home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Big Blue Disk 27
/
bbd27.zip
/
FSP.TXT
< prev
next >
Wrap
Text File
|
1988-10-24
|
74KB
|
2,047 lines
FLU_SHOT+, Version 1.4
A Form of Protection from
Viral and Trojan Programs
by
Ross M. Greenberg
and
Software Concepts Design
594 Third Avenue
New York, New York 10016
BBS:(212)-889-6438 1200|2400|N/8/1
FLUSHOT+ is a trademark of Software Concepts Design.
Copyright (C), 1988 by Software Concepts Design.
All Rights Reserved.
Not for Commercial Distribution without written permission by the
copyright holder. Noncommercial copying of this software and this
documentation is encouraged. Commercial Distribution is easily
defined: if you distribute this software, or the enclosed
documentation, for more than your cost of such distribution, then
you're a Commercial Distributor and require our written
permission. Not-for-profit organizations and computer user
groups, and their bulletin board systems (if any) are
specifically *not* considered commercial distributors.
By your using this software, you agree to the terms herein.
Specifically, that you do not have the right to copy this
software except as outlined above, and that you are granted a
license to use this software only by registering this software as
mentioned elsewhere in this document. (Legitimate subscribers to
the Big Blue Disk magazine may have a separate agreement allowing
them to use this code without registering, but the other terms of
this agreement are still to be agreed to before you can use the
program)
You also agree, and signify that agreement by using this
software, that Software Concepts Design and Ross M. Greenberg
will not be held liable for any reason for any cost you may
incur, or any potential income you might lose as a result of
using this software. Finally, this software is provided "AS IS",
meaning that what you see is what you get. If you use this
software and a tree falls on your house, or your spouse leaves
you for someone younger and more virile, please do not bother
having your lawyer call -- it isn't the fault of the software, no
matter what the lawyer tries to convince you!
Table of Contents
I. Introduction
a. What is a Trojan.....................................1
b. What is a Virus......................................4
c. The Challenge to the Worm............................6
II. About the FLUSHOT Series
a. A Brief History......................................8
b. FLU_SHOT+ Features and Enhancements..................9
c. Registering FLU_SHOT+................................10
d. Site Licensing of FLU_SHOT+..........................10
III. Using FLU_SHOT+
a. The FLUSHOT.DAT file.................................11
1. Protecting files from Write Access..............12
2. Protecting files from Read Access...............12
3. Excluding files.................................12
4. Checksumming files..............................13
5. Registering a TSR program.......................14
6. Protecting the FLUSHOT.DAT file.................14
7. Protection Recommendations......................15
8. Allowing "dangerous" programs to run............15
b. Running FLU_SHOT+....................................16
1. Checking CMOS - How often?......................16
2. Checksumming the in-memory table................16
3. Intercepting Direct Disk Writes Through INT13...17
4. What about INT26................................17
5. Turning off the header message..................17
6. Allowing trusted TSR's to work..................17
7. Disabling FLU_SHOT+.............................17
8. Disabling FLU_SHOT+ Toggle Display..............18
9. Forcing FLU_SHOT+ to only use the BIOS..........18
10. Putting FLU_SHOT+ to sleep when run.............18
IV. Interpreting a FLU_SHOT+ Trigger..........................19
V. How Good is FLUSHOT+, Really?.............................24
VI. Reward Offered............................................26
Introduction
What is a Trojan?
=================
Back in the good old days (before there were computers), there
was this bunch of soldiers who had no chance of beating a
superior force or of even making it into their fortress. They
had this nifty idea: present the other side with a gift. Once
the gift had been accepted, soldiers hiding within the gift would
sneak out and overtake the enemy from within.
We can only think of the intellectual giants of the day who would
accept a gift large enough to house enemy soldiers without
checking its contents. Obviously, they had little opportunity to
watch old WWII movies to see the same device used over and over
again. They probably wouldn't have appreciated Hogan's Heroes
anyway. No color TV's -- or at least not ones with reliable
reception.
