home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.241
< prev
next >
Wrap
Text File
|
1995-01-03
|
26KB
|
539 lines
VIRUS-L Digest Thursday, 16 Nov 1989 Volume 2 : Issue 241
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk
Today's Topics:
Re: Identify Ashar Virus (PC)
VACSINA contains update facility (PC)
New viruses - 867 and 648 (PC)
Any quantitative studies of computer virus epidemiology
80386 and viruses (PC & UNIX)
Known PC Virus List
Signature Programs
XTREE virus clarification... (PC)
Re: Sophisticated Viruses
---------------------------------------------------------------------------
Date: 15 Nov 89 15:59:59 +0000
From: kelly@uts.amdahl.com (Kelly Goen)
Subject: Re: Identify Ashar Virus (PC)
Now at least I hear the case being correctly stated... and I will say
it myself...in the Antiviral industry(sic) there has been a distinct
lack of quality control of most popular nostrums......while small bugs
may not shake up the experienced bugs do INDEED cause the less
computer literate to really wonder about running this or that vendors
product on their system...(what with tales of FAT and primary format
wiping running rampant over the net ....... VENDORS do you hear me???
dave is stating a very salient point... I do hope someone is indeed
listening...
cheers
kelly
p.s. Hi dave!!
Kelly Goen
CSS Inc.
DISCLAIMER: I Dont represent Amdahl Corp or Onsite consulting. Any
statements ,opinions or additional data are solely my opinion and mine
alone...
Seen in alt.sex recently "SEX is FUN, Thats why there are so many of us!!"
My Opinion: Sex between Consenting Computers leads to Social Data Diseases!
------------------------------
Date: Tue, 14 Nov 89 21:57:05 -0500
From: Christoph Fischer <RY15%DKAUNI11.BITNET@IBM1.CC.Lehigh.Edu>
Subject: VACSINA contains update facility (PC)
Hi,
we just completed our virus catalog entry for the VACSINA virus and
checked with some friends. One of them: David M. Chess pointed out
that we overlooked a fact. Well it is a very important fact: VACSINA
contains an update facility. The last 4 bytes of an infected file
contain F4 7A 05 00. The F4 7A is the VACSINA id and 05 00 is the
version number ( lo byte first ) so we have version 0005 of VACSINA.
If the virus finds anything less than 0005 it will reconstruct the
original file and then it will infect with the new version of VACSINA.
Now we understand why the author left so much space in the head of the
virus. Also the 3 byte used for the 'VACSINA-TSR is in memory' flag
contain a 05 so future versions of VACSINA will know if an older
version of VACSINA installed its TSR.
If anybody has virus infected files that show F4 7A 06 00 or higher please
post a note.
Thanks to David again!
Chris
*****************************************************************
* Torsten Boerstler and Christoph Fischer and Rainer Stober *
* Micro-BIT Virus Team / University of Karlsruhe / West-Germany *
* D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067 *
* E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET *
*****************************************************************
------------------------------
Date: 15 Nov 89 00:00:00 +0000
From: David.M..Chess.CHESS@YKTVMV
Subject: New viruses - 867 and 648 (PC)
I've been looking through a couple of new PC viruses (thanks
to John M. and Fridrik S. for the samples), and thought I'd
write down a couple of things:
- The 867-long COM-infector that only infects on even-numbered
days and sometimes messes up one's typing has been called
"Typo" and "Fumble" here. To either add to or subtract
from the confusion, I'd suggest calling it the "867" until
a good reason not to comes along...
- The 648-long COM-infector that Alan Roberts reported above
is in fact Vienna-derived. It's functionally identical
to the Vienna, except that it overwrites the occasional
victim with "@AIDS" instead of the Vienna's 5-byte reboot
program. The code has been messed with considerably; the
author seems to have taken a sample of the Vienna, and
asked, for every instruction, "how can I change this to
do exactly the same thing using a different set of bytes?".
In many places the code is identical; in others, it has
been tightened up, or expanded with NOOPS, or tiny and
non-functional changes in register usage have been made.
The perpetrator was clearly interested in fooling any
virus scanner looking for Vienna identification strings
(to use Joe Hirst's phrase).
DC
------------------------------
Date: 16 Nov 89 00:20:32 +0000
From: pz@apple.com (Peter Zukoski)
Subject: Any quantitative studies of computer virus epidemiology out there?
