Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!wuarchive!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: frisk@rhi.hi.is (Fridrik Skulason)
Newsgroups: comp.virus
Subject: Re: Dead vs Live: Commercial Necessity??
Message-ID: <0011.9105211425.AA07798@ubu.cert.sei.cmu.edu>
Date: 21 May 91 07:42:12 GMT
Sender: Virus Discussion List
Lines: 62
Approved: krvw@sei.cmu.edu

PH461A04@VAX1.UMKC.EDU (Jonathan E. Oberg) writes:

>QUESTION: Will new live viruses spread effectively without new
>techniques??

Yes - just consider viruses like Telecom (stealth/boot sector), Azusa
(stealth/boot sector) and Tequila (stealth/program) - all of which are
quite recent, use no radical innovations, although they are all quite
interesting from a technical point of view, and spreading quite rapidly.

However, around 90% of all new viruses do not spread much, if at all.

My opinion is that...

    ...The number of new virus variants is growing exponentially.

    ...The number of new virus families is also growing exponentially,
       but at a much slower rate.

    ...The number of "successful" new viruses has been constant for a
       while, or growing very slowly - I don't think that more than 5
       "successful" viruses appear per month, even though the number
       of new variants is now 60-100 per month.

    ...The number of virus infections is more-or-less stable - no
       significant increase, despite all those new viruses.

>With the increase of scan/resident/other virus programs, and a
>significant decrease in the time between when a virus is detected and
>the information on that virus is published, the time a virus has
>available to spread is shortened, perhaps below the critical level
>necessary for success.

One problem - people will often use outdated anti-virus software.

Here in Iceland anti-virus software has been sold on 10-20% of all
MS-DOS machines, and probably pirated on an additional 30-40%.
As a result, infection reports had practically stopped. Last month,
however, Azusa arrived here and has been spreading considerably, often
on sites which obtained anti-virus programs two years ago, and have not
bothered to update them since.

>Is the stoned virus, for example, so prevalent because it is well
>designed and/or defeats virus detection, or because it preceded the
>large increase in sites with virus detection programs.

The second explanation - no doubt. The same applies to Jerusalem, and
a few other "old" viruses.

>Without a continual influx of successful viruses, that is new
>techniques, the only marketable force behind upgrades and/or market
>share are dead viruses.

Well, there are always occasional "successful" viruses - but the
success often depends on how the viruses are distributed initially.
If the author just uploads the virus to McAfee's BBS or sends it
anonymously to me or some other anti-virus author, the virus will not
spread much - not unless it "escapes" from the virus-research
community. If, as in the case of Tequila, the author systematically
uploads an infected, popular game to BBSes all over Europe, the virus
may get a significant initial distribution, before anti-virus programs
have been updated to detect it.

-frisk