2010-07-01
Abstract
In 1997, Virus Bulletin published an overview of virus activity in the Indian subcontinent. The piece ended with a series of predictions. Andrew Lee now picks up where that article left off and examines where the predictions were borne out, and where they failed to meet reality.
Copyright © 2010 Virus Bulletin
In April 1997, Mr Neville Bulsara wrote an article in Virus Bulletin (see VB, April 1997, p.16), giving an overview of virus activity in the Indian subcontinent. He ended his interesting article with a series of predictions (always a risky undertaking). Since I have spent the last 18 months working in the geographic area he wrote about, I felt it would be interesting to update his article and to examine where his predictions were borne out, and where they failed to meet reality.
Briefly, his predictions were (paraphrasing):
The days of viruses are numbered – macro viruses are a threat, but will not continue to be so.
Many systems in India use MS-DOS, which explains why file viruses are more prevalent than in Windows-using countries, but this will change.
Viruses can be written for all platforms: these will not be a major threat as most are written by people who lack the expertise to write Windows-based viruses.
The Internet is the place to watch as regards potential entry points for viruses.
Viruses written for Windows 95 or NT are unlikely to get very far, even if they are posted to the Internet – at worst, only systems downloading them will be infected as people do not share Windows applications across computers.
Excel spreadsheets are not a threat as they are only of interest within the same organization or industry.
Over a period of time, the number of viruses that appear will decrease dramatically: this does not mean that there will be no viruses, but that there will be too few to support an industry [presumably he meant the AV industry] in its own right.
Anti-virus will be sold as part of a suite of components as an added ‘throw-in’. Companies recognizing the inevitable will slash their prices long before the collapse, to sell as much as they can while the going is good [in Mr Bulsara’s opinion this process had already begun].
Marketroids will market other products and services, programmers will find other applications to develop, and researchers will find other fields to research.
Mr Bulsara himself hoped to preside over the death of the industry he had helped (at least in his own country) to spawn.
Clearly, one thing is true: macro viruses have long ceased to be a serious threat. And, while there is probably some dispute about the usefulness of Excel spreadsheets, it is certainly true that they pose no significant threat as a tool for spreading malware misery (despite the misery they no doubt bring as a management tool) – though perhaps we could argue that their use in spear phishing counts.
Bulsara’s prediction that anti-virus would become a relatively insignificant part of a suite is also interesting. In terms of technical investment, anti-virus is probably still the most important component of a security suite, but it is also the one about which customers are most blasé. All anti-virus products are supposed to protect the consumer against all ills that might befall their computer systems, and a few else beside; the differentiators between the products on offer are now typically the ‘add-on’ components – which, if you like, are ‘thrown-in’ with anti-virus suites to provide packages that are more tempting to the customer.
Perhaps most prescient was Bulsara’s prediction that the Internet would become the main entry point for viruses. While the rest of the prediction – that downloading viruses from the Internet would not be a big problem – was incorrect, the obvious truth is that, without the Internet, Bulsara may well have had his wish to preside over the death of the AV industry fulfilled.
Interestingly, if perhaps a little embarrassingly, in the same issue of VB, Eugene Kaspersky provided an analysis of the first Windows 95-specific virus, Punch. It puzzles me that a programmer of some talent such as Mr Bulsara could make an assertion that people wouldn’t have the necessary skills to write viruses for Windows 95 or NT. Surely this is a denial of all that he had learnt himself – after all, viruses are just computer programs, and a file infector on Windows, while perhaps more complex than on MS-DOS, is no less possible than on any other system (particularly if you only care about execution, and not about trying to preserve the original functionality of the file).
In terms of volume, viruses may never have truly been the ‘big hitter’ as a proportion of overall malware (let’s leave the definitions debate for another time), but in general terms, malware in all its forms is perhaps the defining ‘product’ of the modern computer age. There are possibly as many maliciously intended binaries in existence as there are legitimate ones – or if not now, there will be in the future. Like spam, malware has become ubiquitous. Certainly, there is enough work to keep several generations of security practitioners and anti-virus researchers busy.
At the time of Mr Bulsara’s writing, there was a nascent indigenous anti-virus scene in India, and Mr Bulsara was working in it. Indeed, he sold his own anti-virus company in 1995. In 1992, K7 Computing was founded, and it has gone on to become one of the most successful companies in Tamil Nadu, last year winning the Exporter of the Year award. Today, India hosts at least four major anti-virus companies, and many more companies working in the security space. Far from seeing ‘the end of anti-virus’, India has grown in stature as one of the places where a unique combination of a highly educated (and largely English-speaking) workforce, reasonable wage levels and low rental costs have attracted many overseas anti-virus companies to set up operations. It may have been beyond the imagination in 1997, but in 2008 India played host to the 11th AVAR conference, hosted by Indian AV company Quick Heal, and sponsored by K7 Computing alongside other international vendors.
India is fast becoming one of the most important countries in the world for the IT sector, and anti-malware – as a subset of that industry – is finding India to be no less important. As a land rich in resources, experiencing extraordinary economic growth, it will surely in years to come be a key battleground between malware authors and those of us who try to fight these criminals.
Perhaps no one could have predicted the rise of the Internet, or indeed the huge uptake of personal computers. At the time Mr Bulsara was writing, DOS was still largely the operating system of choice, and Windows – available in version 3.11 and Windows 95 flavours – was little more than a rudimentary graphical interface on top of DOS. Therefore, the overwhelming majority of viruses were DOS .exe and .com infectors (along with macro viruses), and the volume of new viruses was so small that they could be (and were) listed each month across a couple of pages of Virus Bulletin magazine.
Windows 98, released little over a year after Mr Bulsara wrote his article, perhaps truly began the revolution in terms of largely non-technical people starting to use computers in the home, building on the rather shaky Windows 95 (which only really became usable once the second service pack was released).
Interestingly, it could be argued that ‘non-technical’ users – particularly in the publishing world – had long been using computers, but they generally preferred the user-friendly Apple Mac platform. This illustrates the flexibility that the Windows platform was coming to offer – an ability to use a range of different hardware (therefore to be able to choose a price range appropriate to one’s needs), as well as the ability for developers to really ‘get inside’ the system (a double-edged sword in terms of malware).
It wasn’t until the early 2000s when we saw an explosion in criminally exploited malware. The rise of adware and spyware saw the first serious foray into exploiting end-users, and the recent 10-year anniversary of VBS/Loveletter reminds us of the true dawning of social engineering as a widespread tool for spreading malware, and of the rise of successful phishing attacks.
More than anything perhaps, it is worth bearing in mind three basic rules of security:
Even though something is hard to exploit, someone will probably still exploit it (many people considered it too difficult to write a virus for Windows NT4, until Winnt/Infis came along).
Any computer system powerful enough to run a program can run a program that could be considered malicious – therefore there are no ‘un-exploitable’ or ‘un-virusable’ computer systems.
It is inadvisable to make predictions about the future of security; you will nearly always be wrong.
It is never easy to be a prophet, much less in the modern world where technology changes so quickly, but Mr Bulsara’s opening statement still holds true, and I shall use it in my conclusion: ‘India [is] a country whose programmers are among the world’s best, and one where viruses abound – as does anti-virus software.’
Mr Bulsara subsequently left the anti-virus industry – perhaps truly believing it would fall – and is now a professional photographer and documentary maker working in India; you can see his site at http://www.nevillebulsara.com/nevilleb.htm.