home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.266
< prev
next >
Wrap
Text File
|
1995-01-03
|
26KB
|
581 lines
VIRUS-L Digest Thursday, 21 Dec 1989 Volume 2 : Issue 266
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk
Today's Topics:
AIDS Fix - phone no.
Trojan AIDS: the AIDS program (PC)
Re: AIDS disk (PC)
AIDS Information Disk Technical Analysis available
Re: Gatekeeper and Gatekeeper Aid (Mac)
Holiday VIRUS-L/comp.virus interruption
Authentication
Invisible INITs - Don't (Mac)
Re: Gatekeeper and Gatekeeper Aid (Mac)
Artificial Life Workshop - final announcement!
Another AIDS disk recipient (PC)
Flu virus (PC)
---------------------------------------------------------------------------
Date: 20 Dec 89 17:07:18 +0000
From: G.Toal@edinburgh.ac.uk
Subject: AIDS Fix - phone no.
The following has been sent to me for forwarding. The AIDS disk that my
colleague received was 2.00 and arrived when all the others did. I have
no other information about the AIDS Version 1.0 diskette.
Sam Wilson
Network Planning, Edinburgh University Computing Service
- --- Forwarded message:
Subject: AIDS Fix - phone no.
From: G.Toal @ uk.ac.edinburgh
Date: 20 Dec 89 16:00:54 gmt
>From Frank J Leonhardt. fjl@cix aka uab1018@dircon.UUCP
Here is some information about the Aids disc, gleaned from research
done in London, which, judging from messages taken from the network
and passed on to me from the Edinburgh Virus BB, you may not be aware of.
There are indeed two versions of the disc. There were a few, sent out
about a month ago, labelled as version 1.0. Most of them are labelled
2.0. The two versions are different.
There is a complete fix program available, which will totally un-
scramble you disc even if the trojan has done it's stuff. Not easy
when you consider how the encryption key was made up (i.e. out of free
memory, date, MS-DOS version and so on). If you need this program you
can get hold of it by 'phoning 01-831 9252 (PCBW offices) and ask for
it. PCBW can also be found in the basement of 99 Grey's Inn Road,
London, and would love some more copies of the discs, especially
version 1.0.
The program to restore a smashed disc is called CLEARAIDS and will
soon be available on "cix" in the conference "virus/files". CIX is a
commercial system which us poor non-academics have to use instead of
Janet. <hint!> [OK Frank - I'll get you an ID. GToal]
Thanks for gtoal@uk.ac.ed for getting stuff on and off Janet for this.
Frank J Leonhardt. fjl@cix aka uab1018@dircon.UUCP
- --- End of forwarded message
------------------------------
Date: 20 Dec 89 16:36:00 +0100
From: Klaus Brunnstein <brunnstein@rz.informatik.uni-hamburg.dbp.de>
Subject: Trojan AIDS: the AIDS program (PC)
The AIDS diskette contains 2 programs,
INSTALL.EXE 146.188 Bytes 9-28-89 4:28p
AIDS. EXE 172.562 Bytes 8-07-89 10:28p
the first of which is described by J.McAfee and others (INSTALL.EXE and it's
installed versions REM,SHARE) in VIRUS-L; this is the Trojan horse.
The AIDS-program itself contains a question/answering session with AIDS-
related question, where a `risk' (on 7 levels) is computed for the specific
answers. While most other groups are analysing the INSTALLed Trojan horse,
one group at Virus Test Center Hamburg actually analyses the AIDS program.
We have run several sessions, and we regard the program as *not very
intelligent* from the Informatics standpoint, and *not highly reliable*
from the medical standpoint (we will prove this with some medical experts; we
received 4 copies from specialists in immunology, and 3 more copies from
banks etc).
The AIDS program works rather linearly; the dialogue is done with simple
multiple choices, where the 1st option is alwys HELP-text. If you analyse the
HELP texts, they are not very specific (many of them may have been generated
from an ordinary lexikon). In section 1, BACKGROUND INFORMATION is gathered,
e.g. residence country, sex, age (in 9 clusters), ancestors origin continent,
sexual behaviour (heterosexual, no sexual experience, homosexual or bisexual),
and number of sex partners since 1980 (in 8 clusters from 0 to 100+)are asked.
In section 2, MEDICAL HISTORY is examined, e.g. how many blood transfusions
since 1980, active tuberculosis, drug injection, sexually transmitted
diseases, sexual habits (use of condom..). For some positive answers,
there may be additional details asked for. No mechanism is visible whcih
safeguards the extensive personal data; on the other side, no data are
gathered which may be used to authenticate a person and relate their name
with the data gathered.
