home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Phoenix Rising BBS
/
phoenixrising.zip
/
phoenixrising
/
vir-docs
/
v05i119.txt
< prev
next >
Wrap
Internet Message Format
|
1992-09-27
|
41KB
From: Kenneth R. van Wyk (The Moderator) <krvw@CERT.ORG>
Errors-To: krvw@CERT.ORG
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V5 #119
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
--------
VIRUS-L Digest Tuesday, 23 Jun 1992 Volume 5 : Issue 119
Today's Topics:
"Do you detect the MtE?" (PC)
A problem with F-Prot 2.04 (PC)
Lets not forget the "little people" (PC, sort of)
1530 Virus (PC)
McAfee VIRUSCAN Mirror sites (PC)
pc-emulators and Re: F-PROT & DRDOS (PC & Unix)
Hardware protection (PC)
Imprecise scanners (PC)
Re: Zipped Viruses (PC)
Azuma (PC)
Yet another McAfee agent goofed... (PC)
Drive Conflict with VSHIELD (PC)
SCUD Virus ??? (PC)
Re: No Frills 2/3 Scanner needed! (PC)
Re: Request for Info on PC-Cillin (PC)
Re: scan 91 et al - reported as trojan?? (PC)
Re: Virus Program for a Macintosh? (Mac)
Re: Theoretical questions
COMPUTER ETHICS CURRICULUM KIT
Call for Papers - EICAR Conference, December 1992
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. (The complete set of posting guidelines is available by
FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with
your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU
(that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks).
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on cert.org (192.88.209.5). Administrative mail
(comments, suggestions, and so forth) should be sent to me at:
<krvw@CERT.ORG>.
Ken van Wyk
----------------------------------------------------------------------
Date: 17 Jun 92 09:04:58 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: "Do you detect the MtE?" (PC)
We just got a visit at the VTC from a person who worked for an
anti-virus company. He told us that their users keep calling them and
ask "Can you product detect the MtE?". So he decided to come and have
their product "tested" against the MtE - he wanted a kind of
certification that the product is able to detect these viruses...
Till now everything seems OK, but their product was not a scanner! It
was a monitoring program... :-) Therefore, it had no problems to
detect the attempts of the three silly MtE-based viruses to spread. Of
course, it completely missed some advanced tunneling viruses like Dir
II, but this was not their concern - they "detected the MtE"!... :-)
The level of ignorance of some people, as well as the common
misconception that "anti-virus program == scanner" has always amazed
me... Therefore I decided to post this message, so that at least the
readers of Virus-L/comp.virus can get the things right. Most of you
probably know already the things that I am going to explain, so sorry
for the wasted bandwidth.
As Yisrael Radai has posted recently, there are about 13-15 different
kind of anti-virus programs. However, most of them can be grouped into
three main types: scanners, monitors, and integrity checkers.
Scanners are programs that look for a sequence of bytes that is likely
to be present in all infected files (because it is present in the
virus) and not to be present in the non-infected ones. Scanners are
relatively easy to maintain and update, but are unable to detect
unknown viruses and tend to be be too large and slow when the number
of viruses known to them exceeds a certain limit.
The polymorphic viruses are an attack against the scanning programs.
They constantly modify themselves, so that each new copy of the virus
looks differently. Since there is no sequence of bytes which is
present in all variants of the virus, they cannot be detected with a
simple scan string. A more advanced (algorithmic) approach must be
used. The MtE-based viruses are extremely polymorphic, therefore they
pose a problem to the scanners. So the correct question is: "Is your
scanner able to detect the MtE?". If the product is really the
scanner, then the correct answer is either "yes", or "no" - such
things as "in 99.99% of the cases" are nothing more than marketing
tricks and mean "no". If the product is not a scanner, then the
correct answer is "Our product is not a scanner (it is a monitor, or
an integrity checker), so it has no problems to detect the current
MtE-based viruses".
Stealth viruses are also an attack against the scanners. When active
in memory, these viruses subvert the disk access requests to the
infected objects, so that they look as non-infected. The correct
question here is "Is your scanner able to detect (and possible
deactivate) the currently existing stealth viruses in memory?".
The monitoring programs constantly monitor those functions of the
operating system that are likely to be used by viruses, and either
deny them entirely, or each time ask the user for confirmation. Unlike
the scanners, they are not virus-specific and need no updating.
