Text File | 1996-05-01 | 18KB | 346 lines
TEGWAR: THE EXCITING GAME WITHOUT ANY RULES -or- COMPUTER VIRUS
FUNNY BUSINESS WITH WINWORD DOCUMENTS
In the baseball movie "Bang the Drum Slowly" actor Michael Moriarty
plays a star pitcher who, in cahoots with one of his team's managers,
scams baseball groupies and assorted chumps out of their money with
a card game they call TEGWAR. TEGWAR isn't a game, it's a con in
which Moriarty and a cohort dupe people into falling for a pigeon
drop where they make up a mystifying set of rules masked by the ruse
of a legitimate card game. Of course, since no one can win a game
with no logical rules, Moriarty - or his accomplice - always pockets
the designated pigeon's betting money. When Moriarty's friend, a
dim-witted catcher played by Robert DeNiro, comes down with Hodgkin's
Disease, Moriarty finally lets him in on the excellent secret of
The Exciting Game Without Any Rules, TEGWAR.
*
"DoD is dripping in Word Concept virus . . . "
-- An excitable fellow and insider who would
rather not be named.
*
Crypt Newsletter is now going to let you in on the secret of one of the
software industry's latest versions of TEGWAR: the dilemma of the
Microsoft Winword viruses.
Taking advantage of the nature of Microsoft's Word for Windows, the
Winword viruses exploit an automatic function embedded in special
Microsoft Word documents. What this boils down to is that executable
instructions buried within documents prepared by Microsoft Word can be
written to perform the basic function of a computer virus: Make a copy of
itself and attach itself to another target. In this case, Winword
documents.
Designed to execute commands or executive routines embedded in
special documents - called .DOT files - Word has proved an excellent
culture dish in which to breed simple computer viruses. Because of
reasons which include the large installed user base of WinWord,
the way people promiscuously share documents produced by it, the
outwardly innocuous nature of the Word Concept virus (the most common
of the "macro viruses") and the lack of prompt interest in the
problem by Microsoft, the "macro virus" problem has run out of control.
A recent press release by the National Computer Security Association
stated even Microsoft has been snakebit by Winword viruses.
Predictably, this has led to a great deal of spilt blood in institutions
blind-sided by rapid distribution of the virus.
However, the idea of "macro viruses" wasn't surprising. Back in 1993
Crypt Newsletter published just such a virus for the Telix PC
communications program. [1] It infected other Telix sub-programs --
called scripts - which were simple lists of commands recorded into
files and executed on-the-fly by Telix. An example of this type of
sub-program, or script, could be one that called CompuServe and
retrieved personal electronic mail.
As it was written, the Telix script virus, named LittleMess, quickly
flashed a Stoned virus-type message on the screen, "Legalise Marijuana."
The possibility of this type of computer virus was also addressed by
examples written elsewhere in computer security circles predating
even then. However, LittleMess and others like it remained extremely
obscure curiosities. Winword viruses are anything but.
PART II: LOTSA CONSIDERATION
*
"Thank you very much, <put your name here>, for your thoughts.
This is something I've been giving a lot of consideration of
late. Sincerely, Bill."
---Bill Gates form reply to electronic mail.
[Uncovered by David Applefield, March 1996]
*
What has been a surprise about Word macro viruses is the industry
response to them. To understand the absurd nature of it, Crypt must
construct a parable minus the jargon and baffle-speak used in the
usual generic attempts to describe the Word "macro virus" problem.
Now, for the sake of our story, let's pretend for a moment that
Microsoft manufactures VCR's instead of operating system and business
office software. Microsoft has a dominant share of the market and has
just made a new model VCR. This model isn't significantly fancier than
the previous model -- just newer with some bells and whistles that
are nice but not absolutely essential.
Of course, lots of people immediately buy these VCR's and start playing
rented videotapes in them. Someone who's tinkering around or has
too much time on his hands, discovers that if he makes a minor,
almost invisible change or scratch in the plastic case of a rented
tape, it introduces a problem into the new VCR. This scratch makes
a part called the frammis fail. The frammis is put slightly out of
line and whacks the videotape housing and an adjacent part, called
the neo-frammis, also inside the VCR. This doesn't ruin the
videotape but it puts the same scratch into it, if it didn't have it
already. After a day, maybe a week, maybe longer -- development of
the frammis/neo-frammis whacking makes tapes being played show
up intermittently during play with an annoying white mistracking line
on the TV. No amount of fiddling with the tracking adjustment on the
VCR will fix it. Our tinkerer thinks this is clever and he's feeling
mean so he rents a tape - the most popular title, something like
"Busty Babes of the Bayou," "The Toolbox Murders" or "Forrest Gump" -
from Blockbuster. He puts the scratch in the videotape's housing and
returns it.
Now it has the potential to spread to everyone who has the Microsoft
VCR and rents this tape in the region.
Months later Microsoft VCR owners are calling the company in outrage.
Their VCR's are screwed up and local repairmen don't know what to
do.