Consider the types of people who would be thrilled at the concept
of owning their own rough hewn, large wooden horse! Perhaps they
wanted to be the first one on their block, or something silly
like that.
Anyway, you're all aware of the story of The Trojan Horse.
Bringing ourselves a bit closer to the reality we've all grown to
know and love, there's a modern day equivalent: getting a gift
from your BBS or user group which contains a little gem which
will attack your hard disk, destroying whatever data it contains.
In order to understand how a potentially useful program can cause
such damage when corrupted by some misguided soul, it's useful to
understand how your disk works, and how absurdly easy it is to
cause damage to the data contained thereon. So, a brief
technical discussion of the operation of your disk is in order.
For those who aren't concerned, turn the page or something.
Data is preserved on a disk in a variety of different physical
ways having to do with how the data is encoding in the actual
recording of that data. The actual *structure* of that data,
however, is the same between MS-DOS machines. Other operating
systems have a different structure, but that doesn't concern us
now.
Each disk has a number of "tracks". These are sometimes called
cylinders from the old type IBMer's. These are the same people
who call hard disks DASDs (Direct Access Storage Devices), so we
can safely ignore their techno-speak, and just call them tracks.
Tracks can be thought of as the individual little grooves on an
audio record, sort of.
Anyway, each track is subdivided into a number of sectors. Each
track has the same number of sectors. Tracks are numbered, as
1
are sectors. Any given area on the disk can be accessed if a
request is made to read or write data into or out of Track-X,
Sector Y. The read or write command is given to the disk
controller, which is an interface between the computer itself and
the hard disk. The controller figures out what commands to send
to the hard disk, the hard disk responds and the data is read or
written as directed.
The first track on the hard disk typically will contain a small
program which is read from the hard disk and executed when you
first power up your machine. The power up sequence is called
"booting" your machine, and therefore the first track is typical
known as the "boot track".
In order to read information from your disk in a logical
sequence, there has to be some sort of index. An unusual index
method was selected for MS-DOS. Imagine going to the card index
in a library, looking up the title you desire, and getting a
place in another index which tells you where on the racks where
the book is stored. Now, when you read the book, you discover
that only the first chapter of the book is there. In order to
find the next chapter of the book, you have to go back to that
middle index, which tells you where the next chapter is stored.
This process continues until you get to the end of the book.
Sounds pretty convoluted, right? You bet! However, this is
pretty much how MS-DOS does its "cataloguing" of files.
The directory structure of MS-DOS allows for you to look up an
item called the "first cluster". A cluster represents a set of
contiguous ("touching or in contact" according to Random House)
tracks and sectors. It is the smallest amount of information
which the file structure of MS-DOS knows how to read or write.
Based on the first cluster number as stored in the directory, the
first portion of a file can be read. When the information
contained therein is exhausted, MS-DOS goes to that secondary
index for a pointer to the next cluster. That index is called
the File Allocation Table, commonly abbreviated to "FAT". The
FAT contains an entry for each cluster on the disk. An FAT entry
can have a few values: ones which indicate that the cluster is
unused, another which indicates that the associated cluster has
been damaged somehow and that it should be marked as a "bad
cluster", and a pointer to the next cluster for a given file.
This allows for what is called a linked list: once you start
looking up clusters associated with a given file, each FAT entry
tells you what the next cluster is. At the end of the linked
list is a special indicator which indicates that there are no
more clusters associated with the file.
There are actually two copies of the FAT stored on your disk, but
no one really knows what the second copy was intended for.
Often, if the first copy of the FAT is corrupted for some reason,
a clever programmer could recover information from the second
copy to restore to the primary FAT. These clever programmers can
2
be called "hackers", and should not be confused with the thieves
who break into computer systems and steal things, or the "worms"
[Joanne Dow gets credit for *that* phrase!] who would get joy out
of causing you heartache!
But that heartache is exactly what can happen if the directory
(which contains the pointer to the first cluster a file uses),
the FAT (which contains that linked list to other areas on the
disk which the file uses), or other areas of the disk get
corrupted.