However they cause a lot of false positive alerts and tend to be too
obtrusive to the user.
Viruses which attack the monitoring programs are called "tunneling".
They are able to "tunnel" through the protection by calling DOS or
BIOS directly. Due to the lack of memory protection under DOS, -any-
monitoring program can be bypassed. There are about a dozen different
tunneling tricks, most of which cannot be stopped.
The polymorphic viruses pose no problems to the monitoring programs -
if they do not use tunneling, of course. However, a virus could be
both polymorphic and tunneling, therefore evading both scanners and
monitoring programs. The current three viruses that use the MtE are
only polymorphic. They are not tunneling.
At last, the integrity checkers periodically compute some kind of
checksums of the executable code and watch them for modification. The
basic idea is that a virus is a program which infects other programs
(according to Fred Cohen's definition) and therefore causes
modifications to them.
If implemented and used correctly, an integrity checker is able to
find any virus. The integrity checkers are not virus-specific, so they
don't need updating. Their main problem is that they detect
modifications, not viruses, so often cause false positives.
Neither the polymorphic, nor the tunneling viruses pose any problems
to the integrity checkers. The stealth viruses do however, as well as
some other forms of attacks, specific to the integrity checking
software. Most of these attacks can be prevented by designing the
integrity checker in a more intelligent way. The only problem is that
the developpers of integrity checking software must be aware of these
attacks and take the necessary steps against them. A paper describing
these attacks, as well as what has to be done in order to prevent
them, is going to be presented on the Virus Bulletin conference in
September. As soon as the paper gets published, I'll make it available
for anonymous ftp.
The correct question in the case of the integrity checking software is
"Is your program aware of the possible attacks against the integrity
checking programs and what do you do to stop the stealth viruses?".
While the stealth viruses cannot be stopped in all cases (regardless
what the marketoids are trying to tell you), several steps can be
taken to stop most of the known stealth techniques. Of course, the
only foolproof method is to always boot from a non-infected
write-protected system diskette before doing any virus hunting.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
------------------------------
Date: 17 Jun 92 20:35:04 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: A problem with F-Prot 2.04 (PC)
I just tried F-Prot 2.04 on our virus collection. Seems to be
amazingly fast and showed a very high detection rate. There is one
problem, however.
The EXE files infected by any versions of the Dark Avenger virus
(1800, 2000, 2100) are recognized correctly, but flagged as e.g.,
"Infection: Dark Avenger (1800) - Modified (536 extra bytes)". Don't
worry if you see this message - it is not a new variant of the virus,
but a bug in F-Prot.
These viruses are quite widespread, so I thought that I'd better post
this publicly. The bug has been reported to Fridrik Skulason, of
course. Some other viruses (e.g. SVC) are also flagged as "modified"
in the EXE files, but these viruses are not so widespread.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
------------------------------
Date: Wed, 17 Jun 92 15:17:40 -0700
From: rslade@sfu.ca (Robert Slade)
Subject: Lets not forget the "little people" (PC, sort of)
An interesting comment forwarded to me this week ...
13-JUN-1992 20:54
From: MUKLUK::DAVIDPM "David P. Maroun, Vancouver PC LUG editor"
Subj: McAfee's SCAN
A note on McAfee's SCAN version 8.9B, which I recently tried out: The
program requires more memory than previous versions did, and also
needs MS-DOS 3 or higher. When I tried running this SCAN under
Rainbow MS-DOS 2.01 or 2.11-1, or under IBM PC-DOS 2.1, the program
just said it could not open "" to compute a checksum. On the other
hand, the program's '/M' option now lets it scan Rainbow memory.
Since I usually use '/CHKHI' to scan memory, the advantage is largely
lost for me, while the inability to run under MS-DOS (or IBM PC-DOS)
2.xx is a serious handicap. Possibly SCAN can be renamed so that it
can find itself under the older versions of the operating systems, but
so far I have not been able to determine the required name.
=============
Vancouver ROBERTS@decus.ca | Life is
Institute for Robert_Slade@sfu.ca | unpredictable:
Research into rslade@cue.bc.ca | eat dessert
User CyberStore Dpac 85301030 | first.
