VIRUS-L Digest Tuesday, 19 Dec 1989 Volume 2 : Issue 263
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk
Today's Topics:
Re: Use of Digital Signatures
SCAN Update for AIDS Trojan (PC)
Source for virus detection programs (PC)
WDef and Gatekeeper Aid.
New/Old(?) Possible Virus (PC)
AIDS TROJAN RESEARCH
Re: AIDS Trojan (PC)
Aids cures (PC)
---------------------------------------------------------------------------
Date: Mon, 18 Dec 89 14:20:55 +0200
From: Y. Radai <RADAI1@HBUNOS.BITNET>
Subject: Re: Use of Digital Signatures
When I submitted my contribution on Signature Programs (Issue 256) I
wouldn't have been surprised to be criticized for something I wrote,
but I hardly expected to be criticized for something I *didn't* write!
According to William Murray (#257),
> The insistence of Mr. Radai et al. that,
>since it is possible to detect and bypass any control, that all is
>futile does not stand up. ....
>It is time to stop condemning the useful out of hand. Those who insist
>upon doing so are contributing to the problem rather than the solution.
Just where, Mr. Murray, did you find in anything which I wrote, that
I "insist" that "all is futile" or that I "condemn the useful"??? I
never said anything remotely resembling these things. The point I was
making was: Security of the algorithm is not enough; what's important
is the security of the implementing program. Where's the futility in
that?
Well, maybe Mr. Murray thinks that these conclusions are somehow
implied by the position that it's possible to detect and bypass any
control. (Actually, I never said even *that*, but for sake of argument,
let's suppose that I did.) Just how is that supposed to imply
that all is futile?? My actual opinion is quite the opposite: it's
that even if we can't create a perfect checksum or other anti-viral
program, we should make an effort to think of all possible holes in
the system, and the more we block, the better. There is absolutely no
implication of futility or condemnation of the useful either here or
in my original posting. In the future, Mr. Murray, please try to read
more carefully before attributing positions to others.
There were also some peculiar claims in the paragraph following Mr.
Murray's opening line "I suspect that Y. Radai misses the point of Bob
Bosen's posting." However, I'll leave it to Bob himself to decide
which of us missed the point of his posting, Mr. Murray or me ....
Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI1@HBUNOS.BITNET
P.S. I have not been receiving Virus-L regularly for the last couple
of months. If there have been more recent (and hopefully more relevant!)
replies to my posting which call for an answer from me,
please be patient.
------------------------------
Date: Sun, 17 Dec 89 13:53:12 -0800
From: Alan_J_Roberts@cup.portal.com
Subject: SCAN Update for AIDS Trojan (PC)
Forwarded for John McAfee:
Even though the AIDS Trojan is not a true virus, the
widespread mailings of the diskette have created a high probability
that we will see continuing problems from this logic bomb.
Accordingly, I have updated SCAN (V52) to detect the installed hidden
logic bomb, and SCANRES (V52) will prevent the diskette's INSTALL
program from installing the time bomb to begin with.
John McAfee
------------------------------
Date: 18 Dec 89 15:15:41 +0000
From: attcan!ram@uunet.UU.NET (Richard Meesters)
Subject: Source for virus detection programs (PC)
Hi all,
I'm looking for a source for public-domain PC virus protection/detection
programs, preferably in the Toronto area.
If anyone has a number I can call, please respond via e-mail.
Regards,
Richard Meesters
------------------------------
Date: Mon, 18 Dec 89 12:16:09 -0500
From: "Gregory E. Gilbert" <C0195@UNIVSCVM.BITNET>
Subject: WDef and Gatekeeper Aid.
I booted some Macs with Gatekeeper Aid installed this AM. I was
immediately presented with a rather sharp looking dialog announcing
that the "Implied Loader ABDS" virus(?) was found and removed.
Is this the Wdef virus? If so, why not call it such AND what is an
"Implied Loader ABDS". Of course, if this is Wdef you can add the
University of South Carolina to the list of where the virus has
spread. If not I apologize to Chris Johnson and all subscribers for
my ignorance (it has been peaking lately!).
Greg
Postal address: Gregory E. Gilbert
Computer Services Division
University of South Carolina
Columbia, South Carolina USA 29208
(803) 777-6015
Acknowledge-To: <C0195@UNIVSCVM>
------------------------------
Date: Mon, 18 Dec 89 13:02:41 -0500
From: Arthur Gutowski <AGUTOWS@WAYNEST1.BITNET>
Subject: New/Old(?) Possible Virus (PC)
Someone here at Wayne State just sent me a note about some strange
symptoms he's been having. Can anyone out there verify if this is
indeed a virus, and if so which one? Here's the info I have
(emphasis mine):
"Here's what I know. I *believe* that a disgruntled staff member *may*
have put the virus into my computer directly since the same problem
occurred six months ago to another administrator in the library. He
had a student computer expert solve the problem, but this student is
no longer with us.
"I have an IBM XT with 640 and a 20meg hard drive. I've had SCANRES
(Ed.v39) on the system since October 11. The infection got in since
then. SCANRES says that the system is clean. I examined the AUTOEXEC
and CONFIG.SYS files. They look clean to me. Problems so far include:
WordPerfect 4.2: The cursor keys add extra random characters such as a
'z' or 'k'. I also got the message 'ARSOLE' and the system then locked
up from another cursor key sequence. DESKTOP in PCTOOLS. The
calculator locked up. I had to do a cold reboot.
"I replaced my base files with the SYS command on Friday and haven't
noticed any problems yet, but the problems that I described above are
extremely intermittent."
Please reply to me, and I'll post a follow-up later.
Thanks,
Art
Arthur J. Gutowski /=====\
Antiviral Group / Tech Support / WSU University Computing Center : o o :
5925 Woodward; Detroit MI 48202; PH#: (313) 577-0718 : :
Bitnet: AGUTOWS@WAYNEST1 Internet: AGUTOWS@WAYNEST1.BITNET : ----- :
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- \=====/
Have a day.
------------------------------
Date: Sun, 17 Dec 89 17:54:00 -0500
From: IA96000 <IA96@PACE.BITNET>
Subject: AIDS TROJAN RESEARCH
I have been asked to pass this message along to VIRUS-L and VALERT-L
by the fine people at SWE who have been hard at work researching the
AIDS problem. I pass this message along unmodified exactly as it was
received from SWE.
AIDS "TROJAN" DISK UPDATE - DECEMBER 17, 1989
First, let us say for the record that everything reported so far by
Mr. McAfee is correct. Our tests bear out the results he has obtained.
Having followed the messages and updates so far, and after conducting
extensive tests, SWE has no doubt that there is more than one version
of the "trojan" disk in circulation. In certain aspects, the two AIDS
"trojan" disks we are testing act differently. One has a counter in it
and one activates on the first re-boot!
SWE has been working 24 hours a day since we received copies of the
AIDS disks. Let me clarify that statement. We did not receive these in
the mail directly from the "trojan" authors. We received our copies
from two of our clients.
The suspicion that some form of encryption is being used is accurate.
The versions of the disks we tested check the following criteria:
1) The version of DOS in use. Both major and minor numbers are used.
The major number would be 3 and the minor number would be .30 in
DOS version 3.30.
2) The file length, date and time stamp of certain files are checked.
3) The amount of total disk space and free disk space are checked.
These three items are then combined and processed into the "initial"
encryption key.
A form of public key encryption is then used to perform the actual
encryption. This was determined by the brute force decryption method.
SWE has several 80486's and access to a VAX and they were put to work
decrypting the files. It was made easier by the fact that the original
contents of the test disk were known. One nasty little trick the AIDS
"trojan" uses is that after each file is encrypted the encryption key
is modified slightly.
Fortunately, the authors did not use a long encryption key. Files
encrypted using the public key protocol become harder to decipher as
the length of the encryption key increases. Government studies
indicate that a file encrypted using this protocol, with a 200 digit
key could take as long as ten (10) years to decrypt, if you devoted a
CRAY exclusively to the problem!
SWE first suspected and tested for the public key encryption method
for several reasons. The major reason was the lack of access people
outside of the United States would have to the DES encryption formula.
For those not aware, the U.S. Government guards the DES formula, and
software which makes use of this formula may not be exported out of
the United States. Should it turn out that the DES formula was also
used, the authors of the AIDS "trojan" could possibly be prosecuted
under United States statutes pertaining to national security.
The second reason deals with the DES encryption method. Students of
cryptology are well aware that the DES formula has been considered
vulnerable for some time now. It is also a well known fact that DES
specific processors have been produced, which make "cracking" a DES
encrypted file much easier than the public key method. The DES method
also limits to a greater degree the length of the encryption key.
Combining these two reasons along with the extraordinary expense the
authors of the AIDS "trojan" went to, we guessed that they would also
use a "first class" encryption method.
It also makes sense from another point of view. Since the "trojan"
authors have gone to great care and expense, it seems prudent they
would not want to use an encryption method which could easily be
copied and distributed as a "master" cure all. Public key encryption
is perfect in this regard. Many different versions of DOS are now
in use, and depending upon the version of DOS in use and other factors
the "trojan" checks for, the decryption methods which must be used
will vary for different "trashed" disks.
This is not to say that other copies of the AIDS "trojan" will use
this same encryption method, or create the encryption keys in the same
manner. That is yet to be determined!
Once we were able to decipher one file, it was a relatively simple
matter to decipher the rest. We have been able to completely restore a
disk trashed by the version of AIDS "trojan".
SWE went about this research in a different manner than everyone else.
We have not reverse engineered the "trojans" to any great extent, nor
do we plan to do so. This is best left to Mr. McAfee and the other
experts.
It is our considered opinion that Quick Basic along with several
machine language modules were used to develop these "trojans". Reverse
engineering a Quick Basic program along with the libraries included at
link time produces huge amounts of code.
As far as releasing the "fixes", not enough is yet known by SWE to be
able to provide a substantial program. We need more information about
how many versions of the AIDS "trojan" are in circulation, as well as
samples of these for study. SWE has no intention of publicly releasing
a "fix" at this time or in the future.
It is our opinion that the best course SWE can take is to share our
knowledge with others who have the knowledge and experience to take
what we learned and investigate further.
To that end, SWE is willing to forget past differences with a specific
company and share our files as well as the "fixes" and our knowledge
on cryptology with them, for the good of the computing community. If
they are interested, leave a public message on your BBS in the virus
SIG. Some type of agreement can be reached if you are interested in
doing so!
The opinions and statements expressed herein are those of SWE. These
are based on research done on two copies of the AIDS "trojan" disk we
have tested. Findings produced by other people working on this problem
may agree, vary, or contradict our findings. So be it! SWE is not
competing with anyone else working on this problem. We present this
information solely to acquaint the computing community on the details
we have discovered so far.
The information contained in the message above was supplied by the
people at SWE, who have postponed their vacation closing to conduct
research into the AIDS problem.
It is my opinion that everyone should band together on this one! The
AIDS disk seems to be very complicated and it will probably take the
combined knowledge of everyone working on this disaster to come up
with a solution.
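SWE's message describes the key as a combination of the DOS major/minor version, the length and date/time stamp of certain files, and the total and free disk space, altered slightly after each file, and notes that recovery was helped by knowing the original contents of the test disk. The following is an added example, not code from SWE, from the digest, or from the trojan itself (whose actual scheme the page does not give): it models that derivation with a toy keyed XOR stream, enumerates every combination of those system facts a victim disk could plausibly have, and uses one file of known contents to confirm the right candidate. The hash-based derivation, the per-file key change, the XOR cipher and all candidate ranges are assumptions made for the illustration.

```python
"""Added example, not code from SWE or from the digest.  It models the key
derivation SWE describes (DOS major/minor version, file length of certain
files, total and free disk space combined into an initial key that is
altered after each file) with a toy scheme, to show how small the search
space is and how one file of known contents confirms a candidate key.  The
hashing, the XOR stream and all candidate ranges are assumptions."""
import hashlib
import itertools

# Constructed candidate ranges for the three criteria SWE lists.
DOS_VERSIONS = [(2, 0), (2, 10), (2, 11), (3, 0), (3, 10), (3, 20), (3, 30), (4, 0), (4, 1)]
DISK_TOTALS_KB = [10240, 20480, 30720, 40960]   # 10 to 40 MB drives
FREE_KB_STEP = 512                               # assumed granularity of free space


def derive_key(dos_major, dos_minor, file_len, total_kb, free_kb):
    """Assumed derivation: hash the criteria into a 16-byte key."""
    material = f"{dos_major}.{dos_minor}|{file_len}|{total_kb}|{free_kb}".encode()
    return hashlib.sha256(material).digest()[:16]


def next_key(key):
    """Assumed model of 'the key is modified slightly after each file'."""
    return hashlib.sha256(key).digest()[:16]


def xor_stream(data, key):
    """Toy cipher: repeating-key XOR (stands in for whatever the trojan used)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt_files(files, key):
    out = []
    for data in files:
        out.append(xor_stream(data, key))
        key = next_key(key)
    return out


def decrypt_files(ciphertexts, key):
    # Same chaining as encryption; XOR is its own inverse.
    return encrypt_files(ciphertexts, key)


def candidate_parameters(file_len):
    """Enumerate every (version, total, free) combination a victim disk could have."""
    for (maj, mn), total in itertools.product(DOS_VERSIONS, DISK_TOTALS_KB):
        for free in range(0, total + 1, FREE_KB_STEP):
            yield maj, mn, file_len, total, free


def key_space_size(file_len):
    return sum(1 for _ in candidate_parameters(file_len))


def recover_key(first_ciphertext, known_plaintext):
    """Known-plaintext search: decrypt the first file under each candidate key
    and keep the one that reproduces the known original bytes."""
    n = len(known_plaintext)
    tried = 0
    for params in candidate_parameters(n):
        tried += 1
        key = derive_key(*params)
        if xor_stream(first_ciphertext[:n], key) == known_plaintext:
            return params, key, tried
    return None, None, tried


def demo():
    # Constructed victim disk: the first file is one whose contents we still have.
    files = [b"@ECHO OFF\r\nPROMPT $P$G\r\n", b"Quarterly report, draft 3", b"Budget 1990"]
    true_params = (3, 30, len(files[0]), 20480, 4096)
    ciphertexts = encrypt_files(files, derive_key(*true_params))

    params, key, tried = recover_key(ciphertexts[0], files[0])
    restored = decrypt_files(ciphertexts, key)
    return params == true_params, tried, restored == files


if __name__ == "__main__":
    print(key_space_size(24), demo())
```

With these ranges the whole search space is 1836 candidates, which is why one known file settles the matter in well under a second; the lesson for anyone evaluating a scheme like this is that a key built only from facts an analyst can enumerate is no stronger than the count of those combinations, whatever cipher sits on top of it.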
------------------------------
Date: 18 Dec 89 19:07:43 +0000
From: Ralph Mitchell <Ralph.Mitchell@brunel.ac.uk>
Subject: Re: AIDS Trojan (PC)
dmg@retina.mitre.org (David Gursky) writes:
>The AIDS Trojan Horse discussed by Alan Jay and John McAfee raises some
>interesting questions about accountability.
>[...]
>In the broader case, could the perpetrators be extradited to one of
>the European countries that have better relations with Panama, and be
>held liable for damages even though the license says not to use the
>application without first paying for it.
There is no actual address on the documentation that comes with the disk.
The only way to find out where to send the money is by running the install
program, though it doesn't even say that in the notes... Of course, by
that time, it is firmly ensconced on your hard disk...
Ralph Mitchell
--
JANET: ralph@uk.ac.brunel.cc ARPA: ralph%cc.brunel.ac.uk@cwi.nl
UUCP: ...ukc!cc.brunel!ralph PHONE: +44 895 74000 x2561
"There's so many different worlds, so many different Suns" - Dire Straits
"Never underestimate the power of human stupidity" - Salvor Hardin, Foundation
------------------------------
Date: Sun, 17 Dec 89 21:14:50 -0500
From: Christoph Fischer <RY15@DKAUNI11.BITNET>
Subject: Aids cures (PC)
A I D S - D I S K E T T E
===========================
Dr. Solomon and I just had a phone conversation on possible cures for
the effects of the AIDS disc.
In STAGE ONE
(the disc has been installed but the filenames are not encrypted)
Several hidden directories, a file REM.EXE, and an altered AUTOEXEC.BAT
have been installed. Some sources suggest removing these directories,
the added files, and restoring the original AUTOEXEC.BAT will cure all
effects of STAGE ONE.
Because of the uncertainty what else the program does, people who want
maximum security are advised to copy the files to diskettes after the
above procedure. Low-level format the discs and restore all programs
and data.
Dr. Solomon and I are not sure that all discs behave the same way.
Our samples don't touch harddiscs higher than C: (D:, E:, ...) but there
are reports of discs that do! (maybe just rumors?)
STAGE TWO is entered after 90 executions of the AUTOEXEC.BAT with our
samples but there are victims that claim that their version of the
software skips STAGE ONE.
In STAGE TWO the program encrypts the filenames and alters other things.
A mockup is started after reboot from the harddisc that gives you a
correct directory listing plus an added comment that the lease of the
CYBORG software has expired.
In this stage the disc contents appear to be useless.
Dr. Solomon was the first to discover a principle behind the encryption
and is working on a program to recover the original filenames.
We both think that this mechanism should only be used to backup all
data of an infected disc. A LOW-LEVEL format of the harddisc and
reinstallation of programs and data are the safest means to remove
all effects.
Sincerely Chris Fischer (University of Karlsruhe, West-Germany)
and Dr. Alan Solomon (S&S Enterprises, Chesham, Bucks, Great-Britain)
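The STAGE ONE description above gives three things a support person can look for before the count of AUTOEXEC.BAT executions runs out: hidden directories that were not there before, a file REM.EXE, and an AUTOEXEC.BAT that has been altered. Here is an added example, not code from Fischer, Solomon or the digest, that runs those checks over a volume listing and turns the findings into the removal steps the message lists. Because the DOS hidden attribute cannot be read portably, the listing is a constructed in-memory snapshot; the hidden directory names, the location of REM.EXE and the added AUTOEXEC.BAT line are made up for the illustration, and the known-good AUTOEXEC.BAT stands for whatever copy a site keeps on its install diskette.

```python
"""Added example, not code from Fischer, Solomon or the digest.  It checks a
volume listing for the STAGE ONE indicators described above: hidden
directories, a file REM.EXE, and an AUTOEXEC.BAT that no longer matches a
known-good copy.  The listing is a constructed in-memory snapshot because
the DOS hidden attribute cannot be read portably; the directory names, the
location of REM.EXE and the altered AUTOEXEC.BAT line are all made up."""
import hashlib


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Known-good AUTOEXEC.BAT as kept on the site's install diskette (constructed).
KNOWN_GOOD_AUTOEXEC = b"@ECHO OFF\r\nPATH C:\\DOS\r\nPROMPT $P$G\r\n"
KNOWN_GOOD_SHA256 = sha256(KNOWN_GOOD_AUTOEXEC)

# Constructed snapshot of C: after the installer has run.
INFECTED_SNAPSHOT = [
    {"path": r"C:\AUTOEXEC.BAT", "kind": "file", "hidden": False,
     "data": b"@ECHO OFF\r\nPATH C:\\DOS\r\nPROMPT $P$G\r\nC:\\REM.EXE\r\n"},
    {"path": r"C:\CONFIG.SYS", "kind": "file", "hidden": False,
     "data": b"FILES=20\r\nBUFFERS=20\r\n"},
    {"path": r"C:\REM.EXE", "kind": "file", "hidden": False, "data": b"MZ\x90\x00"},
    {"path": r"C:\HIDDEN1", "kind": "dir", "hidden": True, "data": None},      # made-up name
    {"path": r"C:\HIDDEN1\SUB", "kind": "dir", "hidden": True, "data": None},  # made-up name
    {"path": r"C:\DOS", "kind": "dir", "hidden": False, "data": None},
    {"path": r"C:\WP", "kind": "dir", "hidden": False, "data": None},
]

# Constructed snapshot of a machine that has never seen the disk.
CLEAN_SNAPSHOT = [
    {"path": r"C:\AUTOEXEC.BAT", "kind": "file", "hidden": False, "data": KNOWN_GOOD_AUTOEXEC},
    {"path": r"C:\CONFIG.SYS", "kind": "file", "hidden": False, "data": b"FILES=20\r\nBUFFERS=20\r\n"},
    {"path": r"C:\DOS", "kind": "dir", "hidden": False, "data": None},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].upper()


def stage_one_indicators(snapshot, known_good_sha256=KNOWN_GOOD_SHA256):
    """Return a list of (indicator, path) pairs; an empty list means none found."""
    findings = []
    for entry in snapshot:
        name = basename(entry["path"])
        if entry["kind"] == "dir" and entry["hidden"]:
            findings.append(("hidden directory", entry["path"]))
        elif entry["kind"] == "file" and name == "REM.EXE":
            findings.append(("REM.EXE present", entry["path"]))
        elif entry["kind"] == "file" and name == "AUTOEXEC.BAT":
            # Any deviation from the known-good copy counts; the digest does not
            # say what the alteration looks like, so no specific line is matched.
            if sha256(entry["data"]) != known_good_sha256:
                findings.append(("AUTOEXEC.BAT differs from known-good copy", entry["path"]))
    return findings


def suggested_cleanup(findings):
    """Map findings to the STAGE ONE steps the digest lists (remove the added
    directories and files, restore the original AUTOEXEC.BAT).  The backup,
    low-level format and reinstall it also recommends are left to the operator."""
    steps = []
    for indicator, path in findings:
        if indicator == "hidden directory":
            steps.append(f"remove directory {path}")
        elif indicator == "REM.EXE present":
            steps.append(f"delete file {path}")
        else:
            steps.append(f"restore {path} from known-good copy")
    return steps


if __name__ == "__main__":
    found = stage_one_indicators(INFECTED_SNAPSHOT)
    for indicator, path in found:
        print(f"{indicator}: {path}")
    for step in suggested_cleanup(found):
        print("->", step)
```

The AUTOEXEC.BAT check deliberately compares against a hash of a known-good copy rather than looking for a particular added line, since the digest only says the file is altered; this also catches any other tampering with the startup file, at the cost of flagging legitimate local edits until the baseline is updated.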
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253