Computer Viruses: The Risks Posed to CPAs and How to Deal with Them
By James D. Cashell and Jeri B. Waggoner
During the past year, the destructive potential of computer viruses has been exposed. Articles have appeared in major newspapers and magazines documenting actual instances of virus-induced damage to data, programs, and even computer hardware. Successful virus attacks have been reported on everything from microcomputers to mainframe networks, and have infected such noted establishments as IBM, Apple Computer Corp., NASA, and the Pentagon. Additionally, research in the field of computer engineering has proven that no computer system where sharing takes place is immune to a virus attack.
The risks posed by computer viruses are especially acute for accountants in public practice. Accountants face two threats. First, there is the threat that the accounting firm's computer systems could contract a virus that would result in damage to the firm's programs, data, and/or equipment. Second, because of the interactions public accountants frequently have with their clients' computer systems, there is the threat that the firm might inadvertently spread a virus to one of its clients. Such an event could have disastrous consequences for the firm.
Is the Threat Real or Just Media Hype?
The nature and variety of successful virus attacks reported during the past three years provide convincing evidence that the attacks pose a real and potentially serious threat. The "Brain Virus," for example, was reported to have infected floppy disk computer systems at hundreds of universities and businesses throughout the U.S., and is still spreading. The "Lehigh Virus" has the capability of spreading to both floppy and hard disk microcomputer systems. It has caused a significant amount of damage to data. Even large computer networks have not been immune to virus attack. Two years ago, IBM's international electronic mail network was slowed to a halt by the "Christmas Virus." Apple Computer Corp.'s Compuserve Network was victimized by yet another virus. One of the most widely reported virus attacks involved the Pentagon's ARPANET system.
The potential for viruses to cause harm is probably best illustrated by the virus reported at Hebrew University, Jerusalem. This virus was specifically designed to attack the University's computer network, which served several important government and military installations. It carried a time-bomb program that was set to erase all infected files on a preset date. Fortunately, because of a programming error in the virus, it was detected and dismantled before any destruction occurred. However, in the investigation, the virus was found to have infected literally hundreds of thousands of files throughout the network and would have caused irreparable harm had it not been detected before the detonation date.
Do accounting firms have to worry about computer viruses? Consider the following scenario:
A staff auditor on an engagement takes one of the firm's compact PCs home at night. Despite firm policies against unauthorized use, the auditor's son uses the computer to run a game program he got from a friend at school. The game program contains a virus similar to the "Lehigh Virus," which is capable of spreading to floppy and hard disk systems. When the game program is run, the virus immediately installs itself into the computer's operating system in RAM. Later, the son wishes to learn Lotus. Rather than rebooting the computer, he merely pulls up the Lotus program from the computer's hard disk. Since the virus is already resident in RAM and the hard disk has been accessed, the virus is able to infect files on the hard disk. Assuming this virus is typical and is programmed not to cause damage until it has run several times, the auditor has no reason to suspect its existence. The next day at work, the auditor shares infected files with other auditors and spreads the virus even further. The delayed-damage feature still does not trigger and protects the virus from detection. Later in the week, one of the auditors uses an infected program to upload audit software onto a client's microcomputer network and spreads the virus to the client's system. By the time the delayed-damage feature activates and exposes the virus, it has spread to hundreds of files and the potential for damage is enormous.
Based on the evidence, it seems reasonable to conclude that viruses pose great risks to CPAs. This being so, it would seem prudent for anyone using computer applications, whether microcomputer or mainframe, to institute precautions against virus attacks.
What Are Computer Viruses?
A computer virus is a computer program that has the ability to copy itself to other computer programs or data files. That is, the virus program code is added to the code of some "legitimate" program. As a result, whenever a user invokes the legitimate program, the virus program is also run.
Viruses can be designed to attach themselves to any executable program or data file or may be written to attach themselves only to very specific files, such as the "command.com" program in the DOS operating system of a microcomputer. For example, the "Brain Virus," mentioned earlier, functions by attaching itself to the boot sector of DOS floppy disks. When the computer is booted with an infected disk, the virus enters RAM and essentially takes control of the operating system. Whenever a floppy disk operation is invoked, the virus commands instruct the computer to search the active disk drive for an uninfected disk and, if found, to copy the virus instructions to its boot sector. The newly infected disk then serves as an additional agent for spreading the virus.
Writing a virus program is not necessarily a complex endeavor. For example, proper coding of the instructions in lines 1-6 below would construct a virus that would infect all *.exe files in disk drive A:
1 "virus codename"
2 If all *.exe files on drive A have been read GOTO line 7, else
3 Read file i on drive A (i = 1, 2, ...)
4 If file i contains "virus codename" return to line 2, else
5 If file i is an .exe file, copy lines 1-6 to the beginning of file i
6 Return to line 2.
7 *
* First instruction of the legitimate program file invoked by the user.
Line 1 contains a special virus program identification so that the virus will not infect the same program twice. Lines 2 and 3 instruct the computer to read all *.exe files accessible through disk drive A. Once all the files have been read, line 2 instructs the computer to return to the regular program (i.e., the one the user intended to execute). Line 4 checks each program for the special virus codename in line 1 to see whether the program already contains the virus. If the program does not already contain the virus, line 5 directs the computer to attach the virus commands, lines 1 to 6, to the program.
The virus program itself is not what presents the real danger; rather it is the virus program's ability to carry additional undesirable programs with it. For example, it would be possible to include with a virus a program designed to erase the entire contents of a disk, or a program to override specific security controls, or even a program to destroy hardware components.(1)
With today's sharing of computer resources, a virus can spread rapidly. With one execution, a virus program can infect every program or data file that is directly accessible. For example, the virus could instruct a PC to search its own disk drives, including the hard disk, for executable files, and even to search the disk drives of other computers with which it is networked. Additionally, when a user shares an infected file with another user, the new user exposes his/her entire system to the virus. As can be imagined, this could lead to widespread infection by the virus in a very short time.
Widespread infection is aided by programming a delayed reaction feature into the virus. That is, the program is written so that the virus will not cause observable damage until some time in the future. This way the virus does not call attention to itself until it has had sufficient time to propagate itself many times. For example, a virus might be programmed to erase all of the data on a disk only after the virus program has been invoked 20 times. Since an infected user would not have any reason to suspect the virus's presence, the program would be allowed to run 20 times. On each of the 20 runs, the virus would infect other files, each having the ability to, in turn, spread the virus. By the time the first overt virus reaction occurs, there could be thousands of infected files, each one spreading the virus even further.
Another feature that aids virus spread in today's computer society is the ability to lie dormant on backup copies of files. When a user backs up a file to which a virus is attached, the virus will also be backed up and stored. Long after an active virus has been detected and supposedly eradicated from the system, it could be reintroduced to the system all over again when a backup copy of a program, infected with the virus, is put into use. Ironically, backing up program and data files is a major control procedure for protecting against virus damage, yet it is also a major factor in protecting a virus from extinction.
What Can Be Done to Protect Against Virus Attacks?
Whenever users have the ability to share information with other users, there is a possibility of virus spread. For example, a user of the firm's spreadsheet program might alter a file on the disk and pass it along to another person. This is the type of sharing that could facilitate the spread of a virus. With sharing, viruses can spread from user to user.
Back Up All Work. Backing up files on a regular basis will help eliminate the possibility of viral damage. If programs or data files used in day-to-day operations are damaged due to a virus, the backup copies can be used to replace them.
There are two important factors to keep in mind when using a backup strategy to minimize viral damage. First, the backup copy may be infected with the virus. If a virus has been found on the operating copy of a file, it would be advisable to closely examine the backup copy for the same virus. The second factor is that backup copies may have to be kept for a longer period of time than is considered necessary under current policies. This is because of the potential virus time bomb feature that could delay virus damage until months or even years have passed. In the meantime, some of the backup files may have been destroyed. Any backup policy should consider this problem and be capable of reconstructing all necessary files.
Use Write Protection Devices on All Executable Files. Write protecting an executable file prevents it from contracting a virus. This is because write protection controls prohibit any alterations, including the attachment of a virus, from being made to the file. Floppy disks are write protected by either placing a piece of tape over the notch in the corner of the disk or buying disks having jackets without such a notch. For hard disks and networks, special software such as Disk Defender by Director Technologies, Inc., can be used to write protect program files.
In some instances, it may be desirable to use hard disk locks to protect files on the hard disk from being altered. Locks on the hard disk drive prevent it from functioning, meaning that nothing can be read from or written to it including a virus. Although this control is obviously not practical during normal use of the computer, it would be useful in preventing virus attacks occurring as a result of unauthorized computer use.
Although the use of write protection devices provides some control against computer viruses, they can usually be bypassed without much difficulty. For example, any user could easily remove the tape from a floppy disk or, if accessible, turn off the write protection software defending a hard disk or network. Additionally, software engineers have found that some of the black write protection tape provided by disk manufacturers is transparent to ultra-violet light and actually fails to offer write protection. Because of the ease with which write protection controls can be circumvented, it would be wise not to place too much reliance upon them as a control against computer viruses.
Buy Software from Reputable Dealers and Only Use Copies of the Software that are Made from a Protected Master Program. All software should be obtained directly from reputable vendors in manufacturer's sealed packaging. The master program disk supplied by the vendor should immediately be write protected and should only be used to make copies of the program. Only copies made from the protected master program should be used for actual applications. This procedure is designed to ensure that clean master programs purchased from vendors do not become infected with a virus.
There are two limitations inherent in the above policy. First, the policy assumes that software purchased from a reputable vendor in manufacturer-sealed packaging is virus-free. This is usually a safe assumption, but there have been reported instances in which major software suppliers have inadvertently sold virus-contaminated products.(2) The second limitation is that the policy does nothing to ensure that a copy of a program made from a clean master will remain virus-free. The copy of the program may become contaminated after it has been produced.
Turn Off and Reboot PCs with a Clean Operating System Between Applications. Turning off the PC's power clears RAM and, thus, any virus that might be residing in it. For example, if a user runs a spreadsheet program containing a virus and follows it with an application requiring a statistics program, the virus could be spread to the statistics program. By clearing the machine's RAM between these two applications, the threat of the virus spreading would be eliminated. It should be noted that simply rebooting the machine between applications is not enough; the machine must be switched off to ensure that RAM is cleared.
The operating system (e.g., DOS) serves as an excellent host and medium for transmitting a virus and therefore needs special attention. Because the operating system's subroutines are frequently invoked during most computer sessions, if it contains a virus, the virus will have ample opportunity to spread itself. Therefore, it is important to ensure that the operating system is clean. Some recommendations are to:
1. Copy the operating system only to boot disks (i.e., do not produce self-booting programs, or format a data disk with the operating system on it);
2. Prepare all boot disks only from an original master disk that has been properly protected from contamination; and
3. Write protect all boot disks to prevent a virus from inadvertently being copied to them.
Make Sure all Employees are Aware of the Risks Associated with Running "High Risk" Software on Company Computers, and that they Exercise Extreme Caution in this Regard. Any software whose origin is unknown should be considered a high risk. Most common in this category are such things as freeware obtained from electronic bulletin boards and pirated copies of programs. Extreme caution should also be exercised with anything brought home from schools. Many of the reported virus attacks have originated at schools.
With regard to high risk software, most experts would recommend forbidding its use on any of the company's computers. However, in accounting firms where employees often work after hours or are permitted to take the firms' computers home, such a policy cannot realistically be enforced. In such cases it is probably better to inform employees of the risks involved with viruses and how they might safely use such software.
High risk software should be used carefully and, in most cases, only on stand-alone computers without hard disks. It should never be used on mainframes, personal computers with hard disks, or networks of any type, unless there is complete assurance that all on-line files cannot be altered. For example, files on a hard disk would be protected if a write protection program is properly functioning.
When using high risk software, the computer should be booted and the boot disk removed prior to running the software. Only the disk containing the software should be accessible to the machine (i.e., do not leave a disk containing legitimate program files in drive B). Any data disk used when running the high risk program should be reformatted before it is used for any other applications. After running the program, the computer should be switched off prior to running any other applications. Merely rebooting the computer is not enough. It must be completely switched off to prevent any virus residing in RAM from later infecting other files.
Engage a Reputable Computer Security Consultant to Review and Recommend Control Procedures and Devices for Mainframe Computer Operations. Most mainframe computer systems have several unique characteristics that make it meaningless to suggest a general set of control procedures and devices that might be implemented to control for computer viruses. What might be appropriate for one system may be useless on another. Therefore, it is recommended that a computer security expert be employed to analyze the system's current controls and, if necessary, to design and implement additional controls. Even if an in-house computer security expert is available, it might still be worthwhile to hire an outside consultant with computer virus knowledge.
In addition to hiring consultants, it would be advisable to monitor current developments in virus security as they pertain to the firm's mainframe operation. One source of such information would be the vendors associated with the system's major hardware and software components. Another good source of information would be periodicals that specifically deal with computer security.
Employ Products and Procedures to Detect Virus Infection. One way to minimize potential virus damage is early diagnosis. If spotted early enough, it is possible to prevent further virus infection and possibly prevent any damage to files already infected.
A procedure that could be employed to search for virus infection is making periodic comparisons of the present status of files with their expected state. This would essentially consist of running a periodic check on file directories and comparing the file names and sizes with pre-established parameters. Viruses operate by attaching additional program instructions to executable files which increase their size. Therefore, any unexpected increase in file size or an alien file name might signal a virus.
There are also software products available that constantly monitor files for virus infection. Crypto-Checksum, for example, was designed as a virus detection program.(3) This particular product is superior to the procedure described in the above paragraph for two reasons. First, it uses a cryptographic checksum routine which would detect not only an increase in the size of a file but also any change in the content of the file. This would detect even a sophisticated virus that is designed to erase part of a file so that its attachment does not alter the file's size. Second, it provides constant monitoring rather than only periodic monitoring. This should ensure earlier detection of a virus and a better chance to minimize potential damage. The major drawback of the above product is that it requires CPU time to perform its checking routine every time a file is accessed or replaced. This could slow processing time significantly.
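As an added example (not from the article, and not the Crypto-Checksum product it cites), the following Python script implements both checks described in the two paragraphs above: a baseline of file names and sizes that catches files that grew or appeared, and a cryptographic digest that also catches a same-size content change. SHA-256 stands in for the 1987 checksum scheme; the directory, file names and file contents are constructed for the demonstration and the "changes" are plain writes that imitate the symptoms the article describes.

```python
import hashlib
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = (".exe", ".com")


def file_digest(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, suffixes=EXECUTABLE_SUFFIXES) -> dict:
    """Record name, size and digest of every executable file under `root`.

    This is the 'expected state' the article refers to; in practice it is taken
    from a clean installation and kept on write-protected media.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"size": p.stat().st_size, "sha256": file_digest(p)}
    return baseline


def compare_baselines(expected: dict, current: dict) -> list:
    """Return sorted (finding, file) pairs for every deviation from the baseline.

    Size growth is the classic sign of attached code; a changed digest at the
    same size catches code that overwrote part of the file instead.
    """
    findings = []
    for name, exp in expected.items():
        cur = current.get(name)
        if cur is None:
            findings.append(("missing", name))
        elif cur["size"] != exp["size"]:
            findings.append(("size_changed", name))
        elif cur["sha256"] != exp["sha256"]:
            findings.append(("content_changed_same_size", name))
    findings.extend(("new_file", name) for name in current if name not in expected)
    return sorted(findings)


def check_against_baseline(root: Path, baseline: dict) -> list:
    """Rescan `root` and report deviations from a previously stored baseline."""
    return compare_baselines(baseline, build_baseline(root))


def demo() -> list:
    """Constructed directory: take a baseline, make three changes, report them."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "lotus.exe").write_bytes(b"LEGIT-PROGRAM-0001")
        (root / "stats.exe").write_bytes(b"LEGIT-PROGRAM-0002")
        (root / "notes.txt").write_bytes(b"data file, not checked")
        baseline = build_baseline(root)
        (root / "lotus.exe").write_bytes(b"XX" + b"LEGIT-PROGRAM-0001")  # grew by two bytes
        (root / "stats.exe").write_bytes(b"LEGIT-PROGRAM-0003")          # same size, new content
        (root / "extra.exe").write_bytes(b"UNEXPECTED")                   # file not in baseline
        return check_against_baseline(root, baseline)


if __name__ == "__main__":
    for finding, name in demo():
        print(f"{finding:28s} {name}")
```

The baseline itself is the weak point: if it is stored where a program can rewrite it, an infected file can be re-baselined along with everything else, so the stored baseline belongs on the same write-protected media the article recommends for master disks.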
Use Antidotes for Known Viruses. Once the nature of a virus is known, writing or obtaining an antidote program is usually fairly easy. An antidote is a program that searches files for the specific coding contained in a known virus and, when found, renders it harmless. Often antidotes are provided free on electronic bulletin boards or from previously infected users. Some potential sources of information regarding the nature of viruses currently spreading in an area, and available antidotes, are local computer clubs, software vendors, and local and national computer publications. Caution should be exercised when using virus antidotes, however, because they themselves might be carriers of a different virus.
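The detection half of an antidote, as an added Python example that is not from the article or from any antidote program it mentions: scan executable files for the byte pattern that identifies a known virus, the analogue of the "virus codename" in the pseudocode earlier in the article. The signature bytes, file names and file contents are constructed for the demonstration. The scanner only reports where a signature occurs; quarantine and removal are left to the remedial step that follows a confirmed finding.

```python
import io
import tempfile
from pathlib import Path

# Constructed signature for this demo; a real antidote carries the byte
# pattern published for one specific known virus.
KNOWN_SIGNATURES = {"demo-signature": b"VIRUS-CODENAME-DEMO"}


def scan_stream(f, signature: bytes, chunk_size: int = 65536) -> list:
    """Return the byte offsets at which `signature` occurs in binary stream `f`.

    The stream is read in chunks; the last len(signature)-1 bytes of each chunk
    are carried into the next read so a pattern straddling a chunk boundary is
    still found, and found exactly once.
    """
    if not signature or chunk_size < len(signature):
        raise ValueError("chunk_size must be at least the signature length")
    offsets = []
    carry = b""
    base = 0  # stream offset of buf[0] on each iteration
    while True:
        chunk = f.read(chunk_size)
        if not chunk:
            break
        buf = carry + chunk
        start = 0
        while (idx := buf.find(signature, start)) != -1:
            offsets.append(base + idx)
            start = idx + 1
        keep = len(signature) - 1
        carry = buf[-keep:] if keep else b""
        base += len(buf) - len(carry)
    return offsets


def scan_bytes(data: bytes, signature: bytes, chunk_size: int = 65536) -> list:
    """Convenience wrapper for scanning an in-memory buffer."""
    return scan_stream(io.BytesIO(data), signature, chunk_size)


def scan_file(path: Path, signature: bytes, chunk_size: int = 65536) -> list:
    with open(path, "rb") as f:
        return scan_stream(f, signature, chunk_size)


def scan_directory(root: Path, signatures: dict = KNOWN_SIGNATURES,
                   suffixes=(".exe", ".com"), chunk_size: int = 65536) -> list:
    """Scan executables under `root`; return (relative path, signature name, offset)."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not (p.is_file() and p.suffix.lower() in suffixes):
            continue
        for name, sig in signatures.items():
            for off in scan_file(p, sig, chunk_size):
                findings.append((p.relative_to(root).as_posix(), name, off))
    return findings


def demo() -> list:
    """Constructed directory with a clean file, a marked file, and a boundary case."""
    sig = KNOWN_SIGNATURES["demo-signature"]
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "clean.exe").write_bytes(b"LEGIT-PROGRAM-WITHOUT-MARKER")
        (root / "infected_a.exe").write_bytes(b"MZ-HDR-" + sig + b"LEGIT-PROGRAM")
        # 15 filler bytes place the 19-byte signature across the 20-byte chunk boundary
        (root / "straddle.exe").write_bytes(b"A" * 15 + sig + b"B" * 10)
        return scan_directory(root, chunk_size=20)


if __name__ == "__main__":
    for path, name, offset in demo():
        print(f"{path}: {name} at byte {offset}")
```

The small chunk size in demo() exists only to exercise the boundary logic; the default of 64 KiB is what a scan would normally use. The article's caution about antidotes applies to this scanner too: the scanner program and its signature list should come from a protected master copy, and their own integrity should be checked before they are trusted to check anything else.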
Minimize Potential for Damage if Virus Infection is Suspected. The only recommendation here is to shut down the system until remedial procedures can be taken. There should be no attempt at the point of discovery to back up the infected files. This is because the process of backing up may pull the trigger on a time bomb being carried by the virus and cause damage. At the very least, the virus would be stored on the backup and may unexpectedly be reintroduced to the system at a later time. If there is a question regarding the appropriate remedial procedures that should be taken, it would be wise to consult an outside expert.
(1) In one reported virus attack, a company in Silicon Valley reportedly experienced terminal fires as a result of a virus-introduced program that changed CRT monitors' cycling speeds.
(2) Last year, Commodore Computer Corp. reported that a virus infected its legitimate distribution system for the Amiga computer and, as a result, thousands of infected programs were inadvertently produced and sold.
(3) Cohen, Fred, "A Cryptographic Checksum for Integrity Protection," Computers & Security, Vol. 6 (1987), pp. 505-510.
James D. Cashell, PhD, CPA, Miami University, Oxford, OH; Jeri B. Waggoner, PhD, CPA, University of Cincinnati.
©2009 The New York State Society of CPAs.