Security Canada V7K 2G6 |
------------------------------
Date: Thu, 18 Jun 92 02:32:07 +0000
From: satmech@ecst.csuchico.edu (satmech)
Subject: 1530 Virus (PC)
Just recently, I found a few .COM files on my system infected with the
1530 Virus. Norton AV and an old version of scan wouln't detect it,
only scan90 and scan91 found it. Can someone tell me more about this
particular virus or where to find detailed info on it?
Thanks.
satmech@cscihp.ecst.csuchico.edu
------------------------------
Date: Thu, 18 Jun 92 03:00:49 +0000
From: ins894r@aurora.cc.monash.edu.au (Aaron Wigley)
Subject: McAfee VIRUSCAN Mirror sites (PC)
Are there any restrictions on making McAfee's VIRUSCAN software
available for anonymous ftp, ie distribution to individual users?
I have been making VIRUSCAN available for access by Students
at Monash University freely, but recently someone has queriedd
the legality. In an obvious Panic I have suspended access to it,
pending what I hear.
Can anyone refer me to McAfee? Their Internet Email address if
they have one, or if need be Snail mail addresses (preferably in
Australia).
Aaron Wigley
ftp@yoyo.cc.monash.edu.au
------------------------------
Date: Thu, 18 Jun 92 15:47:00 +1200
From: "Mark Aitchison, U of Canty; Physics" <PHYS169@csc.canterbury.ac.nz>
Subject: pc-emulators and Re: F-PROT & DRDOS (PC & Unix)
frisk@complex.is (Fridrik Skulason) writes:
> HRZ090@DE0HRZ1A.BITNET (Dr. Martin Erdelen) writes:
>>1) What does the message "invalid program" mean?
On the same subject , I found F-PROT's heuristics were getting upset
over some .COM files recently - which puzzled me until I looked at
them... they were copied from a VAX where .COM files are text! (Moral
of story: not all .COM and .EXE files on a PC might be PC programs).
But corrupted programs are more likely, of course - if the file size
is a multiple of 512 bytes it may be that a copy was made some time
when disk space was short - not all copying programs delete the
partial file in such cases. Another great way to get a corrupted file
is to use an old version of BACKUP which puts a whole lot of nuls at
the start, then copy the file from diskette instead of use RESTORE.
>>2) Several users reported problems when trying to run VIRSTOP (v.
>> 2.01) under DR-DOS v. 6.0.
> ...
> Well, it does not seem to happen on all machines - I know of people
> using DR DOS 6, who are using VIRSTOP without any problems whatsoever.
Is it related to the order in which things are loaded, or what is
loaded, I wonder?
And now for something completely different...
I've just been playing with a PC emulator for Unix called pcm (free
software from Electronetics, Inc; I don't know an address for them).
It has some limitations which might be an advantage for virus
spotting. I thought of using a Data General DG10 for virus spotting
(it has two processors; the 8086 has to ask the minicomputer's
permission to access any files; IO is easily trappable). In a similar
way this PC emulator (with source, goody gumdrops!) could be tailored
to watch for anything out of the ordinary (the only problem at the
moment is it traps too much!) Has anyone tried doing such things
before? If not, is anybody else interested in the modified emulator
(built mainly for Unix environments, it seems)?
Mark Aitchison.
------------------------------
Date: Thu, 18 Jun 92 09:25:18 +0000
From: raju@dcs.qmw.ac.uk (Daryanani)
Subject: Hardware protection (PC)
In recent weeks I've been seeing a growing number of advertisements
for boards that plug into PCs and supposedly protect the machine not
just from currently known viruses, but from viruses that have not even
been written yet. The latest board I've come across is from Certus
and is called Novi (or something like that). The first such hardware
device I came across last year claimed that it monitored the bus for
virus activity at all times & hence stopped them from working. In
discussions with some other persons who were interested in stopping
viruses we came to conclusion that as far as detection of new viruses
was concerned this claim was a load of crap. To me these boards seem
especially vulnerable since a virus writer who had access to one can
specifically write his virus to detect the presence of the board and
circumvent it.
Since I'm no expert on viruses, just someone who's has enough problems
with them already, I was wondering what those more knowledgeable about
viruses than me think about these boards.
