Date: 02 Nov 1992 16:07:19 -0500 (EST)
From: Guido Sanchez<guido@nunbeaters.anon.com>
Subject: File 1--Response to the Virus Discussion
I've some qualms about this article. It seems that The Dark Adept is,
while trying to clear up some common misconceptions, contributing to
the ignorance of the computer community at large. Perhaps this was his
goal in writing this article, I really don't know. As a writer of
viruses and a pillar of spam in the virus writing community <inside
joke, really>, I'd like to clear up some misconceptions on the points
raised by The Dark Adept.
Let's start off with his definition of viruses..
> What is a virus?
> ++++++++++++++++
> A virus is a tiny program that attaches itself to other programs. It does
> in fact operate as a biological virus does. It finds a victim program and
> infects it with a copy of itself. Then when the victim program is
> unsuspectingly run, the virus now inside it is activated. At this point,
> it can do one of two things: infect another program, or cause mischief.
This is innocent enough, but not altogether true. A virus doesn't
always attach itself to another program. If they merely did that, they
would be NoWhere <another inside joke.. I'd better watch myself> near
as virulent as the anti-viral community would like John Q. Netrunner
to believe. The only efficient way that we <viral community> are going
to get our stuff to spread <assuming that we even want that> is to
utilize the boot sector of a diskette to contain virulent code. Not
file infectors, but actual disk infectors. Once this diskette goes
into another computer, that system has a much higher risk than if a
mere infected program were to be run. Another array of misleading
points being:
> How do people catch viruses?
> ++++++++++++++++++++++++++++
> Yikes! Here's where all the rumors are! You cannot get a virus from a modem,
> a printer, a CRT, etc. Viruses only come from other programs. So, whenever
^^^^^^^^^^^^^^^^^^^
Wrong, as I said before
> you add a program to your hard disk or run one off of a floppy, you stand
> a chance of catching a virus. Data files (files that are not programs, like
> text for your wordprocessor) cannot contain viruses. Only programs can
> contain viruses. On IBM PC's, programs usually end in ".exe" or ".com" and
> are the files that you run. The programs are the only ones that can contain
> viruses.
Also overlooking the .SYS, .OVL, and .APP files to name a few which
can be infected by file infectors. The data files, true, cannot
contribute to the spread of a virus, but they might be corrupted or
overwritten with the virus signatures depending on the type of virus.
> The only way to activate the virus is to run the program. Say for example
> you got a new program called "game.exe". You put it on your hard drive,
> but you never run it (i.e., you never tried it). Even if game.exe has a virus
> in it, you WILL NOT catch it. The program has to be run at least once to make
> the virus active.
Wrong again, re the boot sector argument.
> Another thing is batch files. These are files on IBM PC's that end in ".bat".
> These DO NOT contain viruses. However, .bat files run other programs. So
> if the .bat file runs a program that has a virus, the virus WILL be activated.
> The cause is NOT the .bat file, but the program that was run BY the .bat
> file.
This is part fact, part ignorance. On Vx <Virus Exchange> BBSs, there
have been seen batch file viruses. That is a batch file which, when
run, would use the debug program and insert viral code into memory,
subsequently executing it. In this case and others, the cause is both
the .BAT file and the DEBUG.EXE program.
> What do viruses do?
> +++++++++++++++++++
> Well, a number of things. Some erase your disks. Others print silly
> messages to your screen. In any case, a virus is not written like other
> programs are. It uses things that other programs normally don't. If your
> computer is infected by a virus, whenever you turn on the machine that
> virus is in the memory, and even if all it does is print "I want a cookie,"
> it can still interfere with other programs since they don't expect it to
> be there.
Supposedly, there are some viruses and trojans <trojan horses being
merely programs which do something they aren't supposed to do, usually
destructive, but still not being able to replicate like viruses do>
which can cause physical damage to hardware. Example, the HEADKILL
Trojan which supposedly ruins the head of the victim hard drive <I ran
this trojan on a 1.2meg 5.25" disk, it registers as invalid media
now>. Some viruses could overwrite the disk as to not be recognizable
as a DOS compatible disk at all. Taking advantage of a user's
ignorance, the STIFFY virus uses the Media Descriptor Table to
re-define A: to an 8 inch disk drive no matter what it previously was.
It intercepts COMMAND.COM's error message and prints a phallic insult,
and obviously the acceptable format could not be used, causing massive
efforts towards retrieving the 'lost' drive. The TURKEY virus
supposedly alters cathode ray dispersion to 'melt' the monitor. Point
being that there ARE some annoying little buggers out there, not all
of them mere data corruptors or spreaders.
> Tell me more about these things...
> ++++++++++++++++++++++++++++++++++
> Ok. Viruses can only be made for specific machines. By this I mean
> that a virus that infects IBM PC's will NOT be able to infect Macs.
> There may be a tiny tiny chance if your Mac is running something like
> an IBM Emulator that a virus may cause problems, but in general, if
> you have a non-IBM compatible computer, and you can't run IBM
> software, then you can't catch IBM viruses and vice-versa.
BIG misconception there, buddy. The SHIBOLETH virus, for example,
executes MAC code to test for machine type. If there is no error, it
runs the MAC section of the viral code. If so, it runs the IBM section
of the code. It's rather clumsy, but it DOES withstand transferral to
MAC from IBM and back.
> + It might miss some or give you false results, so don't rely on it
> completely.
You MIGHT say that. It takes maybe 4 seconds to render a virus
unscannable by McAfee's or Norton. Simply putting in a small NoWhere
loop <meaning point A's instructions are to loop back to point A for
an amount of time> or using an executable compression program <eg
PKLITE, LZEXE, DIET> and removing the header will usually get the
virus through scanners. What about the boot sector infectors mentioned
above? Usually on Vx BBSs a dropper program is given out that will
'drop' the virus into the boot sector of the designated drive. Yes,
they're THAT user friendly :).
> +++Detectors+++
> +++++++++++++++
> What the detectors do is watch for virus activity. For example, some
> viruses try and erase your hard disk. What a detector does is sit in
> the background and watches for an illegal or abnormal attempt to do
> something to the hard disk. Then all sorts of alarms and bells go off
> ("Warning Will Robinson! Warning!") and the detector tries to stop
> the virus from doing it. Some will also ask you if you want to allow
> whatever action is taking place since you might actually be trying to
> format your hard disk.
This is PARTLY true. What these memory resident things do is keep an
eye on specific DOS interrupts and notify the user if a certain
interrupt function is being attempted. More often than not these are
the interrupts 13h and 21h. Such memory resident alarms can be easily
disabled by handling the error quietly or grabbing the interrupt
before the memory resident alarm does.
> You must know that the detector only checks program files. It would be a
> real pain if every time you changed your term paper the detector went off.
> However, this is not a weakness since only program files can contain
> the viruses.
Again, partly true. Integrity Master v1.23 by Wolfgang Stiller keeps
track of the CRCs of all files and stores them in files called ID.)(
<or something to that extent>. Changing the values in these files or
removing them altogether is a common virus technique.
> However, since I took a shot at McAfee, I must also state this: I have
> known people to use McAfee's software and be 100% satisfied with no
> complaints. They like McAfee's software and continue to use it. It
> works for them and meets their needs. I hate both McAfee and his software,
> and I refuse to use it ever, so you must decide for yourself.
Oh, leave John alone :). The least I can say is at least his product
is free <Central Point is supposed to be bought> to the public. I
myself prefer Fridrik Skulason's F-PROT program. Not only does it
check for more than one virus signature, the heuristic scan is
formidable to viruses. It checks for viral-like code, not signatures.
It's just one step closer to having a scanner disassemble the program.
> "BBS's are the major cause of virus spreading"
> ++++++++++++++++++++++++++++++++++++++++++++++
> FALSE FALSE FALSE!! The major cause of virus spreading is LAN's and
> also copying from friends. BBS's merely store programs that you can copy
> and most people who run BBS's try and make sure none of them have viruses.
> A BBS is just copying from a friend over a modem. BBS's do not need to
> be shut down or restricted because of viruses. It is up to *you* to
> protect yourself from *any* program contamination no matter where
> you copy the program from (i.e., a friend or BBS).
Well, I do acknowledge that the threat BBSs pose to virulence is
minimal, but only because 99% of the time only executable viruses are
downloaded and inadvertently run. It's not often an unsuspecting user
downloads a 900k TD0 file and gets infected :). Point being that
virulence in executable files is minimal compared to that of boot
sectors, hence the BBSs' ineffectiveness.
> Some of you may have heard of Virus Exchange BBS's. Let me explain what
> this is:
>
> (etc...)
>
> Now on these virus exchange BBS's, they 99% of the time just have virus
> SOURCE FILES not virus programs. The source files CANNOT cause infection.
> They must be fed to an assembler or a compiler first to become a program.
> Remember that for a virus to become active it must be run as a program.
> These BBS's do not distribute virus programs, but virus source files.
When is the last time you've been on a Vx BBS? I would say that 99% of
them possess and strive for the executables, and couldn't care less
about the sources. The reason being that Vx sysops usually just care
about the power and prestige of having 100+ viruses. Rarely do they
actually run the viruses to see if they are. Point being <yes, again>
the WHORE! virus, a copy of COMMAND.COM renamed to show how
inefficient Vx sysops are at checking the authenticity of their files.
They're similar to pirate BBSs in a way, only caring about having the
viruses and most of the time not using them. The average pirate BBS
will have the latest releases and they'll be downloaded, etc, but
maybe 5% of the people downloading will actually use the programs.
Viruses are like this. They are usually just a commodity, and only the
small 1% <the virally elite, as Quayle would say> care about the
source and validity of the files.
> For right now, let me just say that in a nutshell, Virus Exchange BBS's do
> NOT DIRECTLY cause infections. I think even the so-called "experts" would
> agree with that.
But of course! Where do you think they get THEIR viruses? :)
> "The first virus was written by..."
> +++++++++++++++++++++++++++++++++++
> No one knows. However, if you were to ask me, I will say the first
> virus was written by the first person who made copy-protection. Why?
Or cares, really. I'm sure there are those out there that know of the
COREWARS story, so I'll spare relating it here.
> "They endanger National Security and the military!"
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Hahahahahahaha! All I have to say is that most viruses (like 99.9%)
> attack only personal computers, and any military or government that depends
> on personal computers for national security and weaponry has more problems
> than viruses. And furthermore, what are they doing letting missile officers
> run MacPlaymate on the missile control computer anyhow?
Well, most govt. security installations <example : Treasury Dept> do
run LANs, and not only are they susceptible to viruses, there are
several viruses designed to seek out and foul up LAN systems. Frankly,
PCs are cheaper and more efficient than mainframes from the 80s, and
they are used in a wider scope than you'd believe.
Well, I'd say that the most likely place to find these virus authors,
in step with the end note, are echomail nets designed for virus
authors. Like..
* VX_NET - Virus Exchange NET, an up-and-coming non-partisan net. Directed
towards unity and making fun of the anti-viral community.
* Phalcon/Skism NET - The virus echos are a place for learning, and you can
contact the members on this net.
* [NuKE] Net - Another net from a virus group, get in contact with them on it.
* VIRUS_INFO on FIDO - Surprisingly enough, virus authors abound there with
fake names, contributing to confusion and getting a
good laugh at the expense of the anti-viral crew.
Interestingly enough, there's been some progression of rivalry between
the pro-viral and anti-viral communities <as the names indicate>. Way
back when, virus authors released their wares. Then, the anti-viral
communities recognized that they could either (i) be altruistic in
their ways and help their fellow man or (ii) make a quick buck off of
human suffering. They wrote anti-viral wares and organized. The virus
authors did not like this. They themselves organized and now have
become more Anti-Anti-Viral than Pro-Viral. I have no idea what
significance this progression has, and leave it to you capable readers
to determine what will happen. Yes, virus authors are in it now more
for making fun and avenging themselves of the anti-viral authors, who
in turn do the same in their programs. Etc, Etc, Etc.
So here's what I do. On my 'underground e-leet Vx' BBS, I make all
viruses and other files free on the first call. There's even a command
to download entire file bases. Meaning, if you release all of these
viruses to your users, they in turn set up BBSs and become Vx sysops
themselves. Hopefully, besides using viruses as a commodity, the
fledgling sysop will look at a few of the pro-viral utilities and some
of the source code. Perhaps the sysop will want to maybe get in on
this ASM thing and learn a thing or two, perhaps the sysop will become
a virus writer over time. Thus, like the viruses we propagate, we
propagate. We force nothing into the minds and computers of others,
it's all part of curiosity and voluntary. We help people to find their
calling <forgive me for sounding like a religious fanatic or cult
leader here..> in whatever field of modem-dom they like. I know it's
an empty desire, to want other sysops to do the same, but it's a
desire nonetheless.
In conclusion, I just wanted to clear up some things about both
viruses <yes, there are only two of them! surprise!> and the pro-viral
community. May you all find your calling and make it possible for
others to do the same, as that sysop long ago did the same, custom
made to do just that <I could not resist>.
In spirits,
Guido Sanchez
Oh yes, and if you are interested in the theory of thought viruses,
more information can be obtained on the BBS Nun-Beaters Anonymous,
708/251-5094. Thank you for your 'time'.
Downloaded From P-80 International Information Systems 304-744-2253
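A defender's take on the integrity-checker idea raised in the post (a CRC table like Integrity Master's, and the virus trick of editing or deleting that table), as an added example that is not part of the original post or of any product named in it: it records CRC32s for the wider set of program extensions the post lists and seals the table with an HMAC, so a "corrected" CRC entry is caught as tampering. The key, file names and file contents are constructed for the demo.

```python
import hashlib, hmac, json, os, pathlib, tempfile, zlib

# File infectors are not limited to .EXE/.COM; the post lists .SYS, .OVL and .APP too.
PROGRAM_EXTS = {".com", ".exe", ".sys", ".ovl", ".app"}

def crc32_of(path):
    return zlib.crc32(pathlib.Path(path).read_bytes()) & 0xFFFFFFFF

def scan_programs(root):
    """Map each program file under root (relative path) to its CRC32."""
    entries = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in PROGRAM_EXTS:
                path = os.path.join(dirpath, name)
                entries[os.path.relpath(path, root)] = crc32_of(path)
    return entries

def sign_baseline(entries, key):
    """Store the CRC table with an HMAC so edits to the table itself are detectable."""
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify(root, baseline, key):
    """Return sorted findings; an empty list means every program file matches."""
    body = json.dumps(baseline["entries"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), baseline["tag"]):
        return ["BASELINE TAMPERED"]  # the stored CRCs were edited: trust none of them
    current = scan_programs(root)
    old = baseline["entries"]
    findings = [f"MISSING {p}" for p in old if p not in current]
    findings += [f"CHANGED {p}" for p in old if p in current and current[p] != old[p]]
    findings += [f"NEW {p}" for p in current if p not in old]
    return sorted(findings)

def demo():
    """Constructed scenario: clean check, then an appended .SYS, then a forged baseline."""
    key = b"constructed-demo-key"  # keep the real key off the machine being checked
    with tempfile.TemporaryDirectory() as root:
        for name, data in {"GAME.EXE": b"MZ game", "DRIVER.SYS": b"driver", "NOTES.TXT": b"data"}.items():
            pathlib.Path(root, name).write_bytes(data)
        baseline = sign_baseline(scan_programs(root), key)
        clean = verify(root, baseline, key)
        with open(os.path.join(root, "DRIVER.SYS"), "ab") as f:
            f.write(b"<appended code>")  # what an appending file infector leaves behind
        changed = verify(root, baseline, key)
        forged = {"entries": dict(baseline["entries"]), "tag": baseline["tag"]}
        forged["entries"]["DRIVER.SYS"] = crc32_of(os.path.join(root, "DRIVER.SYS"))
        tampered = verify(root, forged, key)  # CRC "corrected" but the HMAC no longer matches
    return clean, changed, tampered
```

NOTES.TXT is never recorded, matching the post's point that data files do not carry file infectors, while DRIVER.SYS is covered even though it is neither .EXE nor .COM.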