[Now, in one possible world, Microsoft issues a massive recall,
identifies and solves the problem, and returns new, different
VCR's not susceptible to the problem to consumers. End of the
frammis/scratch problem except for those people who for some reason or
another don't follow the recall. Eventually, they stop using the
VCR or buy a different brand. Microsoft takes a big financial hit
for the quarter, but - hey - it's part of the business.]
However, in our world Microsoft sends a pack of cheap screwdrivers,
a replacement frammis that sometimes doesn't work and instructions
on how to fix the VCR printed on a paper the size of a chewing gum
wrapper. The instructions are written in Pig Latin. Quite naturally,
a lot of people can't fix the problem.
Other industry vendors rush to provide a solution. They supply a set
of slightly less cheap screwdrivers, a replacement frammis that
works 75 percent of the time and instructions printed on a paper
that's the size of a legal pad but which no one bothers to read,
anyway.
More and more Microsoft VCR's play all screwed up but no one
seems too concerned. They keep buying the model. Everyone is
trained to use this model of VCR and they won't switch models because
they're afraid they won't be able to use other VCR's and will lose
the ability to rent and enjoy videotapes.
Microsoft even issues a few thousand free sample tapes that are
messed up with the frammis-buggering case flaw. This spreads the
problem even further -- generally to people who have VCR's that aren't
already messed up with it.
Eventually, well-meaning but clueless techno-geeks at Lawrence
Livermore National Lab issue a product advisory on the VCR. It
describes the problem and a new one that's slightly different
but more hazardous. The new one makes the frammis and neo-frammis
misbehave so wildly a big spark comes out of the front of the VCR,
frying the circuitry and ruining the VCR. Since the rental tape that
introduces the problem melts when this happens and cannot be returned
it never spreads as far.
The Lawrence Livermore National Lab memo reaches a lot of
people but 90 percent don't read it because it's too long. They
will only read things that don't exceed a half page or a screenful
of information. The Livermore National Lab warning [2] is pages and
pages of daunting techno-gobble. The ten percent that persist in
reading to the end have trouble grasping it because of language
like this:
"If you don't have the Microsoft cheap screwdriver and replacement
frammis set, you can use the Organizo-frammis to find and remove
the broken Frammis without making things worse. The first step is to
start the VCR and open the Organizo-frammis box. There are two ways
to open the Organizo-frammis box: 1. use the Tools Neo-Frammis
and press the Organizo-frammis; 2. use the File Omega-frammis
and depress the Organizo-frammis. In the Organizo-frammis box,
flip the Frammis switch, click the Open Frammis button, locate the
malfunctioning frammis and neo-frammis and close everything up. Back
in the Organizo-frammis box, select all the Frammises listed
in the file Omega-frammis and flick the off button to remove them.
Flick the Close Omega-frammis switch to install the new Frammis.
The Frammis is now fixed."
Frustrated, many home owners and businesses can't deal
with the Frammis problem-plagued VCR from Microsoft. While it's possible
to fix the contagious frammis scratch, bureaucratic entropy, apathy,
confusion and institutional impediments inevitably result in failure
because:
(1) Many victims of it cannot understand how the fix is to be made.
The national lab warning was terrifying in its difficulty to understand.
Microsoft's cheap screwdriver set doesn't work very well.
(2) Many victims don't have the time or expertise to fix the VCR right
so the de-frammis'd VCR becomes re-frammis'd very quickly -- about
as soon as they rent another videotape with the same contagious scratch
on it. This often happens two or three times before victims junk the
damn thing.
(3) Some victims bought a different frammis repair set from another
vendor but it only works part of the time or if they decide to use it.
Mostly they don't use it, though, because they don't care about their
frammis'd VCR.
(4) Many victims' bosses won't let them fix the frammis'd VCR because
it would cost money. Besides, says the boss, "We have someone whose
job it is to fix these things, thank you! But he doesn't answer
voice-mail today or was skinned by an ogre, I'm not sure which. Now
stop bothering me or I'll downsize you the next time we massage the
stock price for our shareholders."
(5) Or, victims think the frammis'd VCR is how all VCR's are supposed
to be.
A year later Microsoft markets a new, improved VCR not as susceptible
to the problem but the people who have the old, brokedown VCR's don't
get any trade value. They have to pay Microsoft just like everyone
else does. So some just stumble on with their crippled VCR's. Some
other VCR manufacturers who previously made VCR's that worked fine
all the time make new models capable of being screwed up as badly as
the Microsoft model even though they've known about the problem and
laughed at it for some time. This is called progress.
Now, if you retell Crypt's story to someone else we can hear them
shout: "Hey, that's crazy! No way that could happen or they'd burn
people at the stake in those companies."
However, with a little cut and paste you can just plug Word viruses
back into the place where I put "frammis" and Word 6 for "VCR." Now
they'll say: "Yeah, it really stinks, but what can we do?"