Raju
- --
Raju M. Daryanani
raju@dcs.qmw.ac.uk
------------------------------
Date: Thu, 18 Jun 92 11:23:34 -0500
From: Stefano Toria <MC0170@mclink.it>
Subject: Imprecise scanners (PC)
bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) says:
> SCAN is -very- unreliable for virus identification. NEVER believe it
> anything it says about the virus name, number of viruses found, or the
> virus' properties (in VIRLIST.TXT). The only thing it does pretty good
> is to tell you whether the object (file or boot sector) is infected
> (with anything) or not.
> ...
> Solomon's Anti-Virus ToolKit has better identification, but still not
> good enough (it doesn't always make the difference between variants
This is not the first time that I read this assertion, either on
VIRUS-L or elsewhere. I would be very much interested in some detailed
facts, such as names of strains and variants that SCAN and/or Solomon
get mixed up with.
Thanks in advance.
- -------------------------------------------------------------------------
Stefano Toria <mc0170@mclink.it> |
MC-link, Rome, Italy | "Fatti non foste a viver come bruti,
Voice: (+ 396) 4180300 | ma per seguir virtute e conoscenza"
Fax: (+ 396) 8413057 |
- -------------------------------------------------------------------------
------------------------------
Date: 18 Jun 92 19:00:01 +0000
From: vail@tegra.com (Johnathan Vail)
Subject: Re: Zipped Viruses (PC)
sbonds@jarthur.Claremont.EDU (007) writes:
mwb@wybbs.mi.org (Michael W. Burden) writes:
>Even better yet: Make sure you get a clean copy of your anti-virus
>tools BEFORE you get infected, put them on a floppy, write protect
>it, and NEVER run these programs from the hard disk.
Always the best thing to do before starting any sort of virus scanning.
Would it be feasible to write a virus defense package that would ONLY
run after booting from a clean, write-protected floppy? The
programming aspect is fairly straightforward, but would people accept
a product like this? Ideally it would include a known clean copy of
DOS with it, but this could cause problems with copyright laws, etc.
Ideally it would boot itself and not use DOS or BIOS at all. Do all
its own disk I/O. Or maybe it would have to use BIOS after all for
SCSI and other non-pc-standard disks.
Of course, this is only good for scanning which by itself is of
limited value.
jv
Law of Stolen Flight: Only flame, and things with wings.
All the rest suffer stings.
_____
| | Johnathan Vail vail@tegra.com (508) 663-7435
|Tegra| jv@n1dxg.ampr.org N1DXG@448.625-(WorldNet)
----- MEMBER: League for Programming Freedom (league@prep.ai.mit.edu)
------------------------------
Date: Thu, 18 Jun 92 15:14:35 -0500
From: Mike 'the one with the grenade' Potaczala <POTACZAL@ucf1vm.cc.ucf.edu>
Subject: Azuma (PC)
I am trying to find out more information about the Azuma virus. I
could not find anything on it in the McAfee documentation and McAfee
did not detect it. Norton Anti-Virus did find it, but the person who
has this virus problem does not have documentation for Norton
Anti-Virus and therefore I wasn't able to check it. I would
appreciate any information on this virus that is available.
------------------------------
Date: 19 Jun 92 15:30:49 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Yet another McAfee agent goofed... (PC)
Hello, everybody!
We received yet another bulletin, issued by a McAfee Associates agent.
This time he not only misinterprets our test results, but tells plain
lies to his customers. Unfortunately, the original text is in German,
so I am posting here a rough translation.
- ---------cut here--------
Mutating Engine is no longer a danger for protected computers
As reported by KIRSCHBAUM SOFTWARE, users of VIRUSCAN should not
be afraid of the new generation of mutating or polymorphic viruses.
Version 91 (from june 1992) safely detects all viruses developed
under use of the fearful mutating engine.
Since her first appearance in European BBSes at the beginning
of this year, Dark Avenger's Mutating Engine lead to worries among
experts. In the past viruses like Jerusalem or Michelangelo had
characteristic and unique identifications to detect them. With the
Mutating Engine now nearly every programmer is able to write a
mutating and therefore hard to detect virus.
...
It is not known where exactly from the engine is. ...Dark Avenger
took part in this development.
Since version 90 VIRUSCAN uses a new virus detection technique, based
on statistic and numeric analyses. MTE is detected by its presence
instead of a byte by byte check. Due to recent experiences VIRUSCAN
was able to detect all viruses build by the Mutating Engine safely.