After an evaluation procedure (less than 1 minute on an AT), `you' are
assigned to one of seven Levels of AIDS Risk (`no risk, very low risk,
low risk, medium risk, high risk, very high risk, extremely high risk).
Depending on the list of answers, a PERSONAL ADVICE is given, e.g. stating
`Your risk of exposure to the AIDS virus is low but presently increasing..',
suggesting to use condoms, etc. Finally, you are asked to input YOUR
COMMENTS (`Use the computer like a typewriter. Type anything that comes to
your mind ... The computer will then analyze your remarks and respond to you
with further comments..'). The answers are rather unspecific.
Based on some experiments (with more systematic testing to be done
after having reverse-engineered the code), my best estimation is, that
the question-answering is done in typical BASIC style, and that the
risk evaluation function is only very rudimentary (we received a 'low
risk' for a young female drug addict). The personal advice seems to be
programmed from a few types of answers, and the analysis of Your
Comments fails with even simple, AIDS-related questions.
The 'loose' relation between INSTALL/REM/SHARE and AIDS (probably influencing
the catastrophic counter, evidently initialised at 90 and decremented during
bootup) will very probably allow to use the INSTALL process also *in connection
with other 'interesting programs'*. With so may diskettes distributed, we may
face similar (and maybe more serious) threats. I therefore appreciate
J.McAfee's remark that he has included his ANTI-Trojan in his ANTIVIRUS tool.
Though mixing up an Antivirus Tool with Anti-Trojan functions may produce
new problems (e.g. misunderstanding the respective threats and the limitations
of such tools), I suggest that also other antivirus tools should contain a
diagnostic featrue for Trojan AIDS.
Evaluating the given situation, I conclude that the business procedure (the
e.g. distribution of diskettes) was professional, and that the Trojan horses
mechanisms were rather intelligent, though some parts of the INSTALL/REM/SHARE
are primitively linear programmed, e.g. the `encryption' part. The AIDS
program is of neither good programming nor medical standard.
Klaus Brunnstein
- -----------------------------------------------------------------------
PostAdress: Prof.Dr. Klaus Brunnstein
Faculty for Informatics, Univ.Hamburg
Schlueterstr.70
D 2000 Hamburg 13
Tel: (40) 4123-4158 / -4162 Secr.
ElMailAdr: Brunnstein@RZ.Informatik.Uni-Hamburg.dbp.de
FromINTERNET:Brunnstein%RZ.Informatik.Uni-Hamburg.dbp.de@Relay.CS.Net
FromBITNET: Brunnstein%RZ.Informatik.Uni-Hamburg.dbp.de@DFNGate.Bitnet
FromUUCP: brunnstein%rz.informatik.uni-hamburg.dbp.de@unido.uucp
- -----------------------------------------------------------------------
------------------------------
Date: Wed, 20 Dec 89 18:33:56 +0000
From: Phil OKunewick <okunewck@psuvax1.cs.psu.edu>
Subject: Re: AIDS disk (PC)
attcan!ram@uunet.UU.NET (Richard Meesters) writes:
>martin@EASBY.DURHAM.AC.UK (Martin Ward) writes:
>> I feel that I should point out that the effects of this disk are
>> entirely in accordance with the standard warrenty used by most
>> commercial software developers...
>
>...Warranty implies that the
>product was purchased and you are following the terms of the purchase
>agreement. The trojan runs for a time and then demands that you pay
>for the product...
> ...kidnaps your data and holds it for ransom.
>
>Illegal, or at least extremely Immoral (presumably the former).
Illegal in the United States, which may be why they didn't try to
spread it here.
According to the regulations of the U.S. Postal Service, if you
receive something through the mail which you have not ordered, then
you automatically own it.
If this were not enforced, then many of these annoying organizations
that send us ads for junk products would instead be sending us the junk
products, along with a bill for their trash.
Does the U.K. have a similar law?
- --
---Phil
(erutangis. ruoy naht daer ot redrah si erutangis. yM)
------------------------------
Date: Mon, 18 Dec 89 11:14:02 +0000
From: Alan Jay <alanj@IBMPCUG.CO.UK>
Subject: AIDS Information Disk Technical Analysis available
The following Article was submitted by Alan Solomon for distribution
on CONNECT and USENET. It relates to the AIDS Information Disk and
gives extensive technical details of the disk and the AIDS program.
This article is 1800 lines long.
