VIRUS-L Digest Monday, 8 Jan 1990 Volume 3 : Issue 6
Today's Topics:
re: comment by William Hugh Murray
Re: Spafford's Theorems
Gatekeeper Privileges (MAC)
Questioning ethics at computing sites
The Amstrad virus (PC)
Re: Where to Get Mac Anti-Virals
Jerusalem B problem (PC)
Re: Authentication/Signature/Checksum Algorithms
Re: Virus Trends (and FAXes on PCs)
Alternative Virus Protection (Mac)
Murray's Theorems (Was Re: Spafford's Theorems)
Implied Loader 'Pack' Virus (Mac)
Re: Virus Trends (and FAXes on PCs)
Re: Viruses Rhyme And Reason
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, document, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@SEI.CMU.EDU.
- Ken van Wyk
---------------------------------------------------------------------------
Date: Thu, 04 Jan 90 23:01:00 -0500
From: "Gerry Santoro - CAC/PSU 814-863-4356" <GMS@PSUVM.PSU.EDU>
Subject: re: comment by William Hugh Murray
In V3 N1 of Virus-L Digest, William Hugh Murray wrote:
>2. The press speculation about the DATACRIME virus was much more
>damaging than the virus.
For the sake of academic argument I would dispute this. I agree that the
actual damage from Datacrime (or Oct 13 or whatever) was minimal, and
virtually nonexistent on our campuses, and I would also agree that there
was mucho media hype. However, I really think that there was a major
benefit to all of this.
As Mr. Murray correctly pointed out, many more users damage their own
data than are damaged by 'nasty' software. The Oct 13 scare made our users,
who number in the tens of thousands, FINALLY listen to our pleadings
to make backup copies of their software and data.
The situation is similar to that with seat belts. Few of us are actually
in an accident, but if we see one (or the effects) it may cause us to wear
the belts, which *may* save our lives. In the case of the Oct 12 virus
we had one grand chance to get people to listen to our message regarding
making backups and preparing for the chance of disaster, whether by
accident, ignorance, hardware failure or 'nasty' software.
gerry santoro, ph.d. -- center for academic computing
penn state university -- gms@psuvm.psu.edu -- gms@psuvm.bitnet
standard disclaimer --> "I yam what I yam"
------------------------------
Date: Fri, 05 Jan 90 04:46:06 +0000
From: soup@penrij.LS.COM (John Campbell)
Subject: Re: Spafford's Theorems
WHMurray@DOCKMASTER.ARPA writes:
> 1. The amount of damage to data and availability done by viruses to date
> has been less than users do to themselves by error every day.
OK, OK. True enough, though we don't often like to be reminded of
this.
> 4. Viruses and rumors of viruses have the potential to destroy society's
> already fragile trust in our ability to get computers to do that which
> we intend while avoiding unintended adverse consequences.
This is the most worrying aspect of virus/trojan/worm infections.
We have a population which has no intrinsic immune system which
leaves itself open to such attack. Vectors now consist of
communications networks (BBS and other means) as well as physical
media. Since we are moving towards a networked future we will
need immune systems in our computers. Society (all of us) is
currently subject to these terrorist acts (like the tylenol
scare). Remember- any linchpin/choke point in technology, be
it transportation, food delivery, water supply, communications
is subject to interruption by killers. Set some of these loose
in a Hospital and the virus writer is _at least_ as dangerous
as the individual who slips cyanide into food and drug products.
> 5. We learn from the biological analogy that viruses are self-limiting.
We also learn that when the population is large enough for the
entity to take advantage of, an entity will attempt to take
hold. Once we had standard PC's (and Macs, Amigas, etc) we
then had a "fixed" cellular mechanism to subvert. S-100 systems
which lacked such standardization were not subject; even the
"standard" S-100 systems did not constitute a large enough
population to invite attack...
> Clinically, if you catch a cold, you will either get over it, or you
> will die. Epidemiologically, a virus in a limited population
> will either make its hosts immune, or destroy the population. Even in
> open population, a virus must have a long incubation period and slow
> replication in order to be successful (that is, replicate and spread).
Point taken. A virus, since it _does_ act in the system as
non-invasively as possible (beyond spreading its "genetic code"
wherever possible) will be fairly successful. Subtlety pays
off. Of course, these viruses, much like HIV, will eventually
kill the host...
--
John R. Campbell ...!uunet!lgnp1!penrij!soup (soup@penrij.LS.COM)
"In /dev/null no one can hear you scream"
------------------------------
Date: Fri, 05 Jan 90 07:57:45 -0500
From: V2002A@TEMPLEVM.BITNET
Subject: Gatekeeper Privileges (MAC)
Hi,
Before I install Gatekeeper, I was wondering if anyone knows
the set of privileges required by the TextPac and PublishPac software.
We are using a Dest page scanner in our public access lab. The device
is configured SCSI in order to talk to the MAC II so I think I'm correct
in assuming that in order to scan text and pictures the software will
need to do all sorts of low level stuff.
Anyone else out there with Gatekeeper and a Dest scanner installed?
Andy Wing
Senior Analyst
Temple University School of Medicine
------------------------------
Date: Fri, 05 Jan 90 09:28:30 -0500
From: Jeff_Spitulnik@um.cc.umich.edu
Subject: Questioning ethics at computing sites
I write this commentary on ethical issues concerning the dissemination
of information about the existence of viruses and how to get rid of
them as both an employee of the University of Michigan and as a
concerned member of the UM community. The following scenario
describes the events leading up to my questioning the ethicality of
the procedures (or more appropriately, the lack of procedures) here.
Finally, I ask for comments and suggestions (e.g. how informing the
public is done at your institution) with hopes that the UM policy
makers are listening.
I recently joined the ranks of the many computer experts employed at
the University of Michigan. About 1 month after I started working
here, I became familiar enough with downloading Mac files from a
public file to notice that there was a new version of Disinfectant. I
downloaded it and noticed the report of the WDEF virus. I checked my
personal disks as well as the school owned disks in my public lab ---
all were infected with the WDEF virus. I sent an e-mail message to
the online_help people (most of which are student "consultants"),
asking them what was to be done. It was apparent from the response,
that the virus had been here such a short time (a few days?) that no
one was doing anything yet. I expected a public announcement of some
sort informing users that they may be infected and that they run the
risk of being infected when they use the UM public facilities. No
announcement was made. Furthermore, as a specialist employed to
preside over a public computing facility (most of the computers are
Macs), I expected to be both informed that there was a new virus as
well as instructed what to do about it. I heard nothing. Two weeks
after the WDEF virus hit UM, most users were still not aware of it. I
sent an e-mail message to my most immediate contact in the Information
Technology Division expressing my concerns. "Shouldn't the public be
informed," I asked. I expected a response from him and hoped that he
would forward the message on to the appropriate policy makers if he
was not in the position to deal with it himself. I have not received
a response to my message nor have I heard any public mention of the
WDEF virus. Users continue to infect the disks in my lab and be
infected by the disks in my lab and, as far as I know, other public
facilities at the University of Michigan. The virus persists here.
What should be done to rid UM of the WDEF virus or of any virus for
that matter? How does the bureaucracy at your institution handle it?
I question the ethicality of a laissez-faire attitude on viruses at
any institution.
Jeff Spitulnik
------------------------------
Date: Fri, 05 Jan 90 12:13:27 +0000
From: frisk@rhi.hi.is (Fridrik Skulason)
Subject: The Amstrad virus (PC)
I mentioned the Amstrad virus in a recent posting, saying that "..it
has nothing to do with Amstrad computers...". It now appears that it
does.
The original (unmodified) version of the virus contains an
advertisement for Amstrad computers. This text was replaced by a
short message to John McAfee, when the virus was first uploaded to
HomeBase. The name appearing in my original note about the virus is
therefore not the name of the author, but instead the name of a
respected professor in Portugal.
-frisk
------------------------------
Date: 04 Jan 90 19:04:45 +0000
From: briang@bari.Corp.Sun.COM (Brian Gordon)
Subject: Re: Where to Get Mac Anti-Virals
XRJDM@SCFVM.BITNET (Joe McMahon) writes:
>Hi, Mike.
>
>We've set up an automatic distribution service here at Goddard. You
>can sign up by sending mail containing the following text to
>listserv@scfvm.gsfc.nasa.gov:
> [...]
Assuming this is available to those of us on usenet, not just bitnet, can you
post a path to "scfvm.gsfc.nasa.gov"? It doesn't appear to be findable from
my maps. Thanks.
[Ed. I believe that ...!uunet!scfvm.gsfc.nasa.gov would do the trick.]
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Brian G. Gordon briang@Corp.Sun.COM (if you trust exotic mailers) |
| ...!sun!briangordon (if you route it yourself) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
------------------------------
Date: Fri, 05 Jan 90 18:24:23 +0000
From: 861087a@aucs.UUCP (Andreas Pikoulas)
Subject: Jerusalem B problem (PC)
Can someone tell me how do I get rid of the Jerusalem B virus
without getting rid of the infected program too?
I remember someone told me that i have to edit some specific sectors of the
disk in order to deactivate the virus.
Thanks in advance
A n d r e a s
Andreas Pikoulas| UUCP :{uunet|watmath|utai|garfield}!cs.dal.ca!aucs!861087a
TOWER 410 | E-MAIL : 861087a@AcadiaU.CA
WOLFVILLE-NS | Phone(voice) : (902) 542-5623
CANADA B0P 1X0 | ------- IF YOU CAN'T CONVINCE THEM, CONFUSE THEM. --------
------------------------------
Date: 05 Jan 90 17:26:20 +0000
From: well!rsa@lll-crg.llnl.gov (RSA Data Security)
Subject: Re: Authentication/Signature/Checksum Algorithms
In response to Y. Radai's post:
To protect against viruses, the best protection can be obtained by
using a fast hashing algorithm together with an asymmetric
cryptosystem (like RSA). This is also by far the most cost-effective
(based on compute-time) approach.
A good "message digest" should be a one-way function: it should be
impossible to invert the digest and it should be computationally
infeasible to find two useful messages producing the same digest in
any reasonable amount of time. The algorithm must read every bit of
the message. Therefore, the best one is the fastest one deemed to be
secure. This should not be left to individual users to develop as
Jueneman and Coppersmith, among others, have shown that this is not
a trivial undertaking. Let's use Snefru and MD2 (Internet RFC 1113)
as examples of good ones.
The digest attached to a program or message should then be encrypted
with the private half of a public-key pair. What is the
computational cost of enhancing this process with public-key?
Since RSA can be securely used with small public-key exponents such
as 3 (see Internet RFC's 1113-1115 and/or CCITT X.509) a small number
of multiplies is required to perform a public-key operation such as
*signature verification*, where one decrypts an encrypted digest with
the public key of the sender (and then compares it to a freshly
computed digest). Therefore, the "added" computational cost of using
RSA on an AT-type machine is approximately 80 milliseconds (raising a
512-bit number to 3 mod a 512 bit number) REGARDLESS of the size of
the file being verified (the digest is fixed, and less than 512 bits,
requiring one block exponentiation). Of course the 80 ms gets
smaller on faster machines like Suns. I think anyone would agree
that that is a fair tradeoff for signer identity verification. Since
one "signs" files only once, this "cost" is irrelevant. The cost of
verifying, over and over, is what is important.
So what do you get for your milliseconds? You always know the source
of the digest (and you get non-repudiation, providing an incentive to
signers to make sure programs are clean before signing them). No one
can change a program and recalculate the digest to spoof you. If
schemes like this became widespread, the lack of signer
identification would be a hole people would quickly exploit. You
also get a secure way to *distribute* software over networks. Pretty
hard to do if everyone "does their own thing". The Internet RFC's,
if widely adopted, provide a perfect mechanism for this.
Regardless of the hashing algorithm employed, there are powerful
benefits available if RSA is used with it. And the computational
cost is negligible.
It may be true that simpler methods are adequate for some people.
That determination requires a risk analysis, and people will make
their own decisions. It has been shown, however, that if a system
can be defeated, it will be. Certainly secure software distribution
requires something more than an unprotected hash, since keys will
presumably not be shared. This is where public-key has the most
value.
Using X9.9 is OK if (1) you trust DES, (2) can live with its speed,
and (3) don't need to distribute trusted software in a large network.
X9.9 key management becomes a serious problem in a network like the
Internet. It does have the advantage of being a standard, but it was
developed for a relatively small community of wholesale banks, not
large networks. Note about standards: RSA was named as a supported
algorithm in the NIST/OSI Implementor's Workshop Agreements (for
strong authentication, in the Directory SIG) of December 1989.
Jim Bidzos
RSA Data Security, Inc.
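A runnable sketch of the hash-then-sign scheme Bidzos describes (added here as an example; it is not RSA Data Security's code): textbook RSA with public exponent 3 applied to a fixed-size digest, so that verification is a single modular cube no matter how large the file is. Toy 192-bit primes are generated inline and SHA-256 stands in for the MD2/Snefru he names; every function name is my own.

```python
import hashlib
import random
from math import gcd

E = 3  # small public exponent, as the post recommends (RFC 1113 / X.509 permit e = 3)

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test (adequate for a toy key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    """Random prime p with gcd(p - 1, E) == 1, so the private exponent exists."""
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # full-size and odd
        if _is_probable_prime(p) and gcd(p - 1, E) == 1:
            return p

def generate_keypair(bits: int = 192):
    """Return ((n, e), (n, d)). Two 192-bit primes give a 384-bit n, larger than the
    256-bit digest; the post assumes 512-bit moduli, this is a toy size for speed."""
    p, q = _random_prime(bits), _random_prime(bits)
    while q == p:
        q = _random_prime(bits)
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse of E (Python 3.8+)
    return (n, E), (n, d)

def digest_of(data: bytes) -> int:
    """Fixed-size digest of the whole file. SHA-256 stands in for the MD2/Snefru the
    post names; unpadded for illustration, real systems pad the digest (PKCS #1)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private_key, data: bytes) -> int:
    """Done once by the publisher: encrypt the digest with the private exponent d."""
    n, d = private_key
    return pow(digest_of(data), d, n)

def verify(public_key, data: bytes, signature: int) -> bool:
    """Done by every recipient: one cube mod n recovers the signed digest, which is
    compared with a fresh digest. The RSA step costs the same whatever the file size."""
    n, e = public_key
    return pow(signature, e, n) == digest_of(data)

def demo() -> bool:
    """Constructed sample: a signed 'program', then a tampered copy of it."""
    public_key, private_key = generate_keypair()
    program = b"constructed sample program image\n" * 2000
    signature = sign(private_key, program)
    genuine_ok = verify(public_key, program, signature)
    # An attacker can recompute the digest of a modified file, but without d cannot
    # produce a value that cubes to the new digest, so verification fails.
    tampered = program.replace(b"sample", b"TROJAN", 1)
    tampered_ok = verify(public_key, tampered, signature)
    return genuine_ok and not tampered_ok
```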
------------------------------
Date: 05 Jan 90 20:07:02 +0000
From: kelly@uts.amdahl.com (Kelly Goen)
Subject: Re: Virus Trends (and FAXes on PCs)
ras@rayssdb.ssd.ray.com (Ralph A. Shaw) writes:
>Nagle@cup.portal.com says:
>
>> - A FAX message is a bitstream interpreted by an interpreter at
>> the receiving end. Could it be induced to do something interesting
>> through the use of illegal bit patterns? Group III is probably too
>> simple to be attacked, but group IV? Imagine a message which
>> causes a FAX machine to send an extra copy of transmitted documents
>> to another location.
>
>Something that has come to the attention of security paranoids here
>lately is that some manufacturers of PC FAX boards have added a
>feature that allows the FAX modem to be used as a bisync modem to
>communicate with the PC directly, rather than transmitting just FAXes.
>
>I assume the PC would have to be running some software to enable it
>and reassign the console (requiring local intervention), but a
>networked PC could then prove to be a leak onto the corporate network,
>(or at least, for handy distribution of the Trojan-of-the-month program).
>Added to this is the promise that at least one FAXboard vendor
>promises that both async and bisync modem capability will be available
>in the future.
I would have clipped more of this but this is a complex subject that merited
serious consideration unlike the infamous modem virus scare of 1988....
actually while a receiving process has to be available on the machine to
be infected(i.e. either the legitimate file transfer program
or a masquerading process
using this as a means to load further extensions of itself)...the important
point to remember here is that g-3 and g-4 fax formats are, from what some of the
techs have told me on alt.fax, internally modified dialects of HDLC
so in this case it is possible that a sufficiently sophisticated infectious
process could use this as a pipeline to load further updates to code...
(i.e. new ways to defeat anti-viral nostrums) I will post ISBN numbers
on the protocol definitions when they finally arrive...as to whether this is
a probable scenario... who knows
cheers
kelly
p.s. As I don't want to cause anyone unnecessary worry let me remind all
once again that a receiving process HAS to be on the receiving machine
if it is not the legitimate File XFER program then it is illegitimate
in any case....the point that I am trying to clarify that while
an infectious process could use this as a conduit to an ALREADY EXISTING
infected host... unless there is a way to force execution of the received
code then your virus will lay dormant(i.e.nonexecutable) because of some
fax type file extension on msdos...typically something like .FAX .PIC .PCX
etc....get the picture??? on *nix type systems the problems faced
by the theoretical COMPUTER/FAX-MODEM infectious process are simpler in some
ways but require even more cooperation from receiving processes...
------------------------------
Date: Fri, 05 Jan 90 17:12:07 -0500
From: "Chris Khoury (Sari's Son)" <3XMQGAA@CMUVM.BITNET>
Subject: Alternative Virus Protection (Mac)
Is there any alternative virus protection, detection init/cdev
besides vaccine and gatekeeper? I need to save space on my disk, so
gatekeeper is too large, but vaccine does not protect my disk from
the other viruses besides Scores and nVir. Any suggestions? I would
prefer that the program is shareware/PD.
Chris Khoury
Acknowledge-To: <3XMQGAA@CMUVM>
------------------------------
Date: 03 Jan 90 22:59:29 +0000
From: ewiles@netxdev.DHL.COM (Edwin Wiles)
Subject: Murray's Theorems (Was Re: Spafford's Theorems)
WHMurray@DOCKMASTER.ARPA writes:
>
>1. The amount of damage to data and availability done by viruses to date
>has been less than users do to themselves by error every day.
Granted. However, self-inflicted damage is generally recognized much sooner,
and is often much easier to repair. Perhaps more time consuming, but easier
because the user generally needs no special tools that he does not already have.
>6. The current vector for viruses is floppy disks and diskettes, not
>programs. That is to say, it is the media, rather than the programs,
>that are moving and being shared.
This is not entirely so. There have already been cases where programs were
used as Trojan Horses to initiate viral infections. Thus, the floppy is not
the only vector.
True, a floppy is most often used to pass the program, but that will not always
be the case. Already, services like Compu$serve are used for exchange of
programs. Fortunately, the sysops (at least of the amiga groups) test uploaded
software before allowing general access to it. However, such testing cannot be
perfect.
Consider a viral vector designed not to infect anything at all until a certain
date is reached, then the virus is 'quiet' until yet another date has passed.
If the vector is passed only in binary form, the chances of discovering the
virus before the vector has widely spread is quite small. Especially if the
date that the vector starts infecting is more than 30 days in the future.
Binary only distributions are quite common, especially with the advent of
shareware. The catch is, the designer must make the item sufficiently
useful/interesting to get the user to download it, and then to keep using it
until the infection start date has passed. If he is able to do that, it is
highly likely that the designer would get greater pleasure out of praise for
the initial tool! The greater danger is a designer who modifies the binary
received from some other source. Modification taking less effort than
ground-up design/code/test. This would even be preferred if you wished to
destroy the reputation of the original tool designer!
Gack! A whole new reason for paranoia!
"Who?... Me?... WHAT opinions?!?" | Edwin Wiles
Schedule: (n.) An ever changing nightmare. | NetExpress, Inc.
...!{hadron,sundc,pyrdc,uunet}!netxcom!ewiles | 1953 Gallows Rd. Suite 300
ewiles@iad-nxe.global-mis.DHL.COM | Vienna, VA 22182
------------------------------
Date: 07 Jan 90 19:46:35 +0000
From: gford%nunki.usc.edu@usc.edu (Greg Ford)
Subject: Implied Loader 'Pack' Virus (Mac)
Does anyone know what this is? Last night, while using SUM's Tune-up
option to clean up my HD, a dialog box popped up from GateKeeper Aid
saying "Gatekeeper Aid has found and removed the Implied Loader 'Pack'
virus from the PIC file on the Games Disk". (Games disk being one of
my partitions). When I clicked ok in the dialog box, the dialog
immediately reappeared with the same message. It took about 30 clicks
in the ok box for the dialog to go away (reappearing every time). On
top of all that, there is no file called PIC on my HD.
Any clues? It said it removed it, so I'm not worried, but I haven't
heard of this "virus". If one of you virus-basher guys need to check
this virus out, I can rummage through my backup (which I had just done
before) to try and find it.
Greg
*******************************************************************************
* Greg Ford GEnie: G.FORD3 *
* University of Southern California Internet: gford%nunki.usc.edu@usc.edu *
*******************************************************************************
------------------------------
Date: 07 Jan 90 03:38:01 +0000
From: woody@rpp386.cactus.org (Woodrow Baker)
Subject: Re: Virus Trends (and FAXes on PCs)
Nagle@cup.portal.com says:
> - A FAX message is a bitstream interpreted by an interpreter at
> the receiving end. Could it be induced to do something interesting
> through the use of illegal bit patterns?
Now that hard disks are available on Postscript printers, we have
another problem.. It is conceivable to embed a virus, or a trojan in a
font. If the font were encrypted, it would be mighty hard to hunt the
virus down. It could conceivably alter fonts on the hard disk, screw
up font cache images, and or plain crash the hard disk. It would,
however be difficult for it to infect other systems, unless one
retrieves a contaminated file and sends it to another laser printer.
The potential for abuse also exists in prologues. I have not seen or
heard of one yet, but now is the time to give some thought to how to
prevent them BEFORE they start getting out of hand.
Cheers
Woody
p.s. Some of the new VIDEO cyphers are viruses of a sort. They play
with the signal to screw-up VCRs. Messing with the Automatic Gain
control among other things. If some one manages to overcome them, and
make a copy of the tape, the messed up signal could sort of take on
viral properties, though they would not do any damage.
------------------------------
Date: 07 Jan 90 04:18:00 +0000
From: clear@actrix.co.nz (Charlie Lear)
Subject: Re: Viruses Rhyme And Reason
Bill.Weston@f12.n376.z1.FIDONET.ORG (Bill Weston) writes:
>I'm not sure that writing viruses will ever stop.
>
>Ross Greenberg wrote perhaps the best psychological profile of the
>"virus programmer" that I have ever read. (It's in the docs of
>FLUSHOT, you've all read it...)
>
> The virus writer likes causing damage. He thinks it's funny and makes him
>feel powerful.
> To this day, the STONED virus still infects thousands of systems all over the
>world. (Poorly written as it is..)
>
>The target of many virus writers are the millions of PC users who don't know
>much about computers. The novice user, or perhaps the user who knows how to
>run programs but does not know much about DOS, is the primary mark. A friend
>of mine was just such a person. Less than 20 days after buying his PC he was
>hit by the STONED virus. He did not know how to protect himself. Lots of
>grins for the programmer.
One day, you'll actually write something you know something about,
Bill... 8-)
The schoolkid who wrote the Stoned virus did it on a dare from an
Amiga owner who was suffering from the first effects of the SCA virus.
It was believed *impossible* by the "experts" for a PC virus to be
written, so he went ahead and wrote a simple, non-destructive bsv on a
standard XT. Having written it, the consequences of unleashing it
became a bit much to think about, so he made sure all copies were
destroyed bar one which he kept at his house.
Despite being under lock and key, his little brother and a couple of
his friends thought it would be a huge joke to steal the disk and
deliberately infect disks in a local computer store. This was fine,
but after the initial laffs it proved impossible to trace ALL infected
disks and the STONED epidemic was born.
Since then, the programmer has lived a very cloistered, paranoic life.
Huge publicity has done nothing to help his studies or his state of
mind, even though his identity has not been publicly revealed. The
last burst of publicity was later discovered to be a protection
mechanism for the guy, although front page coverage on a capital city
daily is bizarre protection.
It seems that after the "blue" side in an Australian army exercise
deliberately infected "red" side computers with the virus to gain
military advantage, certain people in certain security organisations
wished to interview the man who wrote Stoned. The press coverage
allegedly stopped a kidnap attempt in its tracks - the threat of a
full diplomatic incident was too much for the Aussies and they went
home.
Of course, I have no documentary proof of the above as anyone
connected with the writing or dissemination of a virus would be stupid
to write anything down. I believe I have just illustrated how an
"innocent" prove-it-can-be-done scenario can turn unbelievably bad.
Is it really the programmer's fault that the virus does not damage 360k
floppies or 20meg XT disks, and only becomes a danger when used on
large capacity floppies or big hard disks? He had no access to, or
knowledge of, such hardware when he wrote it...
--
Charlie "The Bear" Lear: Call The Cave BBS, 64(4)643429 157MB Online!
Snail: P.O. Box 12-175, Thorndon, Wellington, New Zealand
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253