Text File | 1992-08-18 | 12KB | 221 lines
**************************************************
"VCL In The News" or "Preaching to the Committed
On CSERVE's VIRUSFORUM" - analysis by URNST KOUCH
**************************************************
What follows are a number of messages gathered from CSERVE's
VIRUSFORUM concerning the VCL and related topics. Those
who frequent the forum know that it's a SIG dominated by the
opinions of 3 or 4 moderators from McAfee Associates and
the NCSA. Now and then, some hapless, but earnest, schmuck
will pop up to express interest, curiosity or admiration
for various examples of dangerous code. That's when all
the corporate stiffs jump in and club the poor fool to death
for his temerity. I've included a few texts [with comments
where appropriate] to illustrate the rather petty nature of the
electronic witch-burners.
--------------------------------------------------------------------------
Subj: Virus Creation Utils Section: Virus News & Views
From: C. Rutstein [NCSA] 75300,3104 # 12129, 3 Replies
To: All Date: 08/09/92 16:40:11
Hiya, folks. I'm writing to get reaction on a disturbing trend on "the
other side". Several virus-writing groups have now taken it upon
themselves to create virus creation utilities to aid both them and
others in writing viruses.
The first, of course, was the Virus Construction Kit, from Germany
several years ago. This was a fairly rudimentary toolkit which went
almost nowhere.
We've all certainly heard about the next major utility...Dark Avenger's
Mutation Engine (MTE). As a linkable module, it allows a second-rate
virus author to create a sophisticated polymorphic virus.
But what if you're not even a second-rate author? Well, a fellow called
Nowhere Man with a group called [NuKE] has written the Virus Creation
Laboratory, which allows you to create a virus by picking items from a
menu. The toolkit is done using Borland's TurboVision, meaning that
it's got all the nice little touches...pull-down windows, shadow boxes,
mouse/color support, etc. With it, virus creation is brought to the
masses...at least according to the accompanying documentation. In
reality, all the viruses that can be created with it can be detected
with about a dozen scan strings. No real problem.
[So sez Charles Rutstein.
In the real world, the latest F-PROT (2.04) did NOT detect any of
a number of test VCL variants I manufactured in an afternoon. It will
detect some unencrypted samples as Vienna-related. However, if the
simple encryption device is turned once, the detection slips. The
early-August VIREX release was ineffective, too. But don't expect
to see this mentioned on CSERVE.
However, it's naive to think that later versions of anti-virus
products won't detect VCL 1.0 variants.
In truth, the templates for basic spawning, overwriting
and .COM-appending viruses and their search structures
can be spotted. But the beauty of the
VCL is that it is open-ended. By shot-gunning custom sequences or
novel routines into basic VCL code, unscannable or locally virulent viruses
can and will be generated far more quickly than ever before.
The brute-force scanning approach
will lag, probably badly. And this is the idea behind Nowhere Man's VCL.
-Kouch]
The latest utility is from Phalcon/Skism, another domestic
virus-authoring clan. While I haven't yet had the time to break it
apart, it seems similar to the VCL, yet command-line driven. I suspect
it will have the same shortcomings as the VCL.
So, what's next? We've now seen three such utilities in the past few
months, as opposed to only about half a dozen since 1987. Clearly,
this looks like a trend. I'm sure we can expect menu-driven authoring
systems with MTE support very soon. [Charles Rutstein cribbed
this from the docs to VCL 1.0. Nowhere Man clearly states that
this is a goal of VCL development.- Kouch] What scares me more is what's
next...I can't even imagine. Sounds like more work and headaches to
me. I could live without 'em. Comments?
Charles Rutstein
NCSA Section Co-SysOp
----------------------------------------------------------------------------
Subj: Virus Creation Utils Section: Virus News & Views
From: Mark Hamilton 100013,600 # 12138, 1 Reply
To: C. Rutstein [NCSA] 75300,3104 Date: 08/09/92 20:01:26
Charles,
Nowhere Man: Um, yes, now he raises one or two rather interesting
questions. This is the character who is claiming copyright on the
viruses created using his VCL - including on any signature strings
'extracted' for use in anti-virus programs. Recently on this forum,
another virus writer [Mark Ludwig, author of "The Little Black
Book of Computer Viruses" (American Eagle Publishing, Tucson, AZ)- Kouch]
claimed copyright and threatened to sue anyone who
infringed his rights. I publicly challenged him to sue me as a result of
my posting a message giving hexadecimal search patterns to one of his
viruses: two months on and I'm still waiting for the writ!
[Hamilton dissembles. This never happened. Hamilton had opened discussion
on the forum on Ludwig's book and stated something to the effect that
the published code was buggy, useless and a hazard. Ludwig tried to
defend himself by stating that the bugs were a
result of typos and that drawbacks of some of the viruses were mentioned
in the text. This is true. Typos marred the code of the TIMID
and INTRUDER virus listings. These were corrected in a second edition and
were not present on the book's companion disk which, apparently, Hamilton
failed to notice. Enraged by Hamilton's attacks on CSERVE, Ludwig
threatened to sue him for libeling his reputation and the book's veracity,
NOT for posting a rudimentary search string. Why would Ludwig be
enraged by this? After all, he included a program to find the INTRUDER
virus with the book and disk. Hamilton is so full of shit in this regard,
he squeaks.