Hi -
I recently received a request from Richard Dawkins (A zoology
professor at Cambridge, author of the "Blind Watchmaker" which is a
summary of Darwinian evolution, and the software which helps one
understand the power of slight mutations coupled with huge numbers of
generations.) for information about computer viruses. Following is his
request. He doesn't have access to the interNet, so please send any
responses to me, even if this prompts a discussion in this group, as I
don't normally read it and wouldn't want to miss anything pertinent.
Please mention/send any past discussion of these issues which you
might have lying about as well.
Thanks
"Do what you want -- you will anyway."
peterz
pz@apple.com
Bell: 408-974-2920
Snail: Apple Computer 20525 Mariani MS/76-3C Cupertino, CA 95014
- ----------
My interest is as follows:
I want to develop a 3-way analogy between 'real' viruses, computer
viruses, andviruses of the mind. To give the idea, I'm pasting in the
following draftproposal for a BBC television program that nearly
appeared with me as Presenter(in the end the project was shelved, but
I now want to pursue the idea further anyway).
"PROPOSAL FOR TV PROGRAM: VIRUSES OF THE MIND
Three kinds of virus. In all three cases there is information-handling
machinery as a sitting target for parasitic self-replicating information or
'viruses'.
1. 'Real' viruses, made of DNA or RNA. They are almost pure
information, digital information just like in computers. They use the
reading and translating machinery provided by hosts. Build up a picture
of host cellular machinery as a sitting target for viruses, rather like a
room full of information-handling equipment - xeroxes, teleprinters,
computers and so on. The machinery is all there, vulnerable to being
exploited. It is good at handling DNA, almost eager to handle DNA, copy
it, splice it in, decode it, build the proteins specified by the DNA code.
Viral information is like a computer program whose only real purpose is
to make copies of itself. The protein jacket etc is just the apparatus
needed to propagate copies of the information specifying it. Actually,
that is true of all living bodies too (the central message of The
Selfish Gene and The Extended Phenotype), but it is particularly stark
for viruses. And the special point about viruses is that they use other organi
sms' handling machinery. Viruses are propagated through the air
(common cold), through saliva (rabies) or other bodily fluids (AIDS).
2. Computer viruses. These are computer programs, written by
malicious individuals, whose essential purpose is simply to make copies of
themselves. They may also, like 'real' viruses, have deleterious effects
upon the host. For instance some viruses delete files at random from the
hard disc. Once again we have the same picture of information-handling
machinery as a sitting target for parasitic information. Computers are so
good at handling information, so powerful at doing what programs tell
them to do, that they are, in a sense, asking for trouble, asking to be the
victim of malicious, self-replicating information. Computer viruses are
propagated by borrowed or pirated floppy discs, over e-mail networks
and so on. Unknown before 1980s, they are now alarmingly common.
My own hard disc picked up an infection last year and it was a sinister and
eerie sensation.
3. Mind viruses. Human minds, too, consist of sophisticated
information-processing machinery, like computers and like the
DNA-processing machinery of cells. Once again, because of its normal
information-processing functions, it is a sitting target for 'viruses'; it
is vulnerable to being invaded and taken over by malicious self-copying
programs. In this case they propagate themselves via word of mouth,
print, television etc. I think the best examples (in the sense of most
strongly resembling the other kinds of virus) are to be found in religion,
especially the kinds of fundamentalist religion that have become so
prominent in the 80s. People actually use the word 'possessed' for the
state of being taken over by one of these influences. I suspect that we
could actually find film of people in religious trances whose behaviour
would strongly resemble the behaviour of people mentally ill with a brain
virus. Even if not literally the same, I think that the analogy between
the three kinds of virus could be put across convincingly, emphasizing
especially fundamentalist faith as an infectious disease of the mind. My
own experience of getting letters from religious people (especially in
Northern Ireland) after my article in Daily Telegraph forcibly made me
think of the behaviour of computers infected by a virus. In particular,
there is the weird phenomenon of quoting scriptural verses. These people
had read my article, so ought to realise that I'd be unmoved by biblical
quotations. Yet their own mind is so taken over by the 'operating system'
that is programmed to accept every word of the bible that they cannot
conceive of another mind not instantly succumbing to the same thing."
So, I'm really after any studies of the details of how computer viruses
spread that lend support to the thesis described in the above proposal.