Dr Alan Solomon is Chairman of the IBM PC User Group, London.
Alan Jay -- The IBM PC User Group -- PO Box 360, HARROW HA1 4LQ -- 01-863 1191
[Ed. Due to its length, the document has been forwarded to the
comp.virus documentation archive sites.]
------------------------------
Date: Wed, 20 Dec 89 16:30:16 -0500
From: dmg%retina.mitre.org@IBM1.CC.Lehigh.Edu (David Gursky)
Subject: Re: Gatekeeper and Gatekeeper Aid (Mac)
In VIRUS-L Digest V2 #265, "Carl_A.Fassbender" <YOOPER@MSU.BITNET> was
asking why the Gatekeeper & Gatekeeper Aid icon did not show up after
he made the files invisible.
The Mac OS does not load INITs that are part of files with the
Invisible bit set. [Editorial comment: Hey Apple! Why?????] If you
want to have Gatekeeper active, you must have the file visible on the
desktop.
------------------------------
Date: Wed, 20 Dec 89 16:26:53 -0500
From: Kenneth R. van Wyk <krvw@SEI.CMU.EDU>
Subject: Holiday VIRUS-L/comp.virus interruption
With the Holiday season approaching, VIRUS-L/comp.virus will be rather
intermittent during the next week. I will be in the office until
Friday, December 22 and out for the entire next week. However, I will
be logging in from home periodically and sending out the occasional
digest (as demand dictates).
Remember that urgent messages, as always, can be sent to
VALERT-L@IBM1.CC.LEHIGH.EDU. Please do not use VALERT-L for
discussion - VALERT-L was created due to requests from people who wish
to keep up with virus activity only, not discussions. All followup
and subsequent discussions should be sent to VIRUS-L/comp.virus.
Also, the Computer Emergency Response Team (CERT) can be reached via
email (monitored daily) at cert@sei.cmu.edu or (for more urgent
problems) at 24 hours a day at (412) 268-7090 for Internet related
security incidents.
Holiday Cheers and Best Wishes to all!
Ken
Kenneth R. van Wyk
Moderator VIRUS-L/comp.virus
Technical Coordinator, Computer Emergency Response Team
Software Engineering Institute
Carnegie Mellon University
krvw@SEI.CMU.EDU
(412) 268-7090 (24 hour hotline)
------------------------------
Date: Wed, 20 Dec 00 19:89:52 +0000
From: greenber@utoday.UU.NET (Ross M. Greenberg)
Subject: Authentication
Bob Bosen, of Enigma, comments in VL V2#265 further about the need for
X9.9 as the level of sophistication required of an authentication
scheme.
I'm not sure he's right. Let's look at two different usages for
authentication schemes: one, to determine if a program is what you
expect it to be during a "global" scan, one to determine if the
program is what you expect it to be immediately before it is run.
A subset of the second portion above is whether a program can contain
a self-checker -- a portion that checks itself when it is run. I
propose that self-checkers, while useful, are meaningless: by the time
a self-checker's checking code is run, the virus or trojan's damage is
already done. Additionally, what prevents the virus/trojan from
removing itself from the host file and/or memory before the
self-checker runs? Therefore, self-checking programs are not realy
worthy of further comment.
Case 1, above, when a scanning program checks a file's signature
against a supposed signature is good stuff. Yet, you must prepare
yourself for a long initial time to build the original authentication
database -- the more complex the scheme, the longer such a check will
take. There's a commercial anti-virus program out there already that
does some sort of authentication check on every executable on your
disk (PC-based). On a full disk, it can take something like three
hours to run on an XT machine. X9.9 might be a good approach, but if
it takes even that longer and not longer, you simply won;t get people
using it -- regardless of how wonderful it is. If I have to run such
a beast each morning, I'll pass. I think most commercial users would
bypass a long wait -- they do, after all, have some work to do.
What about a checker that checks only that a file you're about to run
is what you expect, then? This *may* be worthy of comment (heck, my
own code does that! :-) ), but it depends on how long it takes. If it
takes me ten minutes to load Word Perfect on my trusty 4.77MHz, run
asophisticated authentication check against it and then finally get to
run it, well, my boss is not going to be too happy. So, the more
sophisticated the algorithm, the less likely it is to be used. I know
this from my own beta testers for a new release of my own product:
they felt that the more sophisticated checker, although nice and more
trustworthy, simply took too long to run. Given a choice, and they
make their choices known with their payments, they opt for one that's
"good enough".