In total VIRUSCAN is now able to detect app. 1300 viruses out of
nearly 600 families. Kirschbaum Software supplies more information
about the conditions to use McAfee products.
Kirschbaum Software GmbH
Kronau 15
W-8091 Emmering b. Wbg.
- ---------cut here--------
Kirschbaum is an official agent for McAfee Associates in Germany
(listed in the file AGENTS.TXT). What he says is a plain lie. VIRUSCAN
version 91 is UNABLE to detect the MtE-based viruses reliably. The
tests of the VTC-Hamburg clearly demonstrated it.
The following programs SUCCEEDED to detect ALL Fear (an MtE-based
virus) mutations that were generated during the tests (9468):
UTScan 23.00.12 (the scanner from Untouchable)
F-Prot 2.04
FindVirus 4.20 and above (the scanner from Dr. Solomon's Anti-Virus ToolKit)
VirHunt 3.1A (the scanner from Data Physician Plus)
VIRSCAN 2.2.3A (IBM's scanner)
AntiVir IV 4.03 of June 9, 1992 (reports two viruses if the virus is
not encrypted)
Note that our tests are not able to prove that a particular scanner
detect the virus in all cases; they are only able to find if it is NOT
able to detect the virus reliably.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
------------------------------
Date: Mon, 22 Jun 92 10:23:20 +0700
From: Vincent Tracey <aeusg-hd-po-s@heidelberg-emh2.army.mil>
Subject: Drive Conflict with VSHIELD (PC)
Hello Netters,
HELP!!
I loaded the McAfee Vshield 4.9V91 onto Zenith 248 systems
with the /CHKHI switch set. The VShield programs are in a separate directory
C:\mcafee which is included in the autoexec.bat path command. These systems
run MS DOS 3.30, BIOS 3.30.05 and a config.sys of 25 files and buffers.
No devices are loaded via autoexec or config files.
My problem is - when searching diskettes via DIR A: - the floppy
drive (360K) returns a directory listing of the first disk, when a second
diskette is searched the listing from the first diskette is returned.
When Vshield is deleted from the system the directory listings work
fine. We have had several virus attacks recently (Jer B and Stoned variant
- :-( , and our higher headquarters requires McAfee protection be used.
I am not schmart enough to figure out the problem. Any/ALL help
will be greatly appreciated. Please respond via e-mail to below addresses.
Also I am interested to know if anyone else has experienced this
problem.
Thanx,
Vincent Tracey E-mail: traceyv@heidelberg-emh2.army.mil
Security Investigator aeusg-hd-po-s@heidelberg-emh2.army.mil
BSB-HD Security Office Phone: (049)6221-57-8054/6456
APO AE 09102 DDN 370-8054/6456
/////////// INFORMATION SYSTEM'S SECURITY IS EVERYONE'S BUSINESS \\\\\\\\\\\\
------------------------------
Date: Tue, 23 Jun 92 01:44:03 +0000
From: fveillet@sobeco.com (f.veillette)
Subject: SCUD Virus ??? (PC)
Hi There!
A friend of mine without Net access, asked me some infos about
the SCUD virus on PCs. I don't know much about viruses, then the
question is:
Where can I find a scanner and a disinfectant program (a Patriot???)
for this virus?
Thanks in advance for your help.
- --
Francois Veillette
fveillet@sobeco.com
------------------------------
Date: 23 Jun 92 07:49:59 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: No Frills 2/3 Scanner needed! (PC)
chore@neumann.une.oz.au (Prince Of Darkness) writes:
> I have a suspicion that i have the No Frills virus on my pc, i've been
> looking for a scanner to find out for sure, but have been unable to
> find one, can anybody help.....It's no frills vers 2 or 3, and i've
> heard it can do screwy things to your FAT, i've had nothing really bad
> happen yet, but a friends computer has, and so have others he's had
> contact with, so i think he may have given it to me, are there any
> non-comercial scanners out there that can detect No frill sna d kill
> it? If not what's the best (qand cheapest) commercial scanner that
> will get rid of it?
How could I help you if you do not provide enough information? Here
are a couple of questions:
1) Why exactly do you think that you have a virus? Any symptoms that
make you think so?
2) Why do you think that the virus is called "No Frills"? I have never
heard about a virus with such name...
