home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.27
< prev
next >
Wrap
Text File
|
1995-01-03
|
10KB
|
206 lines
VIRUS-L Digest Thursday, 26 Jan 1989 Volume 2 : Issue 27
Today's Topics:
PC hardware protection (PC)
re: Request for definition of worms and trojan horses.
Re: [LICHTBLS@DUVM.BITNET: nVir (init 29) (Mac)]
Virus Prevention Guidelines
---------------------------------------------------------------------------
Date: Thu, 26 Jan 89 15:02:51 GMT
From: Martin Ward <martin@EASBY.DURHAM.AC.UK>
Subject: PC hardware protection (PC)
I have been considering the problem of trying to add some protection
against Trojan Horse (and by implication virus-infected) programs to a
PC. With a standard PC there appears to be NO protection against a
malicious Trojan which lies dormant for a while (ie carries out its
advertised function) and suddenly decides to trash all your file (or
just change a random byte in a random file). This is because any
program has total access to any bit of the hardware. Hence the only
protection is a regular backup (the Trojan which randomly changes
small areas of data could still take a while to find and therefore
could do a lot of damage).
Other operating systems (eg UNIX) have protection mechanisms which
(barring loopholes) prevent a user from accessing or modifying files
he does not have permission for. This could be extended to the concept
of "program" permissions: when an untrusted program is about to be run
a trusted supervisor program gives write permission to only those
files the untrusted program is allowed access to and then runs the
program under that user id.
To implement this system on a PC requires extra hardware, (here is
where I need some help from someone with more knowledge of PC
hardware): I imagine a two-position switch (physical, hardware
switch). In one position it allows full access to the disk and to an
internal "permissions" table. In the other position it denies access
to the "permissions" table and prevents access to any files not listed
in the table. Moving the switch from the second to the first position
should cause an automatic cold boot (this is so that a malicious
program cannot "pretend" it has terminated and fool you into moving
the switch). To execute an untrusted program you run a trusted program
which looks up the files allocated to the untrusted program (in a
file), sets up the permissions table and requests that you throw the
switch. It then waits for the switch to be moved and automatically
runs the program.
No "untrusted" program should have access to the boot tracks,
command.com files etc. or any executables, and should not be able to
create "bad" sectors. Hence the cold boot which occurs when the
switch is moved back to the "trusted program" position should be
perfectly safe.
Comments on the practicality etc. of this idea are welcomed!
Martin.
My ARPANET address is: martin%EASBY.DUR.AC.UK@CUNYVM.CUNY.EDU
JANET: martin@uk.ac.dur.easby BITNET: martin%dur.easby@ac.uk
UUCP: ...!mcvax!ukc!easby!martin
Quote: "If God had intended Man to Smoke, He would have set him on Fire."
------------------------------
Date: 26 January 1989, 10:07:43 EST
From: David M. Chess <CHESS@YKTVMV.BITNET>
Subject: re: Request for definition of worms and trojan horses.
Well, the definitions we tend to use around here are something like this:
A bug is something that a program does that neither the programmer
nor the user intended.
A Trojan horse is a program that does something that the programmer
intended it to, but the user did not. (And, generally, that the
user would not have approved of had he/she known about it.)
A worm is a program that sends copies of itself through a network.
A virus is, to quote Fred Cohen, "a program that can 'infect' other
programs by modifying them to include a possibly evolved copy of itself".
A program infected with a virus is usually a Trojan horse, since it
does at least one thing (infecting other programs) that the user
doesn't know about, and wouldn't approve of. The (a?) key difference
between a worm and a virus is that a virus is a code-fragment that
hides within and spreads between *programs*, whereas a worm is a complete
program (or program-set) that runs on and spreads between network-
attached *computers*. In a very deep theoretical sense, the two are
different versions of the same thing (instructions that make copies
of themselves at other places in a computing environment); but in
practice, a program is different enough from a network-attached system
that it makes sense to draw a distinction.
The Internet thing back in November was a worm, not a virus. A
copy of Pandas in Space that has been hacked to include code that
erases all your files (but doesn't spread to other programs) is a
Trojan horse, but not a virus or a worm.
