home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.97
< prev
next >
Wrap
Text File
|
1995-01-03
|
15KB
|
340 lines
VIRUS-L Digest Monday, 24 Apr 1989 Volume 2 : Issue 97
Today's Topics:
Worms and Trojan Horse talk at NETCON.
Request for guest speakers.
Re: McAfee's SENTRY a-v software (PC)
Congress catches the computer virus bug...
Using Checkfunctions For Virus Detection (General Interest)
BALL VIRUS (PC)
---------------------------------------------------------------------------
Date: Fri, 21 Apr 89 18:52 EDT
From: John McMahon - NASA GSFC ADFTO - <FASTEDDY@DFTBIT.BITNET>
Subject: Worms and Trojan Horse talk at NETCON.
Conference Announcement:
NETCON 1989 - A meeting of BITNET users in Baltimore, Maryland
during Memorial Day weekend will feature the following speakers
during the Saturday technical sessions:
David Bolen - Speaking on the XYZZY utility
Valdis Kletnieks - Speaking on RELAY Version 2
John McMahon - Speaking on Worms, Trojan Horses and
Computer Networking.
For further information contact Reba Taylor at REBAT@VTVM1.BITNET
and Joe Ogulin at P12I1798@JHUVM.BITNET
I figured that was a good way to plug my upcoming talk at NETCON 1989.
For those of you who are curious, "Worms, Trojan Horses and Computer
Networking" will be an hour (or so) long talk where I will be doing a
novice level review of three networking "events".
The CHRISTMAS EXEC Trojan Horse (and similar) on BITNET,
The Father Christmas Worm on SPAN/HEPNET,
and (of course) the Morris Internet Worm.
I plan to point out during my talk that BITNET is beginning to coexist
with other networks (e.g. JNET over SPAN & HEPNET, BITNET2 over
NSFnet) and that an "attack" on another network can affect BITNET.
Similarly, I am going to talk a bit about "the costs" that a worm
attack can incur. Costs in wasted time, personnel, network resources
and the legal costs. Obviously I want to discourage this kind of
foolishness (worms), my machine is on several networks!
If you are interested in attending, or wish to learn more about
NETCON, please contact Reba Taylor at REBAT@VTVM1 and/or Joe Ogulin at
P12I1798@JHUVM.BITNET
Any questions/suggestions/comments about my talk can be directed to me...
+------------------------------------+-----------------------------------+
|John "Fast Eddie" McMahon |Span: SDCDCL::FASTEDDY (Node 6.9) |
|Advanced Data Flow Technology Office|Arpa: FASTEDDY@DFTNIC.GSFC.NASA.GOV|
|Code 630.4 - Building 28/W255 |Bitnet: FASTEDDY@DFTBIT |
|NASA Goddard Space Flight Center |GSFCmail: JMCMAHON |
|Greenbelt, Maryland 20771 |Phone: x6-2045 |
+------------------------------------+-----------------------------------+
------------------------------
Date: Sat, 22 Apr 89 16:12 EST
From: Space, the final frontier.... <KUMMER@XAVIER.BITNET>
Subject: Request for guest speakers.
I've been recently elected secretary of the Xavier University
chapter of the ACM and I'm sending out a request for guest speakers on
the subject of viruses/worms/trojan horses for the fall semester of
this year. If anyone is interested or knows of someone that would be
interested, please contact me. My address is KUMMER@XAVIER.BITNET.
Thanks in advance,
Tom Kummer
------------------------------
Date: Sat, 22-Apr-89 13:20:56 PDT
From: portal!cup.portal.com!Gary_F_Tom@Sun.COM
Subject: Re: McAfee's SENTRY a-v software (PC)
In VIRUS-L #2.96, David Bader writes about John McAfee's SENTRY
anti-viral program, and concludes that "frankly --it is worthless." I
tried SENTRY myself before forwarding it to the VIRUS-L moderator, and
I'd like to try to address David's concerns.
David states:
> I followed the instructions on installation, and it automatically
> places itself in autoexec.bat and reboots (maybe John, you could have
> told me that you were going to modify my file, or that you would do a
> cold boot - for me, it matters.)
The SENTRY.DOC installation instructions state:
"The SENTRY installation will re-boot your system and then begin
its logging function. It will create a log file called SENTRY.LOG
and store it at the root of your boot disk. It will then install
the SENTRY check routine at the root of your boot disk and include
it as the first program in your autoexec.bat routine. SENTRY.COM
MUST REMAIN THE FIRST INSTRUCTION IN YOUR AUTOEXEC IN ORDER TO
OPERATE CORRECTLY."