This makes the Word "macro viruses" an almost perfect example of
TEGWAR - an exciting game without any rules - in the software industry.
The consumer or PC user in an institution uses Microsoft Winword
and is largely unaware that specific electronic documents handled
by it have the potential to bite him. Microsoft ignores the
phenomenon just long enough so it becomes solidly established
then generates a "fix" that works poorly and which must be
embroidered by other vendors. Still more software developers
jump into the breach with cures and advice - which take money - and
that don't guarantee anything because they are poorly understood,
poorly designed or a combination of the two.
Those trapped in Word macro virus TEGWAR lose money trying to
burrow through the electronic trash heaps of on-line services,
sifting and downloading information and software they can't
understand most of the time. They twist and turn in a seemingly
endless maze, buying software only to find it's the wrong software
for them. Squirming, they buy the correct software only to find
an obdurate supervisor won't let them use it throughout the
institution.
Increasingly aggravated, those infected by Word virus TEGWAR sometimes
see that pathogenic documents have the potential to spread the viruses
in interesting ways through heterogeneous combinations of machines and
software with only one thing in common: Word's micro-environment.
But they also find that anti-virus software designed to control
infections is not quite so flexible.
Goaded by the lash of fragmentary, gossipy on-line electronic
phlogiston passed on as the biblical wisdom of computer gurus,
others trapped by Word virus TEGWAR run about in a blind frenzy
searching for Word "macro virus" protective software until realizing
in a moment of stunning clarity that they don't _use_ Winword!
So, the only rule that is a constant in Word virus TEGWAR is that
if you play, you lose cash money.
*
"Thank you very much, <put your name here>, for your thoughts.
This is something I've been giving a lot of consideration of
late. Sincerely, Bill."
---Bill Gates form reply to electronic mail.
[Uncovered by David Applefield, March 1996]
*
Additional notes:
1. The virus written for the Telix communications program was
originally called LittleMess. It was programmed by a Dutch virus-writer
who travelled cyberspace under the handle of Crom-Cruach. Crom-Cruach
reasoned LittleMess was of only trivial interest because he thought few
people used the programming language interpreted by the Telix program
-- which his computer virus exploited -- for anything important. The
name of the programming language interpreted by the Telix software is
SALT. Hang in there because this is a point of serendipitous interest.
The US Navy also runs (or ran) telecommunications software it
calls - you guessed it -- SALTS. The Navy's SALTS terminal is a simple
Windows or DOS-running PC using little more than an off-the-shelf version
of Telix driven by a series of custom made Telix sub-programs (or "macros")
that create an elaborate communications system for the computer. The
SALTS program is an acronym for Streamlined Automated Logistical
Transmission System. The SALTS software used on Navy PC's is responsible
for logistical support and satellite-borne communications jobs ranging
through inventory and tracking of ship stock, software
management/distribution, Internet sessions and the sending and receiving
of electronic mail and USO telegrams. Since the software running on the
SALTS terminal is written in the same programming language exploited by
the LittleMess Telix virus, the SALTS PC can be easily infected by it.
In the average Telix-using hobbyist PC envisioned by the hacker
Crom-Cruach in 1993, this amounted to barely a few infections of
predominantly non-essential computer files. However, on an average US
Navy SALTS computer terminal, the same virus would create a much more
massive infection since the military's software relies on hundreds of
sub-program files that could serve as hosts for LittleMess.
2. The following text appeared in a Lawrence Livermore National Lab
alert on Word Macro viruses. It was supposed to be a clear
tutorial on ridding yourself of the Word macro viruses by hand.
No, Crypt Newsletter isn't tweezing it for effect:
"If you don't have a scanner or the protection macro, you can use the
Organizer to find and remove macro viruses without infecting your
system. The first step is to start Word and open the Organizer dialog
box. There are two ways to open the Organizer: 1. use the Tools Macro
command and press the Organizer button; 2. use the File Templates
command and press the Organizer button. In the Organizer dialog box
click the macros tab, click the Open File button, select the infected
document and click OK. Back in the Organizer dialog box, select all the
macros listed in the file and click the Delete button to remove them.
Click the Close File button to close and save the file. The file can now
be opened normally."
Crypt Newsletter challenges PC "help desk" employees to read that to
someone over the telephone.
Here's some more strangled syntax from the same memo:
"PROBLEM: Word macro viruses are no longer an isolated threat, but
they are a significant hazard to the information on a computer."
In fairness, the Lawrence Livermore National Lab memo, also known
as "CIAC (Computer Incident Advisory Capability) G-10: Winword Macro
Viruses," is an honest attempt to get some information on
a real computer hazard into as many hands as possible. It's also
possible for someone with good powers of concentration and a
middling-to-exceptional grasp of PC computing systems to wring
useful information from it. However, more and more, these types
of bulletins serve only to emphasize the disastrous point that the
average PC user in the home or business environment and the people
generating the technology very rarely speak a language that is mutually
understood. That's a gold-plated guarantor for interesting times.