Something like that...
DC
[Ed. Thank you for the clear definitions. I received a plethora of
similar definitions of virus/worm/trojan today; thanks to *everyone*
who took the time to send in theirs! I've included (only) this one
here, not because it's any better (or worse) necessarily, but to cut
down on redundancy/traffic.
J.D. Abolins made a very interesting point in the definition that he
sent in: "Tom Kummer, in a recent posting, asked what is the
difference between Trojan Horse program and worms as compared to
viruses. Before I post an off-the-cuff reply, I must mention that the
terminology for 'bogusware' is very fluid. The use of any word such as
virus, worm, etc. has to be interpreted in the context of the person
using the word and the actual workings of the program in question.
'One man's virus is another man's worm.'" This points out the fact
that there is much confusion (particularly in the media) as to the
meaning of the above terms. We must try to take such reports with a
grain of salt, and figure out for ourselves what the author meant.
The media still refers to the Internet Worm as the "Internet Virus"...]
------------------------------
Date: Thu, 26 Jan 89 11:16:09 EST
From: Joe McMahon <XRJDM@SCFVM.GSFC.NASA.GOV>
Subject: Re: [LICHTBLS@DUVM.BITNET: nVir (init 29) (Mac)]
>Subject: nVir (init 29) (Mac)
>
> I have encountered this new strain of nVir on a bunch of Mac II's
>with Interferon, but have not been able to successfully eradicate the
>infection. Also Ferret, VirusRx, and virus detective are not able to
>identify this virus. The virus also shows up as a code segment ID 255
>or 256 which is 712 bytes long as previously noted. What is the best
>way to eradicate this "thing"? Is this new strain of any potential
>danger to documents saved on a different disk or will it just cause
>memory problems when the infected machine is used?
The INIT 29 virus is not a strain of nVIR. It is much more dangerous.
INIT 29 is far more infective than any Mac virus yet known. It gets
into *EVERYTHING*. Documents, font (suitcase) files, printer drivers,
the Desk Top file (the real one!); just about everything except (for
some reason) MacPaint files.
When an infected program is run on a clean system, the INIT gets
installed into the System file. When an infected program is merely
COPIED TO A DISK, the Desk Top file gets infected.
Next boot, it infects every file with a resource fork that gets opened
during the work session. *Inserting* a disk into an infected system
will infect its Desk Top file, unless it is locked. If it is locked,
you will get the "Disk needs minor repairs" dialog. DON'T FALL FOR IT!
This is caused by the I/O error caused by the virus being unable to
infect the Desk Top file. Unlocking the disk and reinserting it will
get you.
It patches itself into applications, adding a new CODE segment with an
ID 1 larger than the highest-numbered CODE resource. Bytes 9, 10, 11,
and 12 of CODE 0 are patched to point to the virus; these bytes are
moved to bytes 16, 17, 18 and 19 of the virus. For some reason,
multiple copies of the virus get copied into some applications.
The only application which can clean up infected *documents* (not
applications) is VirusDetective(tm) 2.0. It is already configured to
do so. Use its "delete infection" option to erase the INIT 29
resource. Applications should be replaced from clean copies. You might
try using the patch information noted above for irreplaceable
applications.
This is a very, very nasty virus. BE CAREFUL! GateKeeper should
probably be able to stop it; I don't think Vaccine is totally
resistant to it.
Virus Detective 1.2 does not dependably remove the infection: it does
not deal properly with locked resources, whereas the virus DOES. It
may tell you that it has deleted the infection, when it has done no
such thing.
--- Joe M.
------------------------------
Date: Thu, 26 Jan 89 13:12 EST
From: Roman Olynyk - Information Services <CC011054@WVNVMS.BITNET>
Subject: Virus Prevention Guidelines
Computer World (Jan. 9) had a article which referenced virus prevention
guidelines:
"Del Jones, managing director of the National LAN Laboratory in
Reston, VA., has issued a set of guidelines on virus prevention
and control endorsed by about 70 manufacturers."
A subsequent reference to another CW article didn't discuss these
guidelines.
Can anyone help me get a handle on these guidelines or where I might
actually find them?
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253