3) What anti-virus software are you using (name, brand, version
number, mode in which you are using it)?
For more information about how to reports a possible infection and
what information to provide if you want the people who are
knowledgeable about computer viruses to be able to help you, please
read the FAQ list.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
------------------------------
Date: 23 Jun 92 07:54:30 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Request for Info on PC-Cillin (PC)
aeusg-hd-po-s@heidelberg-emh2.army.mil (Vincent Tracey) writes:
> Has anyone any information concerning a virus protection system
> called ** PC-cillin **.
Yes, I have played a bit with the package. I do not recomend it.
> The only information I have is a claim that it
> can - stop - all known virus'- ?:^(
Nonsense. The version that I have is even unable to stop the Dir II
virus.
> The package includes an RS 232 device
> for *trapping* virus'.
Not exactly. It includes a dongle with some CMOS RAM in which it
stores the partition table data (only the data, not the entire MBR!)
and a checksum for the MBR. The idea is to automatically restore it if
a virus messes it up. This is very insecure; can be fooled relatively
easily; leads to a disaster if a practical joker exchanges the dongles
of you computers and so on.
Except that, the package is generally a monitoring program (a la
FluShot). It claims to use Artificial Intelligence (!) to detect
virus-like behaviour. In fact, it is a simplistic rule-based system (6
rules and no learning), which decides whether the detected behaviour
is really due to a virus. Causes less false positive alerts than most
other monitoring programs, but can be bypassed just as easily, using
only a combination of the known virus techniques.
My guess is that the dongle trick aims to prevent pirating of the
software - it is much more secure and advisable to store a copy of the
boot sectors on a floppy, instead of in a dongle. I have spoken
several times with both the developpers of the product and the
distributors, explaining them how their product can be bypassed, what
can be done to make this at least a bit more difficult, and why it is
not wise to make claims like "stops all possible viruses". They never
took my advice.
As a conclusion: an insecure and generally bad product, which
provides a false sense of security. Don't buy it.
> Any assistance in this matter is appreciated.
Hope the above helps. Note that it is my own oppinion and impression
of the product.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
------------------------------
Date: 23 Jun 92 08:07:18 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: scan 91 et al - reported as trojan?? (PC)
tyers@rhea.trl.OZ.AU (P Tyers) writes:
> site I would appreciate comment. The versions I distributed were sourced
> from the mirror site archie.au and the validate results matched the message
> on comp.virus (Message-ID: <0019.9205301711.AA42463@CS1.CC.Lehigh.EDU>
> Date: 28 May 92 23:21:22 GMT) from mcafee Associates.
> All executables passed a scan by scan89b as well.
> Do I have a potential problem?
Probably not. The VALIDATE checksums are relatively easy to forge, but
nobody has done it yet. The main problem is to get the checksums from
a reliable source - and comp.virus is one.
The trojanizations of the program that I have seen (with other
versions) involved forging the documentation which lists the
checksums, the -AV autentification of the ZIP archive, and SCAN's
internal self-check routine. You have no way to protect yourself from
the last two. The only way to protect yourself from the first one is
to get the checksums from a reliable source (different from the
package). This still does not exclude the possibility to modify the
program in such a way that neither their size nor their checksums
change, but it makes it rather unlikely, since it will involve writing
a virus which does not modify the file size and forging a CRC which is
a LCM of two CRC-16s.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
------------------------------
Date: Sat, 20 Jun 92 01:12:00 +0000
From: lev@rsdps.gsfc.nasa.gov (Brian S. Lev)
Subject: Re: Virus Program for a Macintosh? (Mac)
I wrote...
>One that I like a *lot* is John Norstad's "Disinfectant" (currently at
>version 2.8) -- it's free, and it works! It's available via FTP from
>an almost infinite variety of sites on the Internet... if you have a
>problem doing FTPs, contact me and I'll be glad to send you a copy of
>the "MacSecure" anti-viral tool kit we use here at Goddard (it's based
>on Disinfectant and includes some neat HyperCard stacks as well).
Well, I've gotten several requests, so here's the MacSecure info I so
conveniently left out... The package is available via Annonymous FTP
and/or DECnet COPY as follows:
via Anon FTP:
- ------------
% FTP nic.nsi.nasa.gov (...or you can use the address 128.183.112.71)
NSINIC.GSFC.NASA.GOV> user anonymous
Password: (your Email ID)
NSINIC.GSFC.NASA.GOV> cd [.SOFTWARE.MAC] (this is a VMS system, use brackets!)