In addition, the SENTRY installation program prints a message that it
is "Ready to re-boot this system," warns the hard-disk user to remove
any floppy disks, and prompts for a key-press before automatically
re-booting. I thought the instructions and the program messages were
clear enough about what would happen during installation. I was only
surprised that installation took much less time than I thought it
would, knowing that the program had to scan the entire disk directory
and examine every executable file.
> Anyway, After Sentry did a check of filesize and a random checksum
> at the beginning, middle, and end of every file on my harddisk, it
> told me nothing.
After its initial installation, there is nothing to tell. David might
have misunderstood the purpose of SENTRY. It assumes that you start
with a virus-free system environment, and attempts to detect viral
infections by warning you of changes in that environment. The
installation process does not look for pre-existing viruses, so no
messages about them are printed.
> Ok, so I run Sentry a second time just to see what happens and I get
> told my interrupt vectors have changed and I should contact someone
> because that could mean a virus. Have you ever heard about
> FASTOPEN, or FluShot Plus, or one million other programs that I give
> permission to to take over my interrupt vectors?
As emphasized in the installation instructions, SENTRY must be run as
the first program in AUTOEXEC.BAT (that is, immediately after booting
and loading CONFIG.SYS drivers) in order to work correctly. The
interrupt vectors and programs are checked against the log at that
time. If they match, then after that it doesn't matter which of those
programs you load or what interrupt vectors they use -- they should
all be free of viruses.
> ... And then, after taking a minute to scan all my files, I would
> appreciate "XXXXX file changed since last use" - NOT "3 files were
> modified". Useless, John, absolutely useless.
This comment baffles me. My experience has been that whenever SENTRY
finds a changed file, it stops, displays the filename and a message
about what has changed, and then waits for the user to press a key.
For example:
WARNING - The file C:\UTIL\LIST.COM has different time.
A VIRUS INFECTION MAY HAVE OCCURRED
PLEASE SEE THE SENTRY USER MANUAL FOR INSTRUCTIONS
PRESS ANY KEY TO CONTINUE
Only at the end of its checking does it print a summary line:
250 files checked. 1 changes detected.
Perhaps David is using an older version of SENTRY, not the one that I
sent to Ken. In any case, I hope that David's unhappy experience does
not dissuade interested parties from trying the program out for
themselves.
For me, SENTRY offers a good combination of safety (provided by early
detection of possible infections), convenience (automatic checking
whenever the machine is booted), compatibility (no interrupt vector or
memory buffer conflicts), and performance (checking is fast,
re-installation is fast, and since it is non-resident, it does not
take cpu cycles or memory away from other programs). It's true that
SENTRY does not prevent viral infections from occurring, nor does it
remove viral infections once they have occurred. As a tool for
quickly detecting new viral infections, however, I find it to be far
from "useless."
Gary Tom
garyt@cup.portal.com
sun!portal!cup.portal.com!garyt
------------------------------
Date: Sun, 23 Apr 89 14:45:08 EST
From: dmg@mwunix.mitre.org
Subject: Congress catches the computer virus bug...
I received the following message from the internal security conference
at MITRE. I thought others here might have some observations on
this...
David Gursky
Member of the Technical Staff, W-143
Special Projects Department
The MITRE Corporation
------- Forwarded Message
Forum-Transaction: [0753] in the >site>forum_dir>bb meeting
Transaction-Entered-By: LGMartin.SAISS@DOCKMASTER.ARPA
Transaction-Entered-Date: 24 Feb 89 16:42 EDT
The Senate Judiciary Committee is holding a public hearing on viruses on
Tuesday, 28 February 1989, in Room 226 of the Dirksen Senate Office
Building from 1000 to 1300. I have not heard who is going to testify,
but I assume it is preliminary to any vote on the Virus Eradication Act
of 1989. Larry.
[Ed. Meeting delays deleted...]
======================================================
Forum-Transaction: [0755] in the >site>forum_dir>bb meeting
Transaction-Entered-By: JWilliams.Grapevine@DOCKMASTER.ARPA
Transaction-Entered-Date: 28 Feb 89 10:36 EDT
I have commented on the draft of HR 55 as of 1/27/89, and it is
essentially similar in wording to Al's citation, except that I believe
it now invokes a maximum penalty of 20 years.
Be that as it may, I believe much work is needed on the wording: for
instance, it appears that to me that the Internet Worm would not have
been illegal if it had functioned as intended: a one-time surreptitions
invasion, and low-level reproduction.
=======================================================
Forum-Transaction: [0756] in the >site>forum_dir>bb meeting
Transaction-Entered-By: AArsenault.Standards@DOCKMASTER.ARPA
Transaction-Entered-Date: 1 Mar 89 08:30 EDT
Thanks, Mike, for the update. Of particular concern to me in the bill
is that it doesn't seem to do a good job of defining precisely what is
illegal. Based on the '88 text, it seems clear that if I give you a
program that I know has a bug in it, and don't tell you, I'm guilty
under this bill. (Granted, I should not have given you a program with a
known bug without telling you, but I really don't think that that was
what the bill's authors had in mind.) What's worse, I'm not sure I'm
safe from prosecution if I give you a text editor/word processing
package that works properly!
