Investigators should first interview the victims to identify the nature of the suspected attack. They should also use the special tools available (not resident system utilities) to examine the contents and state of the system after a suspected event. The original provider of the software packages suspected of being contaminated should be consulted to determine whether others have had similar experiences. Without a negotiated liability agreement, however, the vendor may decide to withhold important and possibly damaging information.

The following are examples of possible indications of a virus infection:

•  The file size may increase when a virus attaches itself to the program or data in the file.

•  An unexpected change in the time of last update of a program or file may indicate a recent unauthorized modification.

•  If several executable programs have the same date or time in the last update field, they have all been updated together, possibly by a virus.

•  A sudden unexpected decrease in free disk space may indicate sabotage by a virus attack.

•  Unexpected disk accesses, especially in the execution of programs that do not use overlays or large data files, may indicate virus activity.

All current conditions at the time of discovery should be documented, using documentation facilities separate from the system in use. Next, all physically connected and inserted devices and media that are locally used should be removed if possible. If the electronic domain includes remote facilities under the control of others, an independent means of communication should be used to report the event to the remote facilities manager. Computer operations should be discontinued; accessing system functions could destroy evidence of the event and cause further damage. For example, accessing the contents or directory of a disk could trigger the modification or destruction of its contents.

To protect themselves against viruses or indicate their presence, users can:

•  Compare programs or data files that contain checksums or hash totals with backup versions to determine possible integrity loss.

•  Write-protect diskettes whenever possible, especially when testing an untrusted computer program. Unexpected write-attempt errors may indicate serious problems.

•  Boot diskette-based systems using clearly labeled boot diskettes.

•  Avoid booting a hard disk drive system from a diskette.

•  Never put untrusted programs in hard disk root directories. Most viruses can affect only the directory from which they are executed; therefore, untrusted computer programs should be stored in isolated directories containing a minimum number of other sensitive programs or data files.

•  When transporting files from one computer to another, use diskettes that have no executable files that might be infected.

•  When sharing computer programs, share source code rather than object code, because source code can more easily be scanned for unusual contents.

The best protection against viruses, however, is to frequently back up all important data and programs. Multiple backups should be maintained over a period of time, possibly up to a year, to be able to recover from uninfected backups. Trojan horse programs or data may be buried deeply in a computer system — for example, in disk sectors that have been declared by the operating system as unusable. In addition, viruses may contain counters for logic bombs with high values, meaning that the virus may be spread many times before its earlier copies are triggered to cause visible damage. The perpetrators, detection, and evidence are the same as for Trojan horse attacks (see Exhibit 7).

SALAMI TECHNIQUES

A salami technique is an automated form of abuse involving Trojan horses or secret execution of an unauthorized program that causes the unnoticed or immaterial debiting of small amounts of assets from a large number of sources or accounts. The name of this technique comes from the fact that small slices of assets are taken without noticeably reducing the whole. Other methods must be used to remove the acquired assets from the system.

For example, in a banking system, the demand deposit accounting system of programs for checking accounts could be changed (using the Trojan horse method) to randomly reduce each of a few hundred accounts by 10 cents or 15 cents by transferring the money to a favored account, where it can be withdrawn through authorized methods. No controls are violated because the money is not removed from the system of accounts. Instead, small fractions of the funds are merely rearranged, which the affected customers rarely notice. Many variations are possible. The assets may be an inventory of products or services as well as money. Few cases have been reported.

Detecting Salami Acts

Several technical methods for detection are available. Specialized detection routines can be built into the suspect program, or snapshot storage dump listings could be obtained at crucial times in suspected program production runs. If identifiable amounts are being taken, these can be traced; however, a clever perpetrator can randomly vary the amounts or accounts debited and credited. Using an iterative binary search of balancing halves of all accounts is another costly way to isolate an offending account.

The actions and lifestyles of the few people with the skills, knowledge, and access to perform salami acts can be closely watched for deviations from the norm. For example, the perpetrators or their accomplices usually withdraw the money from the accounts in which it accumulates in legitimate ways; records will show an imbalance between the deposit and withdrawal transaction. However, all accounts and transactions would have to be balanced over a significant period of time to detect discrepancies. This is a monumental and expensive task.

Many financial institutions require employees to use only their financial services and make it attractive for them to do so. Employees’ accounts are more completely and carefully audited than others. Such requirements usually force the salami perpetrators to open accounts under assumed names or arrange for accomplices to commit the fraud. Therefore, detection of suspected salami frauds might be more successful if investigators concentrate on the actions of possible suspects rather than on technical methods of discovery.

Exhibit 8 lists the methods of detecting the use of salami techniques as well as the potential perpetrators and sources of evidence of the use of the technique.

Exhibit 8.  Detection of Salami Acts