What's a programmer to do, then? My suggestion is easy: forget those
who claim that sophisticated checkers are what we need -- they may be
right, but there are many drawbacks to them, and we all still have
work to do! Forget those who claim that their solution is the only
solution. But, I'd rather have two unrelated and unsophisticated
algorithms that the "bad guy" knows nothing about, then one
"unbeatable" algorithm that goes unused.
Since there are umpteen different ways that such checkers could be
written, the odds of two such routines generating the same results
given a change in the source is pretty darned small. And, if you're
still in doubt, then run a third or forth or 20th checker.....
Ross M. Greenberg
Ross M. Greenberg, Technology Editor, UNIX Today! greenber@utoday.UUCP
594 Third Avenue, New York, New York, 10016
Voice:(212)-889-6431 BIX: greenber MCI: greenber CIS: 72461,3212
To subscribe, send mail to circ@utoday.UUCP with "Subject: Request"
------------------------------
Date: Wed, 20 Dec 89 16:51:15 -0500
From: Joe McMahon <XRJDM@SCFVM.BITNET>
Subject: Invisible INITs - Don't (Mac)
Any file which is invisible will not bec checked for INIT resources.
This means that GateKeeper and GateKeeper Aid are *not working*
because they have not gotten to install their hooks.
System 6.0.2 (I think) was the first System to add this check to the INIT
mechanism; this was done to help combat the Scores virus's famous invisible
"Desktop" and "Scores" files, which contained INITs.
Summary: Make INITs and cdev's invisible, and any INITs they install won't
work.
--- Joe M.
------------------------------
Date: 20 Dec 89 22:34:09 +0000
From: coherent!dplatt@ames.arc.nasa.gov (Dave Platt)
Subject: Re: Gatekeeper and Gatekeeper Aid (Mac)
YOOPER@MSU.BITNET (Carl_A.Fassbender) writes:
> In Michigan State University's public laboratory, we have run into
> many viruses including the WDEF virus. We decided to put Gatekeeper
> and Gatekeeper aid on our system disks. To protect these files from
> being erased, they were made invisible using MacTools. Now in the
> control panel, the Gatekeeper icon does not show up. Question: Does
> this mean that Gatekeeper is not active? What about Gatekeeper Aid?
Apple's System 6.0 and later will not execute INIT resources which reside
in invisible files. This was done to prevent viruses (e.g. SCORES)
from dropping invisible INIT files into the System folder. By making
the Gatekeeper and Gatekeeper Aid files invisible, you've rendered them
inoperative.
You can, if you wish, make the whole System folder invisible; this won't
prevent the system from booting and won't prevent Gatekeeper etc. from
installing themselves. For lab machines, this is often a reasonable
approach.
- --
Dave Platt VOICE: (415) 493-8805
UUCP: ...!{ames,apple,uunet}!coherent!dplatt DOMAIN: dplatt@coherent.com
INTERNET: coherent!dplatt@ames.arpa, ...@uunet.uu.net
USNAIL: Coherent Thought Inc. 3350 West Bayshore #205 Palo Alto CA 94303
------------------------------
Date: 20 Dec 89 22:29:59 +0000
From: cgl@lanl.gov (C G Langton)
Subject: Artificial Life Workshop - final announcement!
FINAL ANNOUNCEMENT !!!!
ARTIFICIAL LIFE
---------------
A workshop on the synthesis of
living and evolving artifacts.
February 5-9, 1990
Santa Fe, New Mexico
Sponsored by
------------
The Center for Nonlinear Studies, LANL
and
The Santa Fe Institute
Self-Organizers
---------------
Doyne Farmer
Chris Langton
Steen Rasmussen
Charles Taylor
Artificial Life has only recently emerged as a coherent field of
scientific research. Its primary methodological approach is to study
life and evolution by attempting to actually create living and/or
evolving processes within computers, beakers, or other ``artificial''
media. Its primary goal is to abstract the ``logical form'' of life
from its material basis - and to construct a truly general theory of
living systems, one which will be capable of treating life wherever it
is found in the universe and whatever it is made of. ``Artificial'' Life
can contribute to the study of ``real'' life by helping to locate
life-as-we-know-it within the larger context of life-as-it-could-be,
in any of its possible incarnations.
This will be the second workshop on the topic of Artificial Life. The
workshop will include invited and contributed talks, demonstrations,
and discussions on the many scientific, technical, philosophical, and
moral issues surrounding the increasing attempts to synthesize life
artificially. We will also have an artificial ``4H show'' with prizes
for the best artificial life-forms.
