Date: 25 Sep 92 00:57:29
From: The Dark Adept <drkadpt@DRKTOWR.CHI.IL.US>
Subject: File 1--Viruses--Facts and Myths
Viruses--Facts and Myths
by The Dark Adept
This whole virus thing is a joke. Let me tell you why:
What is a virus?
----------------
A virus is a small program that attaches itself to other programs. It
operates much as a biological virus does: it finds a victim program and
infects it with a copy of itself. When the victim program is later run,
the virus code inside it runs first. It can then infect another program,
carry out its payload (the mischief), or both, before handing control to
the victim program so that nothing looks wrong.
What do viruses do?
-------------------
Well, a number of things. Some erase your disks. Others print silly
messages on your screen. Either way, a virus is not written like other
programs. It uses tricks that ordinary programs do not: on DOS, most
viruses stay resident in memory after the infected program exits and hook
the system's interrupt routines, so they get called whenever any program
opens a file or reads the disk. Once your machine is infected, the virus
is back in memory from the first infected program you run after turning
the machine on, and even if all it does is print "I want a cookie," it
can still interfere with other programs, since they don't expect it to
be there.
How do people catch viruses?
----------------------------
Yikes! Here's where all the rumors are! You cannot get a virus from a
modem, a printer, a CRT, etc. Viruses only come from other programs. So,
whenever you add a program to your hard disk or run one off a floppy, you
stand a chance of catching a virus. Data files (files that are not
programs, like text for your word processor) cannot contain viruses. On
IBM PCs, programs usually end in ".exe" or ".com" and are the files that
you run; those are the files that can carry a virus. (This held for the
plain DOS software of the day. It stopped being a safe rule once document
formats gained embedded macros that execute when the document is opened,
so treat a file as a "program" whenever opening it can run code.)
The only way to activate a file virus is to run the program. Say you got
a new program called "game.exe". You put it on your hard drive, but you
never run it (i.e., you never tried it). Even if game.exe has a virus in
it, you WILL NOT catch it. The program has to be run at least once to make
the virus active. The one exception is the boot-sector virus, which lives
not in a program file but in the first sector of a floppy or hard disk.
That sector is loaded and run by the BIOS whenever you boot from the disk,
so leaving an infected floppy in drive A: and rebooting is enough to
catch one even though you never "ran" anything. Michelangelo, which comes
up later in this article, spreads that way.
Another thing is batch files. These are files on IBM PC's that end in ".bat".
These DO NOT contain viruses. However, .bat files run other programs. So
if the .bat file runs a program that has a virus, the virus WILL be activated.
The cause is NOT the .bat file, but the program that was run BY the .bat
file.
Tell me more about these things...
----------------------------------
Ok. Viruses can only be made for specific machines. By this I mean
that a virus that infects IBM PC's will NOT be able to infect Macs.
There may be a tiny tiny chance if your Mac is running something like
an IBM Emulator that a virus may cause problems, but in general, if
you have a non-IBM compatible computer, and you can't run IBM software,
then you can't catch IBM viruses and vice-versa.
For the most part, only personal computers (i.e., IBM PCs and Macs) are
affected by viruses. On IBMs they are usually limited to DOS, so if you
are running Unix on a 386 you have much less to worry about (for now).
The reason personal computers have this problem and others mostly don't
is how they are designed. Personal computers of the past were designed
for one user running one program at a time, so any program may use all
of memory and talk to the disk hardware directly, since there was nobody
else to hurt. On a mainframe or a Unix system, the hardware and the
operating system know that many people share the machine: each program
gets only the memory it was given and only the files its user may write,
and the computer stops it if it reaches beyond that. Viruses need access
to memory and files they shouldn't have, and on a personal computer
nothing stops them from getting it. Note that this confines viruses on a
multi-user system rather than ruling them out: a virus there can still
infect any program its user is allowed to write, and a hole in a network
service such as NFS can hand it more than its user's rights. It just
can't pull the memory-resident tricks that DOS viruses rely on.
How do I *avoid* viruses?
-------------------------
That's like asking "how do I avoid VD?" The answer is "don't stick it in
your slot unless you know where it's been." If you buy the software from
a computer store, you usually don't have to worry. Once in a long while a
shrink-wrapped package has shipped with a virus in it, but in general
store-purchased software is about the safest source there is.
If you copy a program from a buddy, then you might have to think twice.
Where did he get it from? How many times has it been in someone else's
computer? The same goes for software you download with a modem.
The only way to ensure with 100% certainty that you never get a virus
is to allow no outside contact with your computer. This is called a
"sterile environment" or a "Kosher komputer". This means that you cannot
use disks in your computer that have been in other computers, and you cannot
put any type of software in your computer that has not been purchased
from a store. In other words, the only "safe software" is "no software".
If you noticed, computer viruses operate a lot like biological viruses.
In fact, they mostly operate like venereal disease. So look at viruses
the same way as you would at VD. The only 100% assurance you have against
infection is abstinence (from using outside programs and disks). If
for some reason you cannot do this, then you must protect yourself.
How do I protect myself? Is there a "computer condom"?
-------------------------------------------------------
In a nutshell, the answer is NO NO NO!! Do not believe those
ads for anti-virus this and that. It's crap. Like a condom, they
*help* protect against infection, but there are no guarantees. Whenever
you put something in your (disk) slot, you still run a chance of being
infected - the "condom" may break or be infected itself.
Well, what are the different types of protection available?
-----------------------------------------------------------
There are 3 main types of "anti-virus" software available:
o Scanners
o Detectors
o Removers
+++Scanners+++
--------------
Each virus has what the anti-virus geeks call a "footprint" (a
"signature"). What this means is that there is a sequence of bytes that
identifies the virus. For example, say someone gave you a book with no
title or description or whatnot and said, "Can you tell me if this is
Hamlet by Billy Shakespeare?" Being a virus wizard, you would say "Sure!"
What you would do is look through the text for the words "to be or not to
be". If you found them, then the book would be Hamlet. This is what virus
scanners do. They are programmed with an identifying "phrase" or footprint
for every known virus. Then they look at each of your programs. If one of
them contains "to be or not to be", that means the Hamlet virus has
infected your program.
Those of you who have drunk your coffee this morning might realize that
this doesn't help an awful lot. For one thing, what if the text isn't
Hamlet but a review of Hamlet containing the sentence "Hamlet's soliloquy,
which begins with 'to be or not to be', is the most moving part of the
play"? The virus scanner would see "to be or not to be" and think it is a
virus! Of course, it would be wrong (a false positive). Another thing: say
I write a new virus, and the anti-virus cronies haven't seen it yet. Its
footprint wouldn't be in the scanner, so the scanner wouldn't know it was
a virus (a false negative). The same goes for a known virus that has been
altered enough to change its footprint.
A final problem is that the scanner will only really protect you if it
scans the program *correctly* before you ever run it. Once you run it,
if you haven't scanned it or the scanner didn't pick anything up, and there
is a virus inside, you're toast. After you run the program, if you then
run the scanner, sure it will pick it up, but that's like going to the
doctor who tells you that you have the clap after you've got it. The
scanner is most effective when used before ever running the program. It
is also useful for giving your system a "check-up" every once in a while
to make sure something didn't slip by. However, again, now you already
have contracted the virus and now must worry about getting rid of it.
So, if you're going to use a scanner, remember this:
+ You must have a current version so that the new footprints are in there.
+ It works best when you scan programs *BEFORE* they are run for the
first time.
+ It might miss some or give you false results, so don't rely on it
completely.
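Here is the scanner idea from the last few paragraphs in working form. This is an added example, not code from the original article or from any product it names; the "Hamlet" footprint, the second "Hamlet-B" footprint and the sample file contents are all made up for illustration. It reproduces the two failure modes above: a legitimate program that happens to contain the footprint is flagged (false positive), and a strain whose footprint is not yet in the database is missed until the database is updated (false negative).

```python
"""Signature ("footprint") scanning, the way the article describes it.

Added example; not code from the original article or from any product
named in it. The "Hamlet virus", its footprints and the file contents
below are constructed for illustration only.
"""

# Constructed signature database: virus name -> byte pattern assumed to
# appear in every copy of that virus.
SIGNATURES = {
    "Hamlet": b"to be or not to be",
}

# The same database after an "update" that adds a newer strain's footprint.
UPDATED_SIGNATURES = {
    **SIGNATURES,
    "Hamlet-B": b"whether 'tis nobler in the mind",
}

PROGRAM_SUFFIXES = (".exe", ".com")

# Constructed sample files; the bytes stand in for DOS executables.
SAMPLE_FILES = {
    "game.exe":     b"MZ code code code to be or not to be code",          # infected
    "quotes.exe":   b"MZ a quote viewer that embeds: to be or not to be",  # legitimate
    "review.txt":   b"Hamlet's soliloquy, which begins 'to be or not to be'...",
    "clean.exe":    b"MZ nothing of interest here",
    "newvirus.exe": b"MZ code whether 'tis nobler in the mind code",       # unknown strain
}


def scan_file(data: bytes, signatures: dict = SIGNATURES) -> list:
    """Return the names of every footprint found anywhere in the data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def scan_programs(files: dict, signatures: dict = SIGNATURES) -> dict:
    """Scan only program files, skipping data files as the article says
    scanners do. Returns {filename: [matching footprints]}."""
    return {name: scan_file(data, signatures)
            for name, data in files.items()
            if name.lower().endswith(PROGRAM_SUFFIXES)}


def flagged(files: dict, signatures: dict = SIGNATURES) -> set:
    """Names of the program files the scanner would report as infected."""
    return {name for name, hits in scan_programs(files, signatures).items() if hits}


if __name__ == "__main__":
    print("stale database  :", sorted(flagged(SAMPLE_FILES)))
    print("updated database:", sorted(flagged(SAMPLE_FILES, UPDATED_SIGNATURES)))
```

With the stale database the scanner flags game.exe and quotes.exe (the second one wrongly) and misses newvirus.exe; with the updated database it catches all three. Real scanners reduce the false positives by tying each footprint to a position in the file, for instance relative to the program's entry point, rather than matching it anywhere.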
+++Detectors+++
---------------
What the detectors do is watch for virus activity. For example, some
viruses try and erase your hard disk. What a detector does is sit in
the background and watches for an illegal or abnormal attempt to do
something to the hard disk. Then all sorts of alarms and bells go off
("Warning Will Robinson! Warning!") and the detector tries to stop
the virus from doing it. Some will also ask you if you want to allow
whatever action is taking place since you might actually be trying to
format your hard disk.
Another thing that some detectors do is a checksum/byte count check on
your files. Remember that a virus *adds* itself to another program.
So what the detector does is make a list of all the programs on your drive
and remembers what they look like. Then, when a virus changes one, the
detector notices this, and gives you a warning like "Program games.exe
failed checksum!" and asks you if you still want to run it.
You must know that the detector only checks program files. It would be a
real pain if every time you changed your term paper the detector went off.
However, this is not a weakness since only program files can contain
the viruses.
It may seem that detectors are the answer, but they are not. Remember,
the detector only detects virus activity. This means that you already
have a virus running around in your system. It will help stop the damage,
but the infection is already there. Worse, a resident virus that got in
first can lie to the detector: the "stealth" viruses intercept the same
disk calls the checksum routine uses and hand back the original, clean
bytes and file size, so the check passes on an infected machine. A
checksum check is only as good as the system it runs on, so run it after
booting from a known-clean, write-protected floppy. Another problem is
that the detector is hiding in the background watching. Some programs
don't expect the detector to be there and freak out (just as they don't
expect the viruses to be there either), so the detector might interfere
with other programs. The better detectors are well written so as to avoid
this, but even then there might be problems.
So, if you are going to use a detector, remember this:
+ Detectors help stop damage caused by viruses.
+ If it detects virus activity, you are already infected.
+ You must buy a good one so that all types of virus activity are
detected.
+ Run the checksum check from a clean boot, or a stealth virus already
in memory can hide the changes from it.
+ The detector may interfere with other programs.
+++Removers+++
--------------
Also called "disinfectors." What these programs do is get rid of
the virus infection in your computer. Once you have detected an infection,
you have to get rid of it. However, like with cancer, that means cutting
something out usually. Nine times out of ten, a disinfector will have to
delete *ALL* the programs that are infected. Gone. Erased. Never to come
back. Some can get out the virus without deleting files, but this is
rare. It depends on how good the disinfector is and what type of virus
it is. The remover is probably the most crucial piece of anti-virus
software.
So, if you are going to use a remover (and you should), remember this:
+ Files (maybe important ones) will be deleted, so you need backup
copies of your software at all times (you should have this anyhow).
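The checksum detector from the Detectors section and the remover's "cut it out or delete it" decision from the Removers section, as one added example. This is not code from the original article or from any product named in it. The program images, the virus body and the backup are constructed byte strings, and the infection model (a virus that appends itself to the end of a program) is a simplification: the disinfector below can only restore a program whose original bytes survived untouched, which is exactly why the "nine times out of ten you delete" figure is realistic, since most real appenders also rewrite the program's header to jump to themselves.

```python
"""Integrity ("checksum") detection and disinfection of an infected program.

Added example; not code from the original article or from any product it
names. The program images, virus body and backup are constructed bytes,
and the "appender" infection model is a simplification: real disinfectors
need virus-specific knowledge of where the original header was stashed.
"""
import hashlib
from typing import Optional

PROGRAM_SUFFIXES = (".exe", ".com")


def fingerprint(data: bytes) -> dict:
    """Size plus a strong hash; a bare byte count is too easy to fool."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def build_baseline(files: dict) -> dict:
    """Remember what every *program* file looks like. Data files are
    skipped, as the article describes, so editing a term paper never
    trips the check."""
    return {name: fingerprint(data)
            for name, data in files.items()
            if name.lower().endswith(PROGRAM_SUFFIXES)}


def check(files: dict, baseline: dict) -> dict:
    """Compare the current files with the baseline.
    Returns 'ok', 'changed' or 'missing' for each baselined program."""
    report = {}
    for name, record in baseline.items():
        if name not in files:
            report[name] = "missing"
        elif fingerprint(files[name]) == record:
            report[name] = "ok"
        else:
            report[name] = "changed"
    return report


def disinfect(data: bytes, record: dict) -> Optional[bytes]:
    """Cut an appended virus body off a program, keeping the program.
    Only possible when the original bytes survive intact as a prefix.
    If the virus also rewrote the header (the usual case), returns None:
    the file has to be deleted and restored from a clean backup."""
    size = record["size"]
    if len(data) > size and fingerprint(data[:size]) == record:
        return data[:size]
    return None


def recover(data: bytes, record: dict, backup: Optional[bytes]) -> Optional[bytes]:
    """Disinfect in place if possible; otherwise fall back to a backup,
    but only after verifying the backup against the baseline, because a
    backup taken after the infection is just another infected copy."""
    cleaned = disinfect(data, record)
    if cleaned is not None:
        return cleaned
    if backup is not None and fingerprint(backup) == record:
        return backup
    return None


# ---- constructed sample data (not real programs or a real virus) --------
CLEAN_GAME = b"MZ\x90\x00" + b"\x00" * 12 + b"real game code" * 4
VIRUS_BODY = b"<virus: infector+destructor>"

# Appender that left the original bytes alone (recoverable by truncation).
INFECTED_APPENDED = CLEAN_GAME + VIRUS_BODY

# Appender that also patched the header to jump to itself (not recoverable
# without knowing how that particular virus saved the original header).
INFECTED_PATCHED = b"MZ\xe9\xff" + CLEAN_GAME[4:] + VIRUS_BODY

BASELINE = build_baseline({"game.exe": CLEAN_GAME, "paper.txt": b"my essay"})


def demo():
    """Infected machine: game.exe was patched, paper.txt was merely edited."""
    current = {"game.exe": INFECTED_PATCHED, "paper.txt": b"my essay, revised"}
    report = check(current, BASELINE)
    recovered = recover(current["game.exe"], BASELINE["game.exe"], backup=CLEAN_GAME)
    return report, recovered


if __name__ == "__main__":
    print(demo())
```

Running demo() reports game.exe as changed, finds that the header was patched so truncation is not safe, and falls back to the backup only because the backup's fingerprint still matches the baseline; a backup made after the infection is rejected the same way the infected file is, which is the point of scanning backups as they are written. paper.txt never appears in the report because data files are not baselined.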
Who makes this and where can I get it? What do *you* use?
----------------------------------------------------------
There are a lot of companies who make this type of software. I've tried
a bunch, and my *personal* favorite is made by Central Point Software.
It comes in two types of packages:
+ PC Tools Deluxe
+ Central Point Anti-Virus
PC Tools Deluxe has 2 main anti-virus items: PCBackup and VDefend. What
PCBackup does is backup your hard drive. You should be doing this anyhow.
What it also does, however, is there is an option to scan as it backs up.
What this means is before it backs up the program, it checks it for
a virus like a scanner would. This is important. Say you backup your
disk every month. Then like 3 weeks later you find that your word
processor and some other programs are infected by a virus. You disinfect
your disk, and go to install the back up copies. What if the backups are
infected? You're back to square one. PCBackup helps to ensure that your
backups are virus-free. And, like I said under scanners, you need the
current version. Well, good news. The data file where all the footprints
are is updated regularly and can be obtained at no cost (last time I checked)
from Central Point via modem. So you don't need to buy a new copy of
PC Tools every month, just get the new footprint file.
VDefend is a virus detector with a lot of neat options. It is also part
of the PC Tools Deluxe package. PC Tools Deluxe is a nice product and
well written and I like it. If you like Norton's software, that is good,
too, and so are many others. I just happen to prefer PC Tools. So, you
get a lot more for your money than virus detection. Check it out at
your software store.
Now, the mother of all anti-virus software is Central Point Anti-Virus.
This is a killer package. All you could want and more. I've used it a
couple of times, but it is more than I need. Either I'm not paranoid
or I'm too trusting. However, if you want state-of-the-art TopGrade A-1
anti-virus protection, this is it. It also has a disinfector built in
and a lot of other goodies.
Now, why do I prefer these packages? I'll be honest with you. A lot
of the other anti-virus companies are in it strictly for the money. The
bigger the virus scare, the more money they make. Remember the
Michelangelo virus? That was a load of crap. It was a simple virus.
There are a lot more dangerous ones out there, and they are more widespread.
These companies make *only* anti-virus packages, so they need the hype
to survive. Central Point and a few others are not in the anti-virus
industry per se. They are regular software companies who also offer
anti-virus software. Their programming experience is more widespread
than those who concentrate on viruses alone, and this means that their
software should be better in general. Why? Well, look at it this way:
Say you want to add an equalizer to your stereo. Now, do you want the
salesperson to know about stereos in general, or just about equalizers?
Shouldn't he know how equalizers interact with the rest of the system?
A software company that creates various pieces of software will know how
they interact and perform.
Further, an investigation into the history of some of these companies,
like McAfee and Associates, brings up questions about their competence
in this type of work. I ask you to draw your own conclusions, but as
a hint as to what I am referring, try and see what type of work McAfee
was involved in before viruses.
However, since I took a shot at McAfee, I must also state this: I have
known people to use McAfee's software and be 100% satisfied with no
complaints. They like McAfee's software and continue to use it. It
works for them and meets their needs. I hate both McAfee and his software,
and I refuse to use it ever, so you must decide for yourself.
Out of the general software houses, I like Central Point's goods. So those
are my reasons for why I chose it: 1) It is one of the reputable companies,
and, 2) Out of those reputable companies, this software has what I want.
Some people will say "You are picking on the little guys trying to start out."
Maybe. I wouldn't if this were a word processor where if something is
screwy in version 1, you can live til version 2. But this is for your
protection. Would you rather buy a gun made by Smith and Wesson or
Uncle Bob's Bullet Co.? When it comes down to protection, you don't
want any misfirings, and you must rely on reputation.
So, if you are going to buy "anti-virus" software, remember this:
+ Well-known, reputable, and experienced companies with good user
support like Central Point, Norton, etc. are preferred.
+ Out of those companies, pick the one that best suits *your* needs.
Everyone's system differs. You might love using Norton's backup
program, so you just want virus protection and not the full PCTools.
Etc., etc., etc. Look at all the software and see what you need and
want.
Myths
-----
Finally, I would like to expose some myths and misconceptions about
viruses:
"They threaten net connectivity"
--------------------------------
If by "net" you mean the Internet, this is false as far as PC and Mac
viruses go. A machine on the net that stores or relays a program does NOT
run it, and so cannot be infected by it. It would be like a friend asking
you to hold that game.exe program on your disk until he had space on his.
As long as you don't run it, you won't be hurt by just storing it. (The
one thing that has spread across the Internet on its own, the 1988
Internet worm, was a self-contained program that broke into Unix hosts
through holes in network services, not a virus riding inside other
people's programs, which is the subject here.)
Another thing to remember is that most viruses are for personal computers
and most machines on the Internet are NOT personal computers, so the
viruses won't affect them anyhow.
The only role that the Internet plays in virus propagation (the spreading
of viruses) is that if someone gets a program from the Internet for his PC
and runs it, he might get infected. But remember that you could also get
infected by getting a program from a friend. The Internet, therefore, is
not threatened by, nor the cause of, virus contamination.
However, if by "net" you mean the LAN at work, then this is true. A lot
of viruses spread rapidly through LAN networks, so if one machine gets
infected, all of them can. This is because all the personal computers
on the LAN run the same programs. Again, the cause here is the running
of the program by computers on the net. Internet computers generally
do not run the programs that contain viruses.
If some idiot says that their Internet connection should be severed due
to virus propagation, that would be like saying we should shut down Lake
Shore Drive in Chicago since a bank robber might drive down it to get
away. Sure it provides a path for viruses (bank robbers), but 99% of
the time it is providing a path for legitimate purposes (law abiding
citizens).
"BBS's are the major cause of virus spreading"
----------------------------------------------
FALSE FALSE FALSE!! The major cause of virus spreading is LAN's and
also copying from friends. BBS's merely store programs that you can copy
and most people who run BBS's try and make sure none of them have viruses.
A BBS is just copying from a friend over a modem. BBS's do not need to
be shut down or restricted because of viruses. It is up to *you* to
protect yourself from *any* program contamination no matter where
you copy the program from (i.e., a friend or BBS).
Some of you may have heard of Virus Exchange BBS's. Let me explain what
this is:
Any program ever written starts out as a "source file". This is an
ordinary text file, made with a text editor, that contains instructions
for a computer. This source file must be fed into either an "assembler" or
a "compiler" to become a program that can run. This is true whether the
program is a spreadsheet or a virus (viruses are programs, just very, very
tiny ones).
Now the source file can have all of the program in it, or just part. The
rest would be in other source files. So, for example, if you look at your
wordprocessor in two parts you might see that one thing it does is let you
type stuff in, and the other part is it lets you print things out. So
it might have 2 source files: 1) tells the computer how to let you type
things in, and 2) tells the computer how to print things out.
A virus is made up of two basic parts: an infector and a destructor (most
write-ups call these the replication code and the payload). The INFECTOR
is the part of the program which hides the virus and makes it spread. The
DESTRUCTOR is the mischief maker. This is the part that draws crazy
pictures on your screen or erases a file on you.
Now on these virus exchange BBS's, they 99% of the time just have virus
SOURCE FILES not virus programs. The source files CANNOT cause infection.
They must be fed to an assembler or a compiler first to become a program.
Remember that for a virus to become active it must be run as a program.
These BBS's do not distribute virus programs, but virus source files.
Furthermore, most of the source code for viruses on these BBS's is just
the INFECTOR part. This is what the programmers are interested in. This
is where the innovation and creativity and "wow! Nice piece of code!"
happens. The DESTRUCTOR is very basic and any idiot can do one: "del *.*".
People who run VXB's (Virus eXchange Boards) are interested in code for the
INFECTOR and the DESTRUCTOR is worthless.
In other words, they are merely giving out the blueprints and not the
bomb itself.
Some jerks argue that this in itself should be illegal. Well, another
article will deal with that, so please hold comments on this
aspect until after I have presented my position.
For right now, let me just say that in a nutshell, Virus Exchange BBS's do
NOT DIRECTLY cause infections. I think even the so-called "experts" would
agree with that.
"The first virus was written by..."
-----------------------------------
No one knows. However, if you were to ask me, I will say the first
virus was written by the first person who made copy-protection. Why?
Having the benefit of looking at both copy-protection and virus source
code, I can tell you that they do things the same way. The infector
part of the virus wants to hide itself and so does the copy-protection.
They both use the same types of methods to do so. Both also make programs
unusable if certain conditions are met. If it is a copy, the copy-protection
stops it from working properly. If it is an infected program that meets
the criteria for the destructor part of the virus to start, the virus
kicks in the destructor and does its job.
Again, please notice I am comparing the copy-protection with the infector, and
not the word processor with the destructor. The copy-protection and the
infector only differ in that the infector affects more than one program
and that the actual reason for both being there (the word-processor vs.
the destructor) are different. They both perform the same job - protection
and sustenance of the main program.
From this idea of small programs that operate to protect a piece of software
known as copy-protection sprang forth the first viruses. So next time
you buy a piece of copy protected software you know who to thank for
your screwed up harddrive ("wah! but we don't write them!" no, but
you gave them the idea and techniques! Plus, copy protection is for loser
companies that don't give decent support to registered users thereby
creating a huge incentive to register a product. Enuff said.).
Another important similarity is that the techniques for removing copy
protection from a program and removing a virus from an infected file while
retaining the file are very similar (I've done both a few times).
"We're all doomed!! It's Michelangelo!!"
----------------------------------------
Yeah, eat me. I have been using computers for about 11 years. I have
been on everything from a Timex Sinclair to a Cray. I've had things on
my system you wouldn't feed to your dog. How many times have I been
infected by a virus? ZERO
I deal with over 100 computer-related people per day (I'm a graduate
student in Computer Science). Here is what contact I've had with virus
infection:
When I was an undergrad at the University of Illinois at Champaign-Urbana
(I started out in Electrical Engineering), the Mac labs got infected by
a virus. Rumor has it that it was caused by someone using an infected
copy of MacPlaymate (an X-rated video game for Macs) on one of the computers.
Last year, the PC-LAN at Loyola University of Chicago was slightly infected
by Michelangelo, and one of the professors' PCs caught it because a student
handed in his infected programming assignment (it got infected because he
wrote it on the LAN). So, everyone who handed in their program got infected
if they reran the program when it was returned. Like 2 more people got
infected this way.
A friend of mine got infected by using an infected copy of a pirated video
game (serves him right hehehe!).
So, for someone who uses a computer every day and knows mostly computer
people, I have personally known 4 people and 2 sites that were infected
by viruses, and this is over 11 years.
Total damage? Not much. Nothing Anti-Virus and equivalent type software
couldn't fix and a quick restore from some backups.
So next time they yell "The sky is falling," tell them to line their
pockets somewhere else. You should protect yourself, but it's not the
end of the world.
In fact the only time my harddrive got erased on accident was when I was
installing OS/2. It was my fault for not reading the directions. Oops!
"They endanger National Security and the military!"
---------------------------------------------------
Hahahahahahaha! All I have to say is that most viruses (like 99.9%)
attack only personal computers, and any military or government that depends
on personal computers for national security and weaponry has more problems
than viruses. And furthermore, what are they doing letting missile officers
run MacPlaymate on the missile control computer anyhow?
Conclusion
----------
I just hope I made this virus thing clearer. This is not based
on any virus "expertise" I have, just a thorough knowledge of
computers and my experience with them (which is extensive). I am not a
"virus expert" nor am I a virus author. But next time someone tries to
scare you or calls themselves a "virus professional" call them an idiot.
Just use common sense, make backups, and maybe get a piece of software from
a good company. No one is "out to get you". Most of the virus authors
are teenagers and are actually nice guys who just like to write intricate
programs -- they don't even spread them around! PHALCON/SKISM is a good
example. They don't even want to format a hard drive, just have a little
fun programming. Once in a while one of their "projects" might get out
of hand, but they're not there to make your life miserable. Sure I'd be
pissed at em if Flight Simulator got infected, but no biggie. Just clean
up and reinstall. Don't blame someone else if you don't make backups.
So have phun, and: "Don't worry; be happy!"
P.S. Sara(h) Gordon: Your rebuttal to Phrack touched me. Right about...
...there.
NOT!
(thanks Sarlo)
Tiny Bibliography
-----------------
40HEX - the Journal of viruses published by PHALCON/SKISM. Contains
new viruses by P/S and a lot of source code. Great reading for
programmers, virus authors, and copy-protection people. I've used some
of their disk access tricks for utilities I've written for my 386
system that bypass the device drivers. They also provide an excellent
and professional analysis of virus code with commented source code
from time to time. Tells ya how the varmints really tick. 4 stars!
(When's the next issue, guys?!?)
Hell Pit BBS - Of Sara(h) Gordon fame. If you want to see what a
Virus Exchange BBS is like and why all the screaming, bitching, and whining
that Sara(h) and the other people who call themselves "anti-virus"
people is for nothing, give it a call. Just don't run anything you download.
Most of it is source code, anyhow. Some of it is Sara(h) Gordon's source code.
I wonder if ACM would approve of her "research" in virus propagation?
I hope Hell Pit is still up. Sarah(s) crap caused Kato a lot of trouble
including making people think it was a Fed sting operation (lie).
Various hacker nets - like DarkStar, CyberCrime, etc. A lot
of virus authors can be contacted on these FidoNet type BBS's. Most of
them will answer any question about viruses you have unless you get
too specific like "Duh, what did you write?" or too idiotic like
"Viruses are terrible! Look at what Michelangelo did!" (not much).
That's just a start, but if you're curious about what viruses really are,
don't ask those "anti-virus" goobers, ask the authors.
Downloaded From P-80 International Information Systems 304-744-2253