NSINIC.GSFC.NASA.GOV> get MACSECURE35.HQX (binhexed version, use ASCII mode)
-- or --
NSINIC.GSFC.NASA.GOV> get MACSECURE35.SEA (self-extracting archive, use BINARY
transfer mode)
via DECnet COPY:
- ----------------
COPY NSINIC::DISK$NSINIC:[ANONYMOUS.FILES.SOFTWARE.MAC]MACSECURE34.HQX
-- or --
COPY NSINIC::DISK$NSINIC:[ANONYMOUS.FILES.SOFTWARE.MAC]MACSECURE34.SEA
That's it! If anyone has questions, feel free to Email me...
- -- Brian Lev
+----------------------------------------------------------------------------+
| NASA SCIENCE INTERNET NETWORK INFORMATION CENTER |
| Code 930.6, Goddard Space Flight Center |
| Greenbelt, MD 20771 USA |
+----------------------------------------------------------------------------+
| Phone: 301-286-7251 FAX: 301-286-5152 |
| NSINIC::NSIHELP or help@nic.nsi.nasa.gov or NSIHELP@DFTBIT |
+----------------------------------------------------------------------------+
------------------------------
Date: Thu, 18 Jun 92 12:15:00 +1200
From: "Mark Aitchison, U of Canty; Physics" <PHYS169@csc.canterbury.ac.nz>
Subject: Re: Theoretical questions
BAN@hdc.hha.dk (Homo homini lupus!) writes:
> 3) Cohen notes a weakness in his defence model S3 (p. 155; Fred Cohen:
> "Models of Practical Defences Against Computer Viruses", Computers &
> Security, vol.8, no.2, s.149-160, 1989 ) - S3 is based on a checksum
> approch, which means that checksum( pi ) = checksum( pj ) for some
> programs pi and pj of a length greater than the checksum [my inter-
> pretation]. Relating that to the fact that most intregity checkers
> today is checksum based, and to the discussion considering MtE and
> 100% detection, isn't this a fundamental weakness in the checksumming
> concept.
Yes, but (assuming the checksum is long enough, and it isn't a trivial
"sum" which could be recalculated by a virus, so you're into the area
of viruses simply being lucky) the probability can be made very low
(comparable with a yellow and green 747 piloted by an eskimo falling
from the sky and hitting the computer).
> 4) When using MtE to exploid the "not 100% detection weakness" of
> scanners, it would seem worthwhile to give one own mutation a higher
> probability. This means, that if five programs survive the scanning
> in the first round, and each make say three times more copies of it
> self than of other permutation, it will mean approx. 20 will survive
> round two. This is exponential growth rather than as before linear
> growth (of course this will not increase the chance of survival in a
> checksumbased check).
Yes, that would prompt people to take "proper" action when getting
such a virus. I'm not a great fan of disinfecting infections - rather
reload the originals of everything, but there's still going to be the
need for either your idea or a true 100%-detecting scanner (since
backups might be infected). There still is a problem, of course ...
even if a scanner gets 100% of MtE there could be other ones (MtE2??)
it doesn't know about.
Mark Aitchison.
------------------------------
Date: 22 Jun 92 17:25:31 +0000
From: maner@andy.bgsu.edu (Walter Maner)
Subject: COMPUTER ETHICS CURRICULUM KIT
TEACHING SOCIAL AND ETHICAL IMPLICATIONS OF COMPUTING:
A "STARTER KIT"
The Research Center on Computing and Society at Southern
Connecticut State University and Educational Media Resources, Inc.
(a not-for-profit organization specializing in educational
programming) have assembled a "Starter Kit" for teachers who wish
to introduce social and ethical implications of computing into
their computer science or computer engineering classes. The "Kit"
can also help computer science departments fulfill national
accreditation requirements (CSAC/CSAB).
The "Starter Kit" includes three video tapes and two monographs:
VIDEO TAPES: No. 1--Teaching Computing and Human Values (45 min.)
No. 2--What Is Computer Ethics (45 min.)
No. 3--Examples and Cases in Computer Ethics (45 min.)