Best wishes
Richard
- -----------------------
Thanks
------------------------------
Date: Tue, 14 Nov 89 17:05:05 -0600
From: Peter da Silva <peter%ficc@uunet.UU.NET>
Subject: 80386 and viruses (PC & UNIX)
> The isolation hardware in the I386 makes it possible to construct a
> contained execution environment... Such an environment would be a
> useful place to test untrusted programs.
> Has anyone constructed such an environment?
Yes.
It's called "Merge 386" or "Vp/IX".
`-_-' Peter da Silva, Xenix Support. R2419 X5180
'U` "Have you hugged your wolf today?"
[Ed. These products, by the way, are DOS emulation boxes for i386
based UNIX and XENIX products.]
------------------------------
Date: Wed, 15 Nov 89 12:53:57 -0800
From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM
Subject: Known PC Virus List
The following list was put together by John McAfee. The naming
conventions follow the ViruScan conventions. Many thanks to David Chess
for the concept for the list's format.
VIRUS CHARACTERISTICS LIST
Copyright 1989, McAfee Associates
408 988 3832
The following list outlines the critical characteristics of the known
IBM PC and compatible viruses. Comments and suggestions welcomed.
==========================================================================]
Infects Fixed Disk Partition Table-------------+
Infects Fixed Disk Boot Sector---------------+ |
Infects Floppy Diskette Boot --------------+ | |
Infects Overlay Files--------------------+ | | |
Infects EXE Files----------------------+ | | | |
Infects COM files--------------------+ | | | | |
Infects COMMAND.COM----------------+ | | | | | |
Virus Remains Resident-----------+ | | | | | | |
Virus Uses Self-Encryption-----+ | | | | | | | |
| | | | | | | | |
| | | | | | | | | Increase in
| | | | | | | | | Infected
| | | | | | | | | Program's
| | | | | | | | | Size
| | | | | | | | | |
| | | | | | | | | |
Virus V V V V V V V V V V Damage
- --------------------------------------------------------------------------
Do-Nothing . . . x . . . . . 608 p
Sunday . x . x x x . . . 1636 O,P
Lisbon . . . x . . . . . 648 P
Typo/Fumble . x . x . . . . . 867 O,P
Dbase . x . x . . . . . 1864 D,O,P
Ghost Boot Version . x . . . . x x . N/A B,O
Ghost COM Version . . . x . . . . . 2351 B,P
New Jerusalem . x . x x x . . . 1808 O,P
Alabama . x . . x . . . . 1560 O,P,L
Yankee Doodle . x . x x . . . . 2885 O,P
2930 . x . x x . . . . 2930 P
Ashar . x . . . . x . . N/A B
AIDS . . . x . . . . . Overwrites Program
Disk Killer . x . . . . x x . N/A B,O,P,D,F
1536/Zero Bug . x . x . . . . . 1536 O,P
MIX1 . x . . x . . . . 1618 O,P
Dark Avenger . x x x x x . . . 1800 O,P,L
3551/Syslock x . . x x . . . . 3551 P,D
VACSINA . x . x x x . . . 1206 O,P
Ohio . x . . . . x . . N/A B
Typo (Boot Virus) . x . . . . x x . N/A O,B
Swap/Israeli Boot . x . . . . x . . N/A B
1514/Datacrime II x . . x x . . . . 1514 P,F
Icelandic II . x . . x . . . . 661 O,P
Pentagon . . . . . . x . . N/A B
3066/Traceback . x . x x . . . . 3066 P
1168/Datacrime-B x . . x . . . . . 1168 P,F
Icelandic . x . . x . . . . 642 O,P
Saratoga . x . . x . . . . 632 O,P
405 . . . x . . . . . Overwrites Program
1704 Format x x . x . . . . . 1704 O,P,F
Fu Manchu . x . x x x . . . 2086 O,P
1280/Datacrime x . . x . . . . . 1280 P,F
1701/Cascade x x . x . . . . . 1701 O,P
1704/CASCADE-B x x . x . . . . . 1704 O,P
Stoned/Marijuana . x . . . . x . x N/A O,B,L
1704/CASCADE x x . x . . . . . 1704 O,P
Ping Pong-B . x . . . . x x . N/A O,B
Den Zuk . x . . . . x . . N/A O,B
Ping Pong . x . . . . x . . N/A O,B
Vienna-B . . . x . . . . . 648 P
Lehigh . x x . . . . . . Overwrites P,F
Vienna/648 . . . x . . . . . 648 P
Jerusalem-B . x . x x x . . . 1808 O,P
Yale/Alameda . x . . . . x . . N/A B
Friday 13th COM Virus . . . x . . . . . 512 P
Jerusalem . x . x x x . . . 1808 O,P
SURIV03 . x . x x x . . . O,P
SURIV02 . x . . x . . . . 1488 O,P
SURIV01 . x . x . . . . . 897 O,P
Pakistani Brain . x . . . . x . . N/A B
Legend:
Damage Fields - B - Corrupts or overwrites Boot Sector
O - Affects system run-time operation
