminate the virus one way or another, whether or not they realize that the system is infected. They might use anti-virus software. They might send their system out for repair. They might re-install everything from backups. Whatever they do, they will eliminate the virus because they cannot get back to work until they do.

If Windows users get a boot virus, however, they might not notice it at all. Windows will usually start and function as expected. Unfortunately, the virus will typically spread to non-write-protected diskettes that are accessed from within Windows. In this sense, most boot viruses are not affected by Windows, and spread in just the same way whether the user is running DOS or Windows. Unless users have good anti-virus software, they will not usually have any reason to suspect a problem, and hence no reason to get rid of the virus.

This environmental analysis led us to predict, in 1994, that boot viruses would continue to increase in prevalence, oblivious to the use of Windows. Similarly, we predicted that file infectors would continue to decrease in prevalence. Furthermore, we predicted that boot viruses that were not then very prevalent would become more prevalent, while few file viruses would [16].

This is exactly what has happened. Figure 5 illustrates the dramatic rise of boot virus incidents over the past several years, and the corresponding dramatic decrease in file virus incidents.

Several boot viruses that do spread from within Windows, including AntiEXE and AntiCMOS, were low in prevalence in 1994 but are now substantially more prevalent. As shown in Figure 6, they are approaching the prevalence of more common boot viruses like Form. Once they increase to this level of prevalence, we would expect them to reach equilibrium and not increase further in prevalence.
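The argument above can be made quantitative with a small prevalence model. The following is an added illustration, not code or data from the paper: it assumes a standard SIS (susceptible-infected-susceptible) model, a linear rise in Windows usage from 1990, and constructed spread and cure rates, and shows a file virus dying out while a boot virus with the same spread rate settles at an equilibrium.

```python
# Added illustration: SIS prevalence model for one virus in a PC population.
# All rates are constructed for illustration; none are measured values.

def windows_share(t, start=1990.0, full=1995.0):
    """Assumed fraction of PCs running Windows at time t (linear ramp)."""
    return min(1.0, max(0.0, (t - start) / (full - start)))

def simulate(spread, base_cure, forced_cure, first=1988, last=1996,
             steps=100, seed=0.001):
    """Euler-integrate di/dt = spread*i*(1-i) - cure(t)*i.

    base_cure   : removal rate from ordinary detection and cleanup.
    forced_cure : extra removal rate on Windows machines, modelling users who
                  must clean the PC because the virus stops Windows starting.
    Returns {year: infected fraction at the start of that year}.
    """
    i, dt, history = seed, 1.0 / steps, {}
    for year in range(first, last + 1):
        history[year] = i
        for s in range(steps):
            cure = base_cure + forced_cure * windows_share(year + s * dt)
            i = max(0.0, i + dt * (spread * i * (1.0 - i) - cure * i))
    return history

def equilibrium(spread, cure):
    """Long-run infected fraction of the SIS model (0 if cure >= spread)."""
    return max(0.0, 1.0 - cure / spread)

# Same spread and baseline cure; only the file virus is noticed under Windows.
SPREAD, BASE_CURE = 3.0, 1.5
boot = simulate(SPREAD, BASE_CURE, forced_cure=0.0)
file_ = simulate(SPREAD, BASE_CURE, forced_cure=4.0)

if __name__ == "__main__":
    print("year  boot    file")
    for year in sorted(boot):
        print(f"{year}  {boot[year]:.4f}  {file_[year]:.4f}")
    print("boot equilibrium:", equilibrium(SPREAD, BASE_CURE))
```

In this model the two curves are identical until Windows adoption begins; afterwards the file virus's effective cure rate exceeds its spread rate and it declines toward zero, while the boot virus levels off at 1 - cure/spread.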

