Text File | 1993-04-05 | 64KB | 1,158 lines
▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄ ▄▄▄▄▄▄ ▄▄ ▄▄ ▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄
█▒▒█ █▒▒▒▒▒▒▒█ █▒▒█ █▒▒▒▒▒█ █▒▒█ █▒▒█ █▒▒█ █▒▒▒▒█ █▒▒▒▒▒▒█ █▒▒▒▒█
█▒▒█ ▀▀▀▀▀▀▀▀ █▒▒█ ▀▀▀▀█▒▒█ █▒▒█ █▒▒█ █▒▒█ ▀▀▀█▒▒█ ▀▀▀█▒▒█ ▀▀▀▀▀
█▒▒█ █▒▒█ ▄▄▄▄█▒▒█ █▒▒█ █▒▒█ █▒▒█ ▄▄▄█▒▒█ █▒▒█
█▒▒█ █▒▒█ █▒▒▒▒▒█ ▀▀ █▒▒█ █▒▒█ █▒▒▒▒█ █▒▒█
█▒▒█ █▒▒█ ▀▀▀▀█▒▒█ █▒▒█ █▒▒█ ▀▀▀▀▀ █▒▒█
█▒▒█ ▄▄▄▄▄▄▄▄ █▒▒█ █▒▒█ █▒▒█ █▒▒█ █▒▒█
█▒▒█ █▒▒▒▒▒▒▒█ █▒▒█ █▒▒█ █▒▒█ █▒▒█ █▒▒█
▀▀▀ ▀▀▀▀▀▀▀▀ ▀▀▀ ▀▀ ▀▀ ▀▀▀ ▀▀
NEWSLETTER NUMBER 14
****************************************************************
EDITED BY URNST KOUCH, March - April 1993
CRYPT INFOSYSTEMS BBS - 215.868.1823
INTERNET: 70743.1711@compuserve.com or CSERVE: 70743,1711
****************************************************************
TOP QUOTE: "I BM, you BM, no more BM for IBM."
--slight mutilation of
doggerel found in David
Gerrold's "When H.A.R.L.I.E.
Was One"
IN THIS ISSUE: News . . . more on "Approaching Zero" . . .
comment on Mark Ludwig's Virus-Writing Contest from Bontchev
and others . . . Virus complexity: biological v. computer . . .
RashPutin' speaks . . . TOTORO DRAGON source code . . .
fly-on-the-wall at March IEEE Security Conference in NYC . . .
The PC CARBUNCLE virus . . . FICTUAL FACT/FACTUAL FICTION . . .
miscellany.
***************************************************************
Starting on a stupid note: "The Flintstones" and "The Jetsons"
AREN'T educational programs anymore, declared a New York Times
front page story on March 4. In its usual dead serious tone,
the newspaper informed readers in 20 worthless column inches
that the FCC had come to this landmark decision. Further, it
reported that "lobbyists for the broadcasting industry were
[not] pleased, however."
The reason we mention it is that the typical Crypt Newsletter
reader despises this type of information, which social critic
Paul Fussell terms "BAD." "BAD" is that sub-intelligent
quality defined by any society, in this case America, that
requires a large, doltish bureaucracy to tell it "facts" that
even the average house pet knows. The Crypt Newsletter is all
about exposing "BAD."
In another equally "BAD" NY Times computer piece the same month,
reporter John Markoff [co-author of "Cyberpunk"] wasted almost
a full page talking to jet-setting pals about the technical
shortcomings of the Apple Powerbook laptop computer.
"You're flying across the country," one of Markoff's confidants
moans, "and you inevitably find your Powerbook goes dead
somewhere over Ohio." Bummer.
Power users, adds the confidant, cluster near the toilet because
that's where power outlets are on airplanes.
"I won't do real work on the batteries," chirped "Artificial Life"
author Steven Levy. This from a man who once wrote in a
piece of "real work," "A rock would certainly be low on any
continuum of aliveness."
Markoff wrapped up the article with a finely crafted mixed
metaphor, which we assume is considered skillful prose at
the Times. "To Apple's credit, it takes . . . complaints
seriously and whittles away at the list of nits with each
new model."
CHINESE NOMENKLATURA PIRATE PIRACY STUDY: Not to be outdone
by the Americans in this week's "BAD" sweepstakes, the
Chinese have finally perfected plagiarism and theft of
intellectual property as a national sport.
The Reuters wire service said in March that the Beijing People's
Court fined two government-employed editors and the China
Procuratorial Publishing Company for word-for-word theft of the work
of researcher Zheng Chengsi on copyright piracy.
The Guangming Daily said the editors lifted whole
sections of the studies Zheng wrote for the Chinese Academy of
Social Sciences on software protection and intellectual property.
Reuters added, "Chinese authorities, eager to gain re-entry to
the General Agreement on Tariffs and Trade, have promised to uphold
copyright and trademark protection."
No truth to the rumor that the Chinese Software Engineering
Institute has adopted "Copy that floppy!" as its new motto.
------------------------------------------------------------------
FOLLOW-UP COMMENT ON MARK LUDWIG'S FIRST INTERNATIONAL VIRUS-
WRITING CONTEST [Originally published in entirety in Computer
underground Digest 5.21]
-------------------------------------------------------------------
From: bontchev@INFORMATIK.UNI-HAMBURG.DE(Vesselin Bontchev)
Subject: comments on proposed virus writing contest (Bontchev)
Mark Ludwig's virus writing contest is yet another attempt to incite
the creation of computer viruses that hides behind seemingly
legitimate reasons. Just like his book and newsletter, which hide
behind the right of US citizens to freedom of expression, the
"legitimate" reasons of the contest fall apart if you look carefully
at them.
Let's consider some questions which naturally arise when reading a
proposal like that.
What are the values/dangers of such contests?
In the beginning of the proposal, the author boasts that he needs the
virus for the second volume of his book, which will discuss "the
scientific applications of computer viruses, and their use in
artificial life research". However, the contest is actually for
writing the shortest possible non-overwriting MS-DOS COM file
infector. What does this have in common with artificial life? What are
the scientific applications of such a silly (but small) virus? And
what does all this have to do with "research" in general? Actually, it
is nothing more than a contest to hack the smallest program that
performs given actions - nothing more. In fact, the author even
addresses the potential participants of the contest as "hackers", not
as researchers or scientists. And indeed, the goal of the contest has
nothing to do with scientific research.
The result of this contest is easily predictable. A few hundred
kids will write hundreds of smart, not so smart, and completely buggy
viruses. One of them will win the $100 prize. The others will have to
decide what to do with the viruses at their disposal that have not
won the contest. In all probability, they will upload them to the
nearest virus exchange BBS, where other irresponsible people will be
able to download and spread them further. "K00l dudez, I've got one of
the participants in Mark Ludwig's contest for you"...
The winner of the contest will have his name, or more probably, his
handle, mentioned in the book, which will stimulate his ego and incite
hundreds of others to imitate him and to create more viruses.
Of course, all those viruses will end up in the hands of the
anti-virus researchers, who will have to update their scanners to be
able to recognize them, just in case some of them accidentally
"escapes". And, since most of those researchers don't work for free,
the users of their anti-virus programs will have to pay for yet
another update.
Who wins from all that? Mr. Mark Ludwig sells a new volume of his book,
a few irresponsible kids get their ego teased, a few anti-virus
researchers spend a few nights to disassemble silly viruses, and all
of you have to pay - pay for updates of your scanners, pay for the
data and time lost in an outbreak of a silly and buggy virus, and so
on. Indeed, what a service Mr. Mark Ludwig does for society!
In fact, the outcome of the first volume of his book already proves
that the above reasoning is correct. There are already at least 7
different variants of the silly Timid virus, published in the book...
How do we distinguish between "benign" and "malevolent" virus writers?
Some people like to speak about the possibility of developing "benign"
and even "beneficial" viruses and about how much this kind of research
will make our life easier. In fact, all that began with Dr. Fred Cohen
and his papers on the subject. Dr. Cohen means something very
particular, something that most people will never call a virus.
Unfortunately, in his papers he tends to use formulae, instead of
easily understandable language, so it is no wonder that many people
are misunderstanding him.
I cannot decide whether Mr. Mark Ludwig has indeed misunderstood Dr.
Cohen's ideas, or if he intentionally misuses the general
misunderstanding of the subject, in order to disguise his virus
writing contest as something legitimate. However, the fact is that what
he proposes has nothing to do with Dr. Cohen's ideas for beneficial
viruses, will have absolutely no positive value, and will raise yet
another wave of stupid viruses written across the world.
Actually, there is no such thing as "benign" or even "non-destructive"
virus, as Mr. Mark Ludwig seems to understand it. The virus that is
proposed in his contest will infect real, executable programs. The
author of the virus has absolutely no way to know how his virus will
behave in some situations. In fact, it may turn out to be even highly
destructive in some of these situations.
Just an example. One of the first versions of Microsoft Word (1.0, I
think) used to checksum itself, and, if the checksum didn't match,
displayed a message on the screen (something like "The tree of evil
has bitter fruits; crime does not pay") and trashed the current disk.
Obviously, if it becomes infected with the virus described in the
contest, this destructive code will trigger - with sad consequences.
Several other self-checking programs will not react that violently,
but will simply refuse to run when infected. Thus, the virus will be
guilty of denial of service - maybe lost time, money, business...
Even worse, the virus author is not able to predict the future, so he
has no way to know how his virus will behave in situations that simply
don't exist yet. Maybe it will turn out to be highly destructive -
recall what the "benign" Stoned virus does with high-capacity floppies
that were simply not available at the time it was
written...
Is there any educational value in those contests?
Mr. Mark Ludwig claims to write his book for educational reasons. But
what does he actually teach his readers? How to write viruses? Even if
we leave alone the doubtful value of this knowledge, there are already
a few books and many more electronic articles, circulating in the
underground, that teach exactly that.
Maybe he wants to teach his readers to write good assembly language
programs? But his first book, at least, does not discuss the good
programming practices at all, and in fact contains many samples of
sloppy and clumsy code.
So, maybe he wants to teach his readers about the top technology
employed by viruses to bypass the different security systems? Even
this is not true - he does not address such modern concepts as
armouring, polymorphism, slow viruses, fast infectors, multi-partite
viruses, or even fully stealth file infectors... For instance, nowhere
in the book is there a discussion of the different kinds of attacks
that can be employed by viral programs to circumvent discretionary
access controls, integrity-based systems, and so on. All we see is a
bunch of silly MS-DOS viruses that barely work.
This raises yet another question - are the virus writers able to teach
the security specialists something that the latter don't know
already? Many virus writers sincerely believe that; for instance Mark
Washburn has written his V2Px series of viruses, in order to "prove"
that scanning is unreliable virus defense.
However, it turns out that in all cases the security specialists have been
aware of the problems for a long time. Even the concept of a
computer virus and the difficulties connected with its detection and
prevention were first invented by a security specialist - Dr.
Fred Cohen, not by John Random Virus Writer... In all cases when the
virus writers have come up with something new and original, the
security specialists have thought about it for a long time, but have
been ethical enough to only discuss it in closed circles, instead of
implementing it and releasing it to damage other people's data...
At last, one could ask the question whether Mr. Ludwig's contest is
legal. In the text he boasts it as an "international" contest.
However, this demonstrates an amazing ignorance of the local law in
some countries. Participating in the contest and writing viruses for it
may be illegal in some countries, as the recent arrests of the ARCV
virus writing group in the UK have proven. Freedom of expression is a
wonderful right, but Mr. Ludwig should be aware that the US
constitution does not apply to the whole Universe and thus, some
things allowed by it might be illegal in some other countries.
Therefore, anybody who decides to participate in Mr. Ludwig's contest is
strongly advised to consult a local lawyer. Of course, it would be
much better to ponder a bit how unethical the whole thing is and to
refuse to participate in the contest at all...
But maybe Mr. Ludwig is not that ignorant, after all. The text of the
contest encourages the participants to use handles and other forms of
anonymity. Maybe this is because Mr. Ludwig understands that those
people might be held legally responsible in some countries for such
activities? In this case, his contest is nothing more than an
incitement to commit a crime (in those countries where virus writing
is considered illegal). I wonder whether some of them have
extradition treaties with the USA...
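Bontchev's point above, that a file infector trips a program's own integrity check and that the safe reaction is to refuse to run rather than retaliate against the disk, as an added Python example that is not part of the newsletter or of any program it mentions; the header layout, marker string and field names are constructed for illustration.

```python
import hashlib

# Constructed image layout (not any real executable format): an 8-byte
# marker, a 32-byte SHA-256 slot, then the program body.
MARKER = b"SELFCHK\x00"
DIGEST_OFF = len(MARKER)           # 8
DIGEST_LEN = 32
HDR_LEN = DIGEST_OFF + DIGEST_LEN  # 40


def _image_digest(image: bytes) -> bytes:
    """SHA-256 over the whole image with the digest slot zeroed.

    Zeroing the slot lets the stored value cover everything else,
    header and every body byte included, without feeding back into
    its own computation.
    """
    zeroed = image[:DIGEST_OFF] + b"\x00" * DIGEST_LEN + image[HDR_LEN:]
    return hashlib.sha256(zeroed).digest()


def seal(body: bytes) -> bytes:
    """Build an image and fill in its digest slot (done once at build time)."""
    image = MARKER + b"\x00" * DIGEST_LEN + body
    return image[:DIGEST_OFF] + _image_digest(image) + image[HDR_LEN:]


def self_check(image: bytes) -> str:
    """What a program does at startup with its own on-disk bytes.

    Returns "run" when the image is intact, otherwise a "refuse: ..."
    reason. Refusing and reporting is the whole reaction: the check
    cannot tell a virus from a corrupt download, a legitimate patch or
    a bad sector, so it must never act destructively on a mismatch.
    """
    if len(image) < HDR_LEN or image[:DIGEST_OFF] != MARKER:
        return "refuse: header missing or truncated"
    if _image_digest(image) != image[DIGEST_OFF:HDR_LEN]:
        return "refuse: image modified since it was sealed"
    return "run"


def demo() -> dict:
    """Run the check against an intact image and three constructed
    modifications of it, returning the verdict for each case."""
    body = b"constructed program body: " + bytes(range(64))
    good = seal(body)
    cases = {
        "intact": good,
        # Extra bytes on the end, the shape of a non-overwriting infector.
        "appended": good + b"\x90" * 16,
        # One body byte changed in place, e.g. a patched entry point.
        "patched": good[:HDR_LEN] + b"\xe9" + good[HDR_LEN + 1:],
        # File cut short, e.g. an interrupted copy.
        "truncated": good[:HDR_LEN - 1],
    }
    return {name: self_check(img) for name, img in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} -> {verdict}")
```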
------------------------------
From: Urnst_Kouch <70743.1711@COMPUSERVE.COM>
Subject: virus-writing contest
What is the danger of Mark Ludwig's international
virus-writing contest?
Well, according to contest rules, the winning virus code is destined
for publication in the second installment of "The Little Black Book"
series.
"Oh, terrible, terrible!," wail anti-virus software developers
throughout the land.
"More virus code in the hands of anyone who wants it!
These miscreants and electronic sociopaths are
already making computing untrustworthy enough!"
Bunk. Publishing any or all of the code collected in Mark Ludwig's
contest won't make any difference. Why? Because there already exists
more well-commented virus source code in general circulation than any
one person has time to analyze. Taxpayers can download it by the
megabyte from the Bureau of the Public Debt's bulletin board system 24
hours-a-day, no strings attached. Or if you feel the need to be more
"elyte," more "politically correct," it can be had from the favorite
whipping boy of the anti-virus community - shhshhh - your friendly,
neighborhood virus exchange sysop.
Beating on Mark Ludwig for his virus-writing contest, then, strikes me
as stupid. It's hypocritical, too, because as some involved in virus
research know, a great many of the working samples of viruses found on
virus exchange BBS's come attached to "sacrificial goat" files bearing
the trademark of a number of anti-virus vendors. You can find
extremely detailed virus disassemblies on virus exchanges, too. Not so
surprisingly, some of these are composed by the same anti-virus
researchers who whine in electronic publications like Virus-L Digest
about the unrestricted flow of viruses and their source code.
So if the virus-writing contest is dangerous because it subverts the
control of "sensitive" information, the anti-virus community lost that
battle a while ago, soundly beaten by a large number from its own
rank.
Next, do security specialists have something to learn from virus
programmers or sponsors of virus-writing contests? Yes, indeed.
For example, about a year ago I wrote a couple of stories on the
Michelangelo phenomenon for a daily newspaper. In the course of my
research I tried to dig up a few books to recommend to sophisticated
readers.
Mark Ludwig's "Little Black Book" was the only one I could find that
wasn't either horribly wooden or written for someone with the
attention span of a very small child. I endorsed it in the pages of a
daily newspaper. The sky did not fall. The region's computers weren't
besieged by a horde of Ludwig viruses.
In addition, a number of computer security workers within different
arms of the U.S. government already consult virus programmers on
various security problems. When I asked one of them why, he replied
that he didn't want to be backed into relying on the anti-virus
community for advice, advice he saw as too self-serving.
That leaves the question of how to distinguish between "benign" and
"malevolent" virus programmers.
Hmmmmm. That's a tough one, because the picture's more complex than
that. Unless you buy the idea that virus programmers either write
disk-corruptors set to go off with a bang on weird holidays or make
them for courses like Patrick Toulme's "Virus 101," you're stuck
coming up with an answer.
You might decide to go with the popular stereotypes of young men with
too much pent up hostility or unemployed programmers from politically
and economically uncool locales like Russia, Bulgaria and China. But
that dog won't hunt if you think of Fred Cohen.
Or you can try to describe them as "groups" like NuKe, TridenT or
Phalcon/SKISM. And THAT leaves out a great many loners who collect
viruses like stamps and occasionally need to come up with a fresh one
as barter for that new, rare "tunnelling, polymorphic full stealth"
beauty from Outer Slobovia.
These guys could care less whether any virus they have gets into the
wild. In fact, they probably would like to see less of that - keeps
the collection more unique, more "valuable," you see.
Clearly none of these are an answer. So try asking a better question.
------------------------------
From: kim clancy <71011.2056@COMPUSERVE.COM>
Subject: Comments on the Virus Writing Contest
Comments on the first international virus writing contest
by Kim Clancy
My comments on the 1st International Virus Writing Contest are that I
don't care about the first international virus writing contest. I
don't care if someone sits in the privacy of their home and develops a
computer program to destroy every type of computer on the face of the
earth. I don't care if they post them as public information on
bbses, magazines, or print them in books for profit. I don't care! I
believe it is everyone's constitutional right to be able to write any
type of computer code they want, discuss it with others, share the
code and document the process. I believe that to remove this right
from individuals is removing their freedom and individual rights.
On the other hand, I do care about someone intentionally destroying
the property of others. I do care about harm done to others and I do
care about someone planting viruses for that purpose. But, this
contest is not called the "1st International See How Much You Can
Destroy by Planting a Virus Contest." I just don't care (did you pick
up on that yet?)
I know there are hundreds of viruses available. I have many of them
myself, most of them sent to me from anti-virus researchers (that is
another story in itself though.) All the harm that could be done by
viruses could more than likely be done with existing code. Running a
contest asking for better code doesn't appear to offer a significant
threat. At the same time, I can't see any need for such a contest and
fail to understand what good it could produce. Nonetheless,
individuals should have the right to participate in this contest.
By the way, while this may be the 1st International Virus Writing
Contest, I think (although haven't confirmed) that Fred Cohen told me
(on the one and only occasion I talked to him) that he had held a
virus writing contest and offered $1000. He received no entries.
-----------------------------------------------------------------
IN THE READING ROOM: MORE ON "APPROACHING ZERO" (Mungo & Clough,
Random House)
-----------------------------------------------------------------
". . . if the Dark Avenger hadn't existed, it would have been
in [Vesko Bontchev's] interest to have invented him."
-- from "Approaching Zero"
After a year in Europe, "Approaching Zero," a fairy tale
of cybercrime and virus-programming shenanigans, is finally on
bookshelves in a mall near you, courtesy of Random House.
Unfortunately, I've already trotted out the book's only good
quote.
The rest of "Approaching Zero" is sodden garbage wrapped in whiz-bang
entertainment writer-style prose. [Now THAT would make a great
dust cover blurb.]
For example, Clough and Mungo blurt out the claim that 12 million
of the world's 90 million PCs will be infected by viruses in
the next two years. Do they have any support for this? Nope,
you just take their word for it, buddy.
These claims seem the work of seasoned hypocrites, indeed,
when one considers the authors spend a lot of time in
"Approaching Zero" whacking other anti-virus researchers over the
head for making similarly unsubstantiated calls.
But "The universality of the PC culture is reflected by the
provenance of viruses," squawks Hollywood Reporter Paul Mungo at one
point! We forgive our readers for asking, "What the Hell does
that mean?" How would they know it was written so the authors
would be assured an evening on the now-cancelled Dennis Miller Show?
Anyway, by the end of this flatulent book, Mungo and Clough have
even tried to rope in the Doomsday Clock featured on every cover
of The Bulletin of Atomic Scientists. Seventeen minutes away from
atomic disaster is the symbolism of the clock; in like manner
entertainment writer Mungo tries to draw the comparison
toward the PC equivalent of nuclear holocaust in the guise
of the computer virus, never mind the Bulletin has nothing to
do with computer viruses and its clock has been
moving AWAY from Gotterdammerung since Ronald Reagan left office.
"Approaching Zero's" final paragraph warns balefully of the
Russian LoveChild virus, presumably poised to turn your hard
drive into radioactive cinders. Mungo and Clough don't
include that it's a stupidly buggy virus which hangs
on any PC not using DOS 3.30. [And as obvious on a 3.30
OS as this issue's simple PC Carbuncle.] These are purely
minor points, of course.
--------------------------------------------------------------
EDITORIAL SPOTLIGHT: RASHPUTIN SPEAKS ON THE TRAPS AND
PITFALLS OF CODE REGULATION
______________________________________________________________
Since becoming interested in viruses about three years ago, I have
tried to keep up with advances in virus development, anti-virus
software, and attitudes among various groups interested in viruses.
Since the summer of 1992, there seems to have been an increase in
the number of proposals to outlaw the writing of virus code.
While there have been such proposals in the past, the types of
individuals willing to legally define the creation of virus code
as forbidden fruit appear to have expanded.
Initial proposals were almost invariably made by frightened users
who had just read their anti-virus software documentation, a column
in the popular PC press, or had seen Ted Koppel and several other
talking heads discussing Michelangelo. Of late, these three groups
have been joined by quite a few members of the academic community.
It is the growing presence of such academic advocates that disturbs me.
It is quite natural for users, even so-called power users, to be
upset at the prospect of uninvited and potentially destructive
software mysteriously appearing on their system. Most of these
folks were only introduced to microcomputers after such machines
were very stable and running quite refined applications. To them,
software is a tool to be mastered in pursuit of some other goal.
They are blissfully unaware that even some of the current
'winners' in the software field have grown out of early versions
which were buggy and fragile to the point of being dangerous.
Anti-Virus software vendors are, naturally, willing to overstate the
need for their product, and the risk of doing without it. That
some vendors are even misrepresenting the utility of their product
to the point of outright fraud is nothing new, either. Mini and
mainframe vendors have established a long tradition of such
overzealous sales tactics for both software and hardware.
Columnists, also naturally, are prone to focus an article or headline
on the portion of a subject that is most likely to grab the reader's
attention. To expect popular PC columnists to be consistently well
informed on their subject matter is a bit unreasonable in a society
that does not even expect their news media to be well informed on
issues of national consequence.
Over all, I understand the first three types of individuals who have
been associated with the idea of outlawing virus writing. I cannot,
on the other hand, understand the growing number of academics who
agree with or promote this idea.
Before reviewing what seem to me to be the most worrisome aspects of
these proposals to outlaw virus writing, let me be clear about where
I stand on several specifics.
I do not support the installation of an executable virus on a system
to which the "installer" does not have legal, legitimate access. Nor
do I support the distribution of an executable virus in such a manner
that conceals the presence of the virus to permit the virus to execute
as part of another legitimate executable. Read that carefully.
If a user knowingly installs software containing a virus on a system
to which he has legal and legitimate access, and that virus upon
execution causes damage, then any resulting damage is either an
incidental and acceptable consequence of the user having been
granted access, or it is the result of the user's negligence.
Either way, it is a problem internal to the organization. If
a user obtains an illegitimate copy of a program then the
installation and execution of that program is in and of itself an
illegal act. Consequently, any damage that program
causes, whether through the execution of application code or attached
virus code, is primarily the result of the user's illegal software piracy.
Again, we have a problem within a specific organization.
I have seen many descriptions of the 'virus crisis' used to justify
outlawing the writing of virus code. Most are logically similar to the
following: 'Viruses and their wide distribution threaten the
inter-connection of systems, which is the next major step in
computer system usage and functionality. Unless we can halt this
menace, we will be threatening the integrity and acceptance of such
networks.'
Well, scary indeed. But I can recall when IBM was using almost
identical language to impress upon its clients and potential clients
how the future of software development was being threatened by having
a multiplicity of programming languages in common use
(their solution revolved around getting the entire world to program
in their new language, PL-1, on fine IBM hardware). In my experience,
Mr. Average User's system is most likely to become infected from a
pirated copy of a major software package, not from a Shareware program
downloaded from the local BBS as is commonly assumed. Consider, too,
how much easier it is to tell the boss that there is a virus outbreak
than it is to tell him how well "wild card" file deletion works,
and how little can be recovered after the disk de-fragger has been run.
Things aren't nearly as frightening when human nature is considered
along with the latest reports of virus outbreaks. On top of it all,
I have yet to see anyone talking about collecting the serial numbers
or other registration information for all applications on any system
which appears to have become infected. Maybe the existence of virus code
is called the 'Virus Crisis' because so many people are in a state
of near panic over the possibility of having to start paying for
their software rather than just trading with someone down the hall.
In any event, remedies which seek to control the writing of virus
code rather than the actions which spread live virus executables,
are basically expressions of the theory that users have the
right to be irresponsible. If software vendors distribute programs
containing viruses, then the remedy is to hold software vendors
liable in such instances. If users are installing pirated software
on systems to which they have access, then those users are already
guilty of an illegal act and should be liable for the consequences
of their actions.
While I can personally see the utility of self-replicating autonomous
code similar to a virus, I am willing to believe that many of these
academics have decided that such code is completely useless. Personally,
I believe there is a real need to study such code, especially when one
considers what system management will be like in a world where vast
networks are common. The ideas embodied at this point within virus and
worm code could provide the basis for tools to patch, revise, or
upgrade software distributed across multiple computers on such a net.
A vendor might, for instance, have something of a cross between a
virus and a worm wandering the nets and looking for copies of
specific applications that are in need of the modifications it is
capable of carrying out. Whether this and other thoughts of mine
regarding the utility of virus-like code are silly or sublime, to
outlaw the writing of such code has some serious implications.
Implications that should be apparent to those who are a part of the
academic community. In theory, those in the academic community
are more dedicated to the pursuit of knowledge than most other folks.
Certainly they should be more sensitive to restrictions on various
forms of inquiry than is the average computer user.
I have been rather regularly following several electronic magazines and
conferences where the proper legal definition of a virus is discussed.
These discussions center on finding an extremely clear definition of
a virus so that 'good' legislation can be written. What is notable
to me, but to my knowledge, of little concern in such discussions, is
that the English language is being used to define a very specific type
of software. I am impressed with this because there is a long,
well-documented history of disappointment with the English language
as a software specification language. There is, indeed, an entire
industry built around providing languages, methods, and tools which
supplement or replace English in order to clearly define software.
Furthermore, most of the participants in these conferences seem to
be unaware of the fact that lawyers will probably regard the
definition of a virus as the primary part of any regulation only
until there is sufficient precedent and case law upon which to build.
No matter how well constructed one feels such a definition is, there
will be a great deal of ambiguity in any such virus control
legislation unless specific code constructs are included within the
definition. With specific code constructs as a part of the definition,
however, we could well end up with the law being applied in a manner
that would include a great deal of non-virus software. Software that
contains bugs, software that is not sufficiently described or
documented for the user, and software that is capable of being
altered by the user (i.e., macro languages, etc.) could all fall
within the law's domain.
Even if no code constructs are included in such a definition, we will
most likely see major legal battles fought over all kinds of implied
meanings in the law and the definition. Given the man years of
effort and millions of dollars spent to determine whether Apple's
largely stolen 'Look and Feel' were infringed upon by Microsoft,
I can't see how any legislation that defines the writing of specific
types of software as illegal can fail to become a gold mine of
harassment suits and publicity stunts.
The same forums that are frequently used to debate just how to achieve
virus control through legislation are rife with rumor and paranoia
regarding the government's involvement in the issue of encrypted
communication. Here we have people who are arguing for the outlawing
of virus writing and in their next breath arguing for the premise that the
government should not be able to regulate the quality and availability
of encryption software. This is seen as a way to guarantee that
the rights of private and free speech are ensured, regardless of
the medium one chooses. To hold such an opinion regarding free speech,
yet fail to see the outlawing of virus writing as in no way connected
to it, is extremely narrow minded.
Most threats to our freedom originate with the government endeavoring
to protect us from some popularly perceived threat to the 'public.'
For years, the Soviet Union as nasty enemy provided the basis for
legislation aimed at preventing the bad guys from being able to read
our mail, and to ensure that we could read theirs with as little
effort as possible. That era apparently over, how will the
government justify its continued interest in reading its citizens'
mail? What better than a major threat to the millions of honest,
hardworking, PC users who could have their systems shut down by
some virus? Will the nation's competitiveness go down the
porcelain punch bowl if we allow virus code to be written and
distributed? To my knowledge, the obvious weakness of a given piece
of logic has never kept the government from taking action based on
that logic. However lame 'virus control' efforts may seem as a
reason to regulate the quality and availability of encryption software,
I feel sure that the effort to connect the two will be made if there
is any legislation that outlaws the writing of virus code.
Yes, I can just hear the old excuses rising once more in Senate
hearings: 'Unless we're able to decrypt network packets, how can we
do the types of spot checks or monitoring of known virus groups
required to ensure that virus code is not being written and even
distributed under our very noses? Without that ability, Senator,
we cannot enforce the virus writing ban that the Congress has enacted.'
The last but most frightening aspect of the desire to outlaw virus
writing is the small matter of freedom of speech itself. While most
participants who advocate banning of virus writing would permit
'legitimate' virus research to continue, there appears to be a
consensus that only academics and anti-virus software vendors are
legitimate researchers. While I have yet to see a discussion of
how a person outside these two groups could become classified as
a legitimate researcher, I have seen discussions regarding
which sub-groups within the academic community should be permitted
to write new virus code as opposed to only studying the code from
existing viruses. Geeez. The "Elite Academic Virus Writer's Chapel"
hasn't even been built yet, and some folks are already trying to
define the hierarchy of the priesthood.
And I don't see how writing code that can be turned into a potentially
damaging executable by passing it through a compiler or handing it
to an interpreter is all that different from any other written material.
Jesse Jackson and David Koresh read the same Bible, after all, but
interpret it quite differently. Given that a faulty compiler or
interpreter can obviously execute the 'code' contained within the
Bible in some nasty ways, why shouldn't the printing of Bibles be
prohibited right along with virus code? If we are going to start
altering constitutional freedom of speech guarantees, why not freedom
of religion guarantees as well?
It appears that the existing laws were sufficient to prosecute and
convict the author of the Internet worm. It also appears that more
than a few folks felt that existing laws were sufficient to unjustly
prosecute Steve Jackson Games. If there had been a few more
absurdities available to throw into the Steve Jackson Games case, we
might well have seen a much different result. Even with Steve Jackson
off the hook for now, there will be further attempts to define
existing laws in a way that provides for more governmental control of
our electronic meeting halls.
Well, that covers those aspects of the anti-virus movement that I
personally find most troubling. There are other issues, but they aren't
nearly as open-ended as the few I've covered. Don't let the issue of
outlawing the writing of virus code just slide past you. While I doubt
that such legislation being on the books would convince any virus writers
I know to just hang up their coding spurs and join the local 4H club,
I do think that such a law could well become the basis for other
actions that could eliminate or restrict major portions of the
electronic realm in which we meet.
---- RashPutin'
-== Rashputin has been involved in programming and systems development
since 1975, working on a wide variety of systems for clients who
have ranged from the Defense Department to Willie's Video Stop.
Since 1983 he has been an independent consultant specializing in
distributed database development. Recently retired, he now spends
most of his time helping others find alternatives to traditional
gang-banging development methods.==-
------------------------------------------------------------------
IN THE READING ROOM II: FRED DAVIS'S "THE WINDOWS 3.1 BIBLE"
[$28.00, PeachPit Press] OR, "WHAT THOSE HYPERBOLIC DUST COVER BLURBS
REALLY MEAN"
__________________________________________________________________
Fred Davis's "Windows 3.1 Bible" is one of the typical 1,000+
page computer manuals (book is a term that doesn't really
apply, a book is something I read for enjoyment) which
currently stuff up the shelves of mall shops everywhere. They
are, in essence, "books" for people who are stupid enough
to believe it's easier to absorb a 1000+ page $30 manual than
the 250+ page manual already included with their software
packages.
Nevertheless, like horseflies at the outdoor swimming pool, manuals
by Fred and his ilk must be dealt with by everyone. So in the
spirit of public service, the Crypt Newsletter has decided to give
you a tutorial on how to interpret the blurbs and cues
on Fred's book jacket so that YOU can make a good consumer
choice.
Here we go:
When lollipop business and technology journalist Gina Smith
of the San Francisco Chronicle says,
"Fred Davis tells it like it is," she really means, "If
you're looking for a book that tells you what all those
cryptic Windows 3.1 error messages REALLY mean, this one ain't
it either.
"But I want to write a computer book, too, someday and Fred's
a big deal, y'know."
When Ziff-DAVIS Labs employee Andrew Eisner writes "Fred Davis is
a visionary and all-around computer wizard," he really means,
"Look where I work! Do you expect me to tell the truth about Fred
and foul my own nest?"
When Fred's dad writes this blurb on his son's book, "While Fred
was growing up, I was an IBM bigwig and his mom was an English
teacher. Fred was actually raised from birth to write about
computers," HE REALLY MEANS,
"Yeah, I think having your Pop write a recommendation for you
is really Mickey Mouse, too. But what the hey, I'm from
IBM and quite comfortable with all kinds of quasi-fraudulent
marketing gimmicks."
And when this book tells you on its spine that it "Includes
a coupon for FREE book and FREE disk," IT REALLY MEANS,
"Remit $6.00 cash money for your FREE goods or go to Hell."
------------------------------------------------------------------
VIRUS COMPLEXITY: IS THAT COMPUTER THINGIE A RIVAL TO THE
BIOLOGICAL REAL THANG?
------------------------------------------------------------------
In "Artificial Life," the hated Steven Levy maintains that one of
the simplest natural viruses has less complexity than the Brain
virus. From that he builds the idea the computer viruses are
close to being alive.
The Crypt Newsletter has always believed this is crap, the kind of
nonsense which anyone can come up with if they massage numbers
for too long.
If we start with the Brain virus and assume its length is approximately
three thousand bytes, you can make the case that each byte contains
8 bits of information. Using this argument the Brain virus, at most,
contains 24,000 pieces of information.
The trick at this point, if you're going to compare computer viruses
with biological ones, is to make a yardstick which will relate
that figure to some corresponding value of a biological virus.
If we take a typical human virus like influenza we can get a value
of 200,000 for an approximate number of nucleotides which make up
the viral core, its genome, its control center. Each nucleotide
consists of one sugar molecule, one phosphate molecule and one of
the four "bases" - guanine, cytosine, adenine, thymine - which
almost everyone has heard bandied about on programs like "Beyond
2000!" Each of these molecules consists of varying numbers of
carbon, hydrogen, nitrogen, oxygen and phosphorus atoms.
If we count all the atoms, we're left with a partial aggregate
molecular weight for the virus which includes only its core,
not its protein shell composed of structural materials and enzymes
which give the virus a great deal of its activity. As a naked
strand of DNA, the virus contains all the information it needs
to create a copy of itself. However, by itself the genetic material
of the influenza virus is not particularly viable. This is where
it differs a great deal from a computer virus. Computer viruses
are - for the sake of our discussion - naked strings of instructions
and that's it.
So before you're completely lost let's cripple our discussion slightly
for simplicity's sake and consider only the nucleotide length of
a biological virus. We can estimate that each three nucleotides
are responsible for one amino acid - the basic building blocks of the
proteins which give the biological virus activity and structure.
Dividing 200,000 by three, we come up with a maximum amino acid
count of approximately 70,000. If we compare the Brain computer
virus's bit count to this number, the influenza virus is 3 times
more complex, but on the same order of magnitude.
If we consider one of the most complex computer viruses, The Whale,
it has a bit count of between 56,000 and 80,000. For our use, equivalent
to the 70,000 for influenza. But there's something amiss here.
The Whale is barely functional and can usually be coaxed into
replicating only once or twice before crashing the host machine.
By contrast, the influenza virus is a model of efficiency - The
Whale is not even worth comparison. If you believe in God, it's
clear he does a better job. In addition, the influenza virus
could be said to be in an almost constant state of self-mutation
and evolution, requiring a new vaccine every year. Neither The
Whale nor Brain is analogous. One anti-virus scanner cures all,
until some dupe decides to mutilate the original code.
While this argument makes for interesting comparisons, it's by
no means complete. It is difficult to relate the complexity of
a biological virus to a PC virus simply because the information
in it is not defined 100% by a string of naked instructions.
The chemical complexity of nucleotides is not comparable to
the complexity of instructions like "mov ax, offset file_name".
It is, obviously, much greater.
As a last comment to keep you scratching your head, consider
the biological character known as the "viroid." The "viroid"
is a mere fragment of genetic material which can replicate
in a host cell. An average viroid is about 300 nucleotides
long, or contains about 100 bits of information by our above
model. The OW overwriting virus, by our arguments, has about
240 bits - a bit <heh-heh, couldn't resist> more than the
typical viroid. Viroids aren't considered even close to being
alive by many microbiologists, but rather examples of
very active replicating molecules.
-= Urnst Kouch received his Ph.D. for analysis of proteins
and mechanisms of pathogenicity in microorganisms.=-
------------------------------------------------------------------
IN THIS ISSUE: THE PC CARBUNCLE VIRUS
__________________________________________________________________
Included in this issue is the source code for the PC Carbuncle.
The PC Carbuncle is a hybrid spawning/overwriting "toy" virus.
Placed in any directory, the PC Carbuncle will search out all
.EXE files and rename them with .CRP [for Crypt] extents. The
virus will also copy itself into the directory as a hidden file
and create "companion" batchfiles for all the renamed hosts.
The "companion" batchfiles contain commands to run the PC
Carbuncle, switch the renamed host file back to its
original state, execute the host, rename the host back to its .CRP
extent and execute the Carbuncle once again.
If the user is employing a nice graphical interface, the host
files will be seamlessly executed by the Carbuncle's fabricated
batchfiles. All the host files can be renamed back to their
original .EXE extents and the batchfiles deleted.
However, there is a catch to this plan.
Randomly, the PC Carbuncle will copy itself to 3-6 of its
host .CRP files, destroying them. If the user discovers the
new batchfiles and hidden virus, CARBUNCL.COM, deletes
them and renames the hosts back to their original state, the
PC Carbuncle can re-infect the whole directory if any of the
hosts were infected by the virus in its overwriting stage.
Since the virus's overwriting stage destroys the host, it limits
this action to a few files in the directory, leaving the
remainder of the programs undisturbed.
The basic code of the PC Carbuncle is open to plenty of futile
tinkering. The number of host files overwritten can
be easily changed as well as the frequency with which the virus
toggles into its overwriting mode. The virus can also be edited
to include just about any message in its batchfile by simply
editing the second data area containing "CARBUNCL" to something
like "ECHO Your dumb message comes here". [N.b.: If you do this,
recognize that the PC Carbuncle is called a second time to clean-up,
i.e., to ensure all .EXE files in the current directory are always
renamed as .CRP files. If altered, it reduces the PC Carbuncle's
efficiency slightly. Plus a "gotcha" message is even more a dead
giveaway than the arrival of 20 or so new .BAT files in an
overcrowded directory.]
The PC Carbuncle is not currently scanned. And data integrity
checksummers which do not notice the disappearance or renaming of
files in a directory are useless, a failing more common than
most think. And since the virus ONLY overwrites programs renamed
in a fashion not currently recognized by anti-virus software,
these radical changes to executable code, while obvious to an
educated user, are invisible to many brain-dead program
designs.
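To make the checksummer point concrete, here is an added example (not code from the newsletter or from the Carbuncle's author) of a directory integrity check that does notice the rename-and-companion pattern described above: a baseline snapshot of file names and hashes is compared against a later one, and renamed hosts, overwritten host bodies, companion batch files and new executables are reported. All file names and contents in the demo are constructed, and the DOS hidden attribute is not examined.

```python
"""Integrity check for the rename/companion pattern: .EXE hosts that vanish
while STEM.CRP and STEM.BAT appear, .CRP bodies that no longer match the
original host, and executables that were not in the baseline at all.
Added example; not the newsletter's code."""
import hashlib
import os
import tempfile


def snapshot(directory):
    """Map each file name (upper-cased, as DOS stores it) to (size, sha256)."""
    snap = {}
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                data = fh.read()
            snap[name.upper()] = (len(data), hashlib.sha256(data).hexdigest())
    return snap


def companion_findings(baseline, current):
    """Compare two snapshots; return sorted (kind, filename) findings."""
    findings = []
    for name, fingerprint in baseline.items():
        stem, ext = os.path.splitext(name)
        if ext != ".EXE" or name in current:
            continue  # host still present under its own name: nothing to flag
        crp = stem + ".CRP"
        if crp not in current:
            continue  # plain deletion, not the rename pattern
        findings.append(("renamed_host", name))
        if current[crp] != fingerprint:
            findings.append(("overwritten_host", crp))  # body no longer the host
        bat = stem + ".BAT"
        if bat in current and bat not in baseline:
            findings.append(("companion_batch", bat))
    for name in current:
        if name not in baseline and os.path.splitext(name)[1] in (".COM", ".EXE"):
            findings.append(("new_executable", name))
    return sorted(findings)


def demo():
    """Constructed directory: take a baseline, replay the file pattern, check."""
    with tempfile.TemporaryDirectory() as d:
        def put(name, data):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        put("GAME.EXE", b"MZ-game-body")
        put("EDIT.EXE", b"MZ-editor-body")
        put("README.TXT", b"docs")
        before = snapshot(d)
        # Constructed replay of the pattern using renames only (no virus code).
        os.rename(os.path.join(d, "GAME.EXE"), os.path.join(d, "GAME.CRP"))
        os.rename(os.path.join(d, "EDIT.EXE"), os.path.join(d, "EDIT.CRP"))
        put("EDIT.CRP", b"different-body")  # overwritten host: the destructive case
        put("GAME.BAT", b"@echo off\r\nrem constructed companion stub\r\n")
        put("EDIT.BAT", b"@echo off\r\nrem constructed companion stub\r\n")
        put("CARBUNCL.COM", b"constructed placeholder, not a program")
        after = snapshot(d)
        return companion_findings(before, after)


if __name__ == "__main__":
    for kind, name in demo():
        print(f"{kind:17s} {name}")
```

A checker that only hashes files it already knows about would see nothing here, which is exactly the failing the paragraph above describes.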
Nevertheless, since it is such a primitive companion virus, it
is hard to imagine the Carbuncle spreading off of one machine.
To someone used to the DOS command line, the virus is immediately
noticeable, if momentarily puzzling. On a machine employing a
graphical interface, however, the virus could be missed. Since the
PC Carbuncle does not alter all of its hosts, it might
*theoretically* operate beneath a pretty menu for some time
after an initial vigorous round of infection. Or at least until
the virus overwrites a .CRP file that's regularly used. [What, you
don't think so? I've seen many instances of users thoroughly
confused by the appearance and disappearance of bloated temporary
and swap files on many machines.]
Of course, if the Carbuncle overwrites a .CRP file larger than
65k, even if the file is renamed back to its .EXE extent, DOS
won't run it. In addition, PC Carbuncle infected machines will
occasionally generate "bad parameter" error messages. [This is
due to random bits of electronic garbage which DOS infrequently
puts in the PC Carbuncle's batchfiles as they are being written.
The extra data does not corrupt the behavior of the virus, but
does result in random, meaningless error messages.]
The PC Carbuncle contains no hazardous code other than the
idiot savant routine which causes it to overwrite "infected"
.CRP files.
The Crypt Newsletter is indebted to alert reader Nikademus for his
contributions to the code of the PC Carbuncle.
-------------------------------------------------------------------
FICTUAL FACT/FACTUAL FICTION: WAMPETER, FOMA AND GRANFALLOONS
___________________________________________________________________
The Crypt Newsletter Fly-On-The-Wall reports that the March
IEEE Security Conference in New York City was a grand flop.
Plagued with a small turnout of about 150 security experts,
the conference came up with little more excitement than the
ejection of Virex developer Ross Greenberg for being "too
commercial," whatever that means. [Informed sources say this
translates as, "seen reaching into your trousers for a business
card."]
Panda Systems' Pam Kane was also removed by security personnel,
perhaps for wearing a red dress.
"Joe Smith" of Phalcon/SKISM was not removed.
---*---
Another virus construction tool cropped up in Southern California
in the last month. Alert reader Lookout Man snagged a copy and
reported that the documentation promised production of polymorphic
and full stealth viruses. Grand claims, indeed, when one considers
the toolkit came with an "extraction utility" which was merely a
renamed version of PKZip. The toolkit archive itself was password
protected.
To get the password, the user was asked to call either of two
phone numbers, or contact a POB drop in Industry, CA. One of
the phone numbers was disconnected, the other answered by someone
claiming mistaken identity.
----*----
The next Virus and Security Conference in Varna, Bulgaria, will
feature a guided-tour of the Bulgarian Virus Fabrik, or Bulgarian
virus factory as it has come to be called in the western news
media. The tour, conducted by Vesselin Bontchev, will include
a bus ride to Betguano, the location of the factory, halfway
between Varna and Sofia. After viewing the facility, sequestered
in a renovated chapel, Mr. Bontchev and virus factory manager
DaV invite guests to a complimentary happy hour where quantities
of local champagne and Ripple will be mixed in a rare Bulgarian
cocktail called Champipple.
----*-----
Crypt Newsletter editor Urnst Kouch will be featured in an 18-page
interview in the April issue of Gray Areas magazine. Gray Areas
is an emerging publication which deals with controversial
issues and personalities in 1990s America. The magazine can be
found at WaldenBooks, Barnes & Noble, Bookstar and many alternative
music stores nationwide.
---*----
McAfee Associates Inc. has wasted little time in voicing
its opinion of Microsoft Corp.'s new MS-DOS 6.0 Anti-Virus.
Junk it is, they imply, and it will not be a substitute for
their firm's own virus-fighting programs.
In a press release from Santa Clara, Calif., the company said, "Based on
initial responses from its customers, which include 66 of the
Fortune 100 companies, McAfee concluded that the virus protection
found in MS-DOS 6.0 is not a solution for corporate virus
protection."
John McAfee continued by saying the new set of utilities in
DOS 6.0 fail to deliver features or benefits comparable to those of
independent utilities. "In particular, Microsoft will
have a difficult time matching the level of technical expertise and
customer service for anti-virus software that is currently offered
by McAfee Associates."
Unlike Microsoft, "Users have direct access to the company," said
the statement, "through its customer support department, online
services which provide 24-hour electronic support, and through a network of
independent authorized agents around the world."
". . . Central Point Software, the company that provided the virus
protection software for DOS 6.0, has a 61-percent virus detection
rate for the most recent version of its anti-virus product, according
to an independent certification [ED. - reference VSUM] done
in March 1993 against 1,956 viruses. This compares to a 96-percent
detection rate for McAfee's virus protection software, according to
the same certification."
Now all this sounds like sour grapes but alert Crypt Newsletter
readers already know the McAfee criticisms are valid. Central Point
Anti-virus has, in the past, proven extremely vulnerable to a
variety of standard virus techniques including polymorphism, spawning
infections and minor variants of common viruses like Jerusalem.
In a related matter, Microsoft Anti-virus cannot handle as simple a
virus as this issue's PC Carbuncle for reasons explained within
the newsletter section devoted to the virus.
---*---
SOLOMON'S ANTI-VIRUS TOOLKIT GETS A FACE-LIFT: The recent version
of this anti-virus software sports a newly revamped menuing system
which modernizes the look of the Toolkit but retains all of the
features trusted by long-time users.
-------------------------------------------------------------------
THE CRYPT NEWSLETTER IS MOVING!!
At the end of April, the Crypt Newsletter will be relocating to
more spacious editorial offices in sunny Southern California.
Users of Crypt InfoSystems need not be alarmed. Upon arrival
at the new offices we will be back on-line 24hr a day at 14.4 bps.
To smooth the transition, current users of Crypt InfoSystems are
encouraged to leave e-mail for Urnst Kouch at CIS or the newsletter's
INTERNET and COMPUSERVE addresses containing a mailing point. Those
supplying addresses will receive a postcard informing them of the
Southern California phone number. The new number will also be
published on BBS's where one usually finds the newsletter. Due to the
nature of the electronic medium, we don't expect a transcontinental
jump to disrupt publishing.
Urnst Kouch can always be reached at Micro Information Systems
Services BBS in Santa Clarita, CA, ph #: 1-805-251-0564/9600 bps.
---------------------------------------------------------------------
THIS ISSUE'S THANKS AND A TIP O' THE HAT TO ALERT NEWSLETTER READERS
SANDOZ, LOOKOUT MAN, MOOSE, THE FLY-ON-THE-WALL AND CORY "I AM
PERSONAL FRIENDS WITH THE WHACKO FROM WACO" TUCKER.
____________________________________________________________________
Included in this issue of the newsletter are the following files:
CRPTLT.R14: this electronic document
CARBUNC.ASM: source code for the PC CARBUNCLE virus
TOTOSRC.ASM: source code for TOTORO DRAGON virus
CARBUNC.SCR: DEBUG scriptfile for PC CARBUNCLE
TOTO.SCR: DEBUG scriptfile for TOTORO DRAGON
To assemble files into live viruses, use your favorite assembler
on the assembly listings or use the MS-DOS program DEBUG.EXE, to
manufacture the viruses from their respective scriptfiles.
At the DOS command prompt type:
DEBUG <*.scr
where *.scr is the virus scriptfile of choice. After a few moments,
DEBUG will have assembled the live virus in the current directory.
ATTENTION: While anyone who enjoys computers can read the Crypt
Newsletter, fiddling with the viruses presumes at least a feeble
grasp of the rudiments of the PC operating system. If you view your
computer as a mysterious machine with only an on/off switch and
seemingly a mind of its own, enjoy the Crypt Newsletter but do
not execute the included viruses. To paraphrase author and
programmer Mark Ludwig, "You will be as a child playing with a
loaded gun."
Computer viruses will attach themselves to various examples of
executable code on your machine. While doing this, they will purposely
or accidentally mangle your data and the resources of your machine.
New computer viruses often add themselves irreversibly to files
on a computer, necessitating that the file be erased before unhindered
computing continues. If a user is not familiar with the basic
behavior of computer viruses, it is entirely possible and even
probable that a new computer virus will disappear into the code
of his/her machine and only be found after it has messed things up
quite thoroughly. If you value your $50 PC games, do not know how to
handle viruses and/or have only one machine on which you do all your
critical computer chores, it would be wise to read a few issues
of the Crypt Newsletter and look over the supplied code carefully
before fiddling carelessly with something even as innocuous as the
PC Carbuncle.
The Crypt Newsletter can be found at the following BBS's:
CRYPT INFOSYSTEMS 1-215-868-1823
DARK COFFIN 1-215-966-3576
MICRO INFORMATION SYSTEMS SERVICES 1-805-251-0564
THE HELL PIT 1-708-459-7267
DRAGON'S DEN 1-215-882-1415
RIPCO ][ 1-312-528-5020
AIS 1-304-420-6083
CYBERNETIC VIOLENCE 1-514-425-4540
THE BLACK AXIS/VA. INSTITUTE OF VIRUS RESEARCH 1-804-599-4152
UNPHAMILIAR TERRITORY 1-602-PRI-VATE
THE OTHER SIDE 1-512-618-0154
REALM OF THE SHADOW 1-210-783-6526
THE BIT BANK 1-215-966-3812
CAUSTIC CONTAGION 1-817-776-9564
The Crypt Newsletter staff welcomes your comments, anecdotes,
thoughtful articles and hate mail. You can contact Urnst Kouch at
CIS BBS, CSERVE#:70743,1711 or Internet: 70743.1711@compuserve.com