P - Corrupts program or overlay files
D - Corrupts data files
F - Formats or erases all/part of disk
L - Directly or indirectly corrupts file linkage
Size Increase - The length, in bytes, by which an infected
program or overlay file will increase
Characteristics - x - Yes
. - No
------------------------------
Date: 16 Nov 89 01:02:36 -0500
From: Bob Bosen <71435.1777@CompuServe.COM>
Subject: Signature Programs
As a member of the American National Standards Institute's (ANSI) X9E9
working group and an active participant in standards activities
regarding computer security and authentication, I have been reading
the various comments on "Checksum" programs with a lot of interest
ever since this forum became accessible to me about 2 weeks ago. If
the comments which follow are way off-base, please forgive my newness
to the forum; perhaps these things have been discussed in the less
recent past....
I've been surprised at the lack of content regarding sophisticated
authentication algorithms. In this forum of late,I've been reading
about checksums and CRCs but I haven't heard any mention of ANSI X9.9
or ISO 8731-2, which are both extremely relevant standards. Both of
these authentication algorithms have served the international banking
community well, having been used for years to secure billions of
dollars worth of daily wire-funds transfers without a single verified
case of compromise.
Checksum programs work by attempting to "authenticate" a program or
file by calculating a number, based upon the content of the file. That
number serves as a digital "signature" reflecting the exact status of
the file at the moment when the calculation was made. Unfortunately,
authentication in hostile environments is not a trivial subject, and
has been shown to be susceptible to forgery and compromise.
Furthermore, as Paul Kerchen and Y. Radai have recently commented,
very serious attention must be paid to exactly where the signatures
(and any component parts critical to their calculation) are stored.
In my opinion, if properly implemented, signature programs have the
potential for being much more useful than "scanners" (or any other
known anti-viral technique) in most instances, since they don't
require any foreknowledge about the viruses which may attack in the
future.
Relying on simplistic algorithms to calculate these signatures suffers
from an obvious disadvantage: Future viruses can compensate for the
way the signature is calculated, or forge signatures that appear to be
valid. Relying on supposedly "secret, proprietary" algorithms is very
risky: the annals of cryptography are littered with the bones of
algorithms that couldn't withstand the scrutiny of dedicated
adversaries. If the history of algorithmic research can teach us
anything, it is that we shouldn't trust any cryptographic algorithms
unless they've been examined by a very large population of experts.
There is a developing science of "authentication technology" that is
revealing important facts about the kinds of algorithms that can be
relied upon to resist the scrutiny of adversaries. It's amazing how
many people are unaware of these things, and it's DANGEROUS to base
virus detection products on insecure algorithms. As this knowledge
grows and becomes more easily available to the people that write
viruses, commercial vendors of virus detection programs will be forced
to learn about this stuff the hard way.
The American Bankers Association, in cooperation with the American
National Standards Institute, (with representation from NSA, NIST,
Federal Reserve, the Vendor community, etc.) and the International
Standards Organization have endorsed standardized ways of calculating
digital signatures. There are powerful ways of using these respected,
standardized algorithms in the reliable detection of viral
contamination. It's complex and expensive to put together a practical
implementation, but once it's done it can provide a very reliable
first line of defense that won't need 49 different revisions per year
to keep up with identified threats.