Further, Hamilton responded by inviting Ludwig's libel suit.
This all became increasingly silly when Ludwig was invited to speak
at the NCSA convention in Washington, D.C. and then denounced
by almost everyone. In other words, Ludwig acted in good faith
and was set up to take a professional whack anyway.
Understandably, Ludwig no longer posts much in response
to queries about his book on the CSERVE forum. This is rather
unfortunate. - Kouch]
The situation is that, just like any computer program, viruses can be
copyrighted providing that they are original works. It could be argued
that a virus built using a construction kit is not an original work and
therefore not copyrightable. It is permitted, under the Berne
Convention, [What in Sam Hill is this nonsense? This is pure 'Boy, am I smart!'
grand-standing, typical of the posts on the VIRUSFORUM. - Kouch] to select
extracts from copyright works for 'review' or
'illustratory' purposes (it is the work as a whole that is protected,
not extracts). In the case of viruses, these extracts are the search
patterns. Providing these extracts (search patterns) are published by
those who use them, no copyright infringements have taken place.
Of course, it is going to be a very brave, or stupid, person who
attempts to enforce his copyright if his work is a virus. [I guess he just
doesn't appreciate Nowhere Man's sense of humor. - Kouch.] The courts may
view that a virus is excluded from copyright protection on the grounds
of either public interest or that it has been released into the public
domain in a way disclaiming copyright.
Nowhere Man distributes and supports his wares through a West Coast
bulletin board run by the Phalcon/Skism group (of whom quite a lot is
known already in anti-virus circles) and mentions two of McAfee
Associates personnel (among others) in VCL's documentation.
This anarchic [anarchic? A made-up word. More 'Boy am I smart!' stuff. -Kouch]
group should be tracked-down and prosecuted - there is now
precendence [sic] for doing this: David Blumenthal and Mark Pilgrim (from
Cornell
[>> Continued in next msg]
Subj: Virus Creation Utils Section: Virus News & Views
From: Mark Hamilton 100013,600 # 12139, 1 Reply
To: Mark Hamilton [sends messages to himself, doesn't want
anyone to let them pass into obscurity too quickly - Kouch.]
100013,600 Date: 08/09/92 20:01:00
[>> Continued from previous msg]
University) will stand trial later this year for distributing a Mac
virus on bulletin boards and could be imprisoned for up to four years.
Mark.
----------------------------------------------------------------------------
Subj: Virus Creation Utils Section: Virus News & Views
From: SysOp Aryeh Goretsky 76702,1714 # 12164, * No Replies *
To: C. Rutstein [NCSA] 75300,3104 Date: 08/10/92 12:24:04
Hello Charles,
Instead of virus writers writing new viruses, they'll just use these
toolkits to make viruses that are already detectable by anti-viral
software.
[Simply not true. However, it never
hurts to gladhand the 'accepted wisdom' of your senior colleagues! - Kouch.]
Regards,
Aryeh Goretsky
--------------------------------------------------------------------------
Subj: Virus Creation Utils Section: Virus News & Views
From: SysOp Spencer Clark 76702,1713 # 12179, 1 Reply
To: C. Rutstein [NCSA] 75300,3104 Date: 08/10/92 14:47:15
I honestly think the generic construction kits have a long way to go
before they really challenge the anti-viral industry.
[Pure ego here, Spencer. Why does the anti-virus industry feel
it's the only one being challenged? Hasn't it occurred to Clark that
the multiplying viral population primarily challenges the average PC shmoe,
whether the anti-virus industry comes up with some cumbersome
"magic bullet" or not? Just because effective software exists
doesn't mean anyone's going to use it. This isn't a novel
idea. Think of HIV virus & rubbers. But I realize what you're driving
at: It never hurts to gladhand the 'accepted-wisdom' of your senior
colleagues! -Kouch.]
What really amazes me is who has time for such ambitious efforts with
infamy being the ONLY satisfaction for these people. They don't get
money, fame only in certain circles, and it is doubtful they can
impress their dates with this stuff <g>. If they get dates <G>.
[OOh, that's mean Spencer - a silly ad hominem attack of the type
the Republicans are so good at. However, I do know what you're getting
at: It never hurts to glad-hand the 'accepted wisdom'
of your senior colleagues! (And yes, I do know I'm repeating myself for
all you lip-readers in the cheap seats. Ever read any Vonnegut or Hunter
Thompson?) -Kouch]
Spencer Clark <sysop>
----------------------------------------------------------------------------
So you see the VCL, Nowhere Man, NuKE and Phalcon/SKISM keep the lights
burning on CSERVE's VIRUSFORUM. But NOTHING stops the moderators from
eventually getting back to telling each other how smart they are while
avoiding substantive talk about how well scanners are really doing
against new virus developments.
Keep up the fine work!
--Kouch
____________________________________________________________________________