(Why do I say that? Because every text editor/word processor I know of
has commands that can cause "damage" - by deleting things! Thus, the
case comes down to a question of whether or not I "told" you about the
damage that can be done by using the delete commands. I've seen a lot
of documentation that did NOT have big red warning signs all over the
place, warning people about what can happen. And then, of course, since
DOS has a command that will let me format my hard disk, and that's not
well documented at all, maybe we can start going after people big time.
A felony for shoddy documentation!)
(Of course, one can defend against prosecution by claiming that the text
editor /word processor/operating system did in fact contain
documentation describin
what could happen if the user wasn't careful. But then, so could the
writer of a "real virus". After all, if one ran the executable file
through a debugger before execution, one would see the ASCII strings
identifying the file as a virus, and warning that executing it would be
hazardous to one's health.)
Al
NOTE: THE ABOVE OPINIONS ARE MINE. MINE AND NOBODY ELSE'S. UNDER NO
CIRCUMSTANCES SHOULD THEY BE INTERPRETED AS REPRESENTING ANYBODY ELSE -
OR ANY ORGANIZATION, WHETHER I WORK FOR IT OR NOT!! ON TOP OF THAT, I
AIN'T NO LIARYER, JUST A PLAIN AND HUMBLE LAYMAN WHAT SPEAKS UP OUT OF
TURN ON OCCASION.
[Ed. More meeting delays...]
------- End of Forwarded Message
------------------------------
Date: Sun, 23 Apr 89 16:53:37 EST
From: dmg@mwunix.mitre.org
Subject: Using Checkfunctions For Virus Detection (General Interest)
I've been going through the Virus-L archives doing some background for
my work on viruses here at MITRE. I'm up to late June of last year,
when there was a strong debate about the merits of using a
checkfunction to detect the presence of viruses in applications. To
remind everyone, the consensus at that time was that using a
checkfunction in such a manner would only be effective against the
simplest of viruses, that an advanced virus would be resiliant against
detection in such a manner.
I believe it is possible to use a checkfunction in a constructive
manner to detect even the most advanced computer viruses, and it
involves a technique called a "cryptographic checkfunction".
In a normal checkfunction, your have an arbitrarily long string x
(which is really an application) that you apply to function [f(x)]
that results in the value for your checkfunction value. A
cryptographic checkfunction adds an addition function [lets call it
q(x)] that encrypts an arbitraily long string. Instead of making the
result of f(x) being the checkfunction value, the result of f(q(x)) is
the checkfunction value. Any foreign data (z) inserted into x would
not only have to take into account how the checkfunction [f(x)]
operates, but how the encryption algorithm [q(x)] operates. This task
can be made even more difficult by choosing a key for q(x) that is
dependent upon x itself.
[In other words, suppose your have the string X1 X2 X3 X4. You apply
this string to q(x) and the result is Y1 Y2 Y3 Y4. Now suppose you
have a virus string Z1 Z2 that inserts itself into X1... so you now
have (for instance) X1 X2 X3 Z1 Z2 X4. The result of applying this to
q(x) would be something like Y1 Y2 Y3 A1 A2 A3, instead of Y1 Y2 Y3 A1
A2 Y4.]
A problem with this is key-dependent encryption algorithms are not
exactly speed demons, but the new generation of microprocessors may
have the horse- power for them to be used effectively. Comments
anyone?
David Gursky
Member of the Technical Staff, W-143
Special Projects Department
The MITRE Corporation
------------------------------
Date: Mon, 24 Apr 89 14:23:12 TST
From: Koyun@TRBOUN
Subject: BALL VIRUS (PC)
HI!
I HAVE AN IBM PC-XT COMPATIBLE. LAST DAY WHEN I LOOKED FOR A
PROGRAM I SEE THAT ONE OF MY PROGRAM WAS DESTROYED.THERE WAS A BAD
CULSTER ON IT. WHEN I TRY TO VERIFY HARDDISK SUDDENLY A BALL OCCURED
AND BEGAN TO HIT BORDERS AND LETTERS,AND WHEN I TRY TO VERIFY IT
OCCURS AGAIN.
IF SOMEBODY KNOW ANYTHING ABOUT THIS VIRUS OR HAVE AN INJECT,PLEASE
SEND ME .
MY ADRESS IS KOYUN@TRBOUN.BITNET
THANKS.....
TAN KOYUNOGLU
BOSPHORUS UNIVERSITY
------------------------------
End of VIRUS-L Digest
Downloaded From P-80 International Information Systems 304-744-2253