By the way, for those of you that are wondering if performance will
suffer, the answer is that it need NOT suffer. Certainly,
unsophisticated implementations might turn out to be abysmally slow,
but it is quite possible and practical, with careful design and
implementation, to adapt combinations of these standards to the IBM PC
world, for example, in a way that users hardly notice. Practical
defenses based on ANSI X9.9, for example, can now authenticate a 100K
file in 3.2 seconds on an IBM "AT"-class machine running at 10 Mhz
without any extra hardware or fancy disk drives. This is best done by
applying a judicious combination of DES encryption with CRC techniques
on a random sampling of file contents, rippling the cryptographic
residue through the entire calculation with a technique that crypto
people call "cipher-block chaining". Furthermore, files don't need to
be checked every single time they are used, so these modest delays
need not occur more than a few times per month per file.
While I'm rambling on, I can't resist the urge to comment on a related
subject. Paul Kerchen writes:
> where does one store these checksums and their keys? if they
> are stored on disk, they are vulnerable to attack....
and Y. Radai comments on "static" versus "dynamic" invocation of
signature calculation, leading to discussion of the various advantages
and disadvantages of storing keys and signatures (and maybe even
protection logic) on an active hard disk versus off-line storage on a
diskette.
In my experience, all of these viewpoints have advantages and
disadvantages, and a sophisticated defense must allow users to pick
and choose from all of these techniques according to his own needs. A
heirarchy of interlocking defenses must be put together, with "dialy"
or "dynamic" (continuous but random) checks acting as the first line
of defense based on an active hard disk, and with periodic (weekly or
monthly) off-line checks based on a "sterile kernel" stored on a
bootable diskette that's kept locked up when not in use. In essence,
the monthly checkup from the sterile kernel checks up on the defenses
that've been exposed to viruses in the "dirty" world....
So how 'bout it? Anybody against using respected industry standard
authentication algorithms? Anybody got a better idea?
(By the way, my comments should not be construed to represent any
official viewpoints of the American National Standards Institute. I'm
just a member of the working group....)
Bob Bosen
Vice President
Enigma Logic, Inc.
2151 Salvio Street #301
Concord, CA 94565
Tel: (415) 827-5707
Internet: 71435.1777@COMPUSERVE.COM
------------------------------
Date: 15 Nov 89 05:46:55 +0000
From: Bill.Weston@f12.n376.z1.FIDONET.ORG (Bill Weston)
Subject: XTREE virus clarification... (PC)
Just goes to show what I get for typing before reading.. (I should
have recognized the "Stoned" virus...
XTREE.EXE *MAY* be a vector, however a more likely candidate is a,
pirated I suspect, version of Norton Utilities. (I guess he got what
he paid for..) Like I said, he is very new to the MS-DOS community
and really did not know the Norton Utils from Sub-Hunter...
We sterilized his drive and isolated the infected disks. However, I
would still like to know if anyone has a "CURE" program for it..
Bill Weston == ...!usceast!uscacm!12!Bill.Weston
------------------------------
Date: 15 Nov 89 02:21:24 +0000
From: ttidca.TTI.COM!hollombe%sdcsvax@ucsd.edu (The Polymath)
Subject: Re: Sophisticated Viruses
krvw@SEI.CMU.EDU (Kenneth R. van Wyk) writes:
}WHMurray@DOCKMASTER.ARPA writes:
}
}>> ...in part because writing a virus that no one notices is not any
}>> fun. If no one notices, then it is not possible to know about
}>> propagation or survival. What fun is that?
}
}There's an important distinction to be made here - detection during
}propagation vs. detection after (presumably) successful propagation.
}A virus could well attempt to conceal its existence while propagating,
}and then do quite the opposite (!) during a destructive phase. No one
}would notice until it would be too late.
Here's another scary thought. All the viruses I've heard of so far
appear to be the work of malicious amateurs. I can think of
motivations that might inspire a professional:
An unfriendly government wants to cause dislocation in the United
States. It commissions a difficult to detect virus that spends 5
years propagating, then wipes the hard disks of every machine it's
on, without warning or explanation.
A spy puts out a sophisticated virus that does no damage. It just
looks for modems on serial ports and sends what looks like sensitive
information to a central collection point. (What sort of information?
How about comm program macro files containing account IDs and
passwords?)
I'm sure you can think of other scenarios. So can "they", whoever
"they" are.
The Polymath (aka: Jerry Hollombe, hollombe@ttidca.tti.com) Illegitimis non
Citicorp(+)TTI Carborundum
3100 Ocean Park Blvd. (213) 452-9191, x2483
Santa Monica, CA 90405 {csun|philabs|psivax}!ttidca!hollombe
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253