Specific investigations in the field of Artificial Life include attempts
to synthesize, simulate, or otherwise recreate the following:
- the emergence of autocatalytic sets within soups of artificial polymers;
- the evolution of strings of code using Genetic Algorithms;
- self-reproducing bit-strings, clay-crystals, RNA molecules, or LEGO-robots
;
- the emergence of cooperativity, colonial organization, multi-cellularity,
and hierarchical organization;
- the embryological processes of growth, development, and differentiation;
- the emergence of social behavior in populations of artificial insects;
- the emulation of population and ecosystem dynamics;
- the implementation of artificial environments, logical universes,
or ``virtual realities'' sufficiently rich to support the open-ended
evolution of embedded ``organisms'';
- cultural evolution, including the origin and evolution of socio-
cultural institutions, and the evolution of natural language in its
role as a vehicle for cultural inheritance;
- the dynamics of self-propagating information structures such as
biological and computer viruses;
Many of the investigations mentioned above will be reported on or
discussed at the workshop.
We expect that there will also be plenty of debate on the question of
whether or not symbolic processes within computers can be considered
``alive'' in principle, or whether they could be capable of participating
in anything like truly open-ended evolution. These debates will probably
parallel to a large extent the debates in the AI community on whether
processes within computers can considered to be ``intelligent'' or
``conscious.''
We are also encouraging presentations and/or debates on the moral and
social consequences of achieving the capability to create living things.
The mastery of the technology of life will easily overshadow any of our
previous technological accomplishments - even our mastery of the technology
of death - in terms of the burden of responsibility which it places on our
shoulders. As was the case for the mastery of atomic fission and fusion,
the potential abuses are directly proportional to the potential benefits.
Once again, we are in a position where our technical understanding of nature
is far in advance of our understanding of the potential consequences
of mastering or deploying the technology. This is not an enterprise to
be undertaken lightly, or to be pursued in the cause of such shortsighted
goals as fleeting military advantage.
The increasing spread and sophistication of computer viruses is evidence
both of the imminence of this new era in the history of life, and of the
complexity of the problems and issues that will be facing all of us in
the not-too-distant future.
We welcome your presence and contribution on any aspect of Artificial
Life that you consider worth presenting or discussing with others
who are interested in such issues. Whether you are a scientist, an
engineer, a philosopher, an artist, or just a concerned citizen, we
feel that ALL points of view need to be aired at this early stage in
the evolution of Artificial Life.
For further information and/or registration materials, contact:
Andi Sutherland
The Santa Fe Institute
1120 Canyon Rd.
Santa Fe, New Mexico
87501
505-984-8800
andi@sfi.santafe.edu
The deadline for contributions is Dec. 31, 1989. Registrations for
the workshop will be accepted right up to the date of the workshop.
Some limited financial assistance will be available for the truly
needy.
The proceedings of the first Artificial Life Workshop, held at
the Center for Nonlinear Studies, Los Alamos, New Mexico in 1987,
are available from Addison Wesley: "Artificial Life: The proceedings
of an interdisciplinary workshop on the synthesis and simulation
of living systems", edited by Christopher G. Langton, Volume #6
in Addison Wesley's `Santa Fe Institute Studies in the Sciences
of Complexity' series. They can be ordered toll free by calling
800-447-2226. The order codes are:
Hardback (about $40) ISBN 0-201-09346-4
Paperback (about $20) ISBN 0-201-09356-1
------------------------------
Date: Thu, 21 Dec 89 02:36:00 +0700
From: MARCO VAN DEN BERG / IRRI <BROERS@RCL.WAU.NL>
Subject: Another AIDS disk recipient (PC)
Just to complete the picture : at our institute here in the
Philippines we have so far received two copies of the AIDS disk as
well, but neither of them was installed on a user's machine (thanks to
the warnings from this (now) esteemed forum). Please note that it is
extremely likely that many folks in international organizations (UN,
World Bank, etc.) will be sent this disk when they have ever dropped a
business card at some computer show.
By the way, I *really* think the US reaction is a little
overdone, I'm sure that Noriega doesn't even know a keyboard from an
M16...
Marco van den Berg
International Rice Research Institute
Los Banos
The Philippines
CGI402%NSFMAIL@INTERMAIL.ISI.EDU or BROERS@RCL.WAU.NL
------------------------------
Date: Thu, 21 Dec 89 10:46:26 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: Flu virus (PC)
I just received a message from Australia, describing "Flu", a new
virus, that uses a good deal of self-modifying code. Does anyone have
more information ?
- -frisk
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253