MONOGRAPHS: No. 1--Teaching Computer Ethics (110 pages)
No. 2--Computing and Social Responsibility:
A Collection of Course Syllabi (142 pages)
Further information is available from the Research Center on
Computing and Society at Southern Connecticut State University:
E-Mail: RCCS@SCSU.CTSTATEU.EDU
Phone: (203) 397-4423 (Center and answering machine)
FAX: (203) 397-4681
Walter Maner
- --
InterNet maner@andy.bgsu.edu (129.1.1.2) | BGSU, Comp Science Dept
Relays maner%bgsu.edu@relay.cs.net | Bowling Green, OH 43403
maner%bgsu.edu@nsfnet-relay.ac.uk | 419/372-2337 Secretary
BITNet MANER@BGSUOPIE | 419/372-8061 Fax
------------------------------
Date: Mon, 22 Jun 92 10:07:56 +0600
From: ry15@rz.uni-karlsruhe.de
Subject: Call for Papers - EICAR Conference, December 1992
CALL FOR PAPERS
3rd annual EICAR - Conference
December 7th-9th, 1992 in Munich Germany
EICAR (European Institute for Computer Anti-Virus Research) will hold its
1992 conference on computer viruses and related threats to information
technology. The conference will be held in the Park-Hilton Hotel in Munich.
Dates: draft paper deadline: September 11th 1992
notification of acceptance: October 4th 1992
final paper: October 25th 1992
conference: December 7th-9th 1992
General Chair: Dr. Paul Langemeyer, Siemens Nixdorf International AG
Program Chair: Christoph Fischer, University of Karlsruhe
Scope: The conference addresses the malicious software aspect of
IT-security. The first day is an optional tutorial
seminar on computer viruses and similar software threats.
The second day will carry tracks covering retrospective
and state-of-the-art information. The theme of the third day
is future trends. The conference will end with a panel
discussion.
Topics: * virus trends * anti-virus technology
* testing antivirus software * virus naming
* network security * system security
* backup measures * risk assessment
* corporate strategies * disaster recovery plans
* malware incident handling * international cooperations
* case studies * educational tasks
* impact on technology * epidemiology
* forensic procedures * legal aspects
* social implications * ethics
Conference Format:
Introductory day (optional):
December 7th Tutorial Seminar
Main Conference: Two tracks (technical and non-technical)
December 8th retrospective and state-of-the-art papers
December 9th future trends papers
Panel Discussion
Submission: Submissions should be received by the program committee no
later than September 11th 1992. After the formal peer review
procedure the submitters will be notified by the program
committee October 4th. Final papers are due by October 25th.
Abstracts should be no longer than 1500 words (5 double spaced
pages) and can be sent in as paper, e-mail, ascii file on
PC disk, or FAX.
Final paper: The final version of the paper should be either an ascii-file
or a LaTeX file. Graphics (photos only if absolutely necessary)
should be on separate sheets in high quality or as LaTeX,
Postscript, HP-PCL (Laserprinter) or HP-GL file.
Slides and overheads must be included as a b&w reproduction.
Each author or the presenting author of groups must send in
a short biography and a passport type photograph.
Addresses:
EICAR Office: EICAR !
c/o Siemens Nixdorf AG !
Dr. Ing. Paul Langemeyer !
Otto-Hahn-Ring 6 !
D-8000 Muenchen ! (+49) 89 636 82 660 (voice)
Germany ! (+49) 89 636 82 824 (FAX)
Program Committee: University of Karlsruhe !
(submissions) Rechenzentrum !
Micro-BIT Virus Center !
Christoph Fischer !
Zirkel 2 ! (+49) 721 37 64 22 (voice)
D-7500 Karlsruhe 1 ! (+49) 721 32 55 0 (FAX)
Germany ! ry15@rz.uni-karlsruhe.de
------------------------------
End of VIRUS-L Digest [Volume 5 Issue 119]
******************************************
Macyour he, of
Macyour he, of
Macyour he, of
Macyour he, of
Macyour he, of
Macyour he, of
Macyour he, of
Macyour he, of
Macyour he, of
Macyour he, of
Macyour he, of
Macyour he, of
Macyour he, of
Macyour he, of
Macyour he, of
Macyour he, of
Macyour he, of
Mac
Downloaded From P-80 International Information Systems 304-744-2253