And that's what the little worms who create Trojan programs do:
they cause what at first appears to be a useful program to
eventually corrupt the important parts of your disk. This can be
as simple as changing a few bytes of data, or can include wiping
entire tracks clean.
Not all programs which write to your hard disk are bad ones,
obviously. Your word processor, spreadsheet, database and
utility programs have to write to the hard disk. Some of the DOS
programs (such as FORMAT), if used improperly, can also erase
portions of your hard disk causing you massive amounts of grief.
You'd be surprised what damage the simple "DEL" command can do
with just a simple typo.
But, what defines a Trojan program is its delivery mechanism: the
fact that you're running something you didn't expect. Typical
Trojan programs cause damage to your data, and were designed to
do so by the worms who writhe in delight at causing this damage.
May they rot in hell -- a mind is a terrible thing to waste!
Considering the personality required to cause such damage, you
can rest assured that they have few friends, and even their
mother doesn't like to be in the same room with them. They sit
back and chortle about the damage they do with a few other lowly
worms. This is their entire social universe. You should pity
them. I know that I do.
3
Introduction
What is a Virus?
================
Trojan programs are but a delivery mechanism, as stated above.
They can be implemented in a clever manner, so that they only
trigger the malicious part on a certain date, when your disk
contains certain information or whatever. However they're coded,
though, they typically affect the disk only in a destructive
manner once triggered.
A new breed of programs has the capability of not only reserving
malicious damage for a given event's occurrence, but of also
replicating itself as well.
This is what people refer to when they mention the term "Virus
Program".
Typically, a virus will spread itself by replicating a portion of
itself onto another program. Later, when that normally safe
program is run it will, in part, execute a set of instructions
which will infect other programs and then potentially, trigger
the Trojan portion of the program contained within the virus.
The danger of the virus program is twofold. First, it contains a
Trojan which will cause damage to your hard disk. The second
danger is the reason why everyone is busy building bomb shelters.
This danger is that the virus program will infect other programs
and they in turn will infect other programs and so forth.
Since it can also infect programs on your floppy disks, you could
unknowingly infect other machines! Pretty dangerous stuff,
alright!
Kenneth van Wyck, one of the computer folks over at Lehigh
University, first brought a particular virus to the attention of
the computer community. This virus infects a program, which
every MS-DOS computer must have, called COMMAND.COM. This is the
Command Line Interpreter and is the interface between your
keyboard and the MS-DOS operating system itself. Whatever you
type at the C> prompt will be interpreted by it.
Well, the virus subverts this intended function, causing the
infection of neighboring COMMAND.COMs before continuing with
normal functionality of the command you typed. After a certain
number of "infections", the Trojan aspect of the program goes
off, causing you to lose data.
The programmer was clever. But still a worm. And still
deserving of contempt instead of respect. Think of what good
purposes the programmer could have put his or her talents to
instead of creating this damage. And consider what this
programmer must do, in covering up what they've done. They
certainly can't tell anyone what they've accomplished.
Justifiable homicide comes to mind, but since the worms they must
4
hang around are probably as disreputable as they are, they must
hold their little creation a secret.
A pity. Hopefully, the worm is losing sleep. Or getting a sore
neck looking behind them wondering which of their "friends" are
gonna turn them in for the reward I list towards the end of this
document.
5
Introduction
The Challenge to the Worm
=========================
When I first released a program to try to thwart their demented
little efforts, I published this letter in the archive (still in
the FLU_SHOT+ archive of which this is a part of). What I say in
it still holds:
As for the designer of the virus program: most
likely an impotent adolescent, incapable of
normal social relationships, and attempting to
prove their own worth to themselves through
these type of terrorist attacks.
Never succeeding in that task (or in any
other), since they have no worth, they will
one day take a look at themselves and what
they've done in their past, and kill
themselves in disgust. This is a Good Thing,
since it saves the taxpayers' money which
normally would be wasted on therapy and
treatment of this miscreant.
If they *really* want a challenge, they'll try
to destroy *my* hard disk on my BBS, instead
of the disk of some innocent person. I
challenge them to upload a virus or other
Trojan horse to my BBS that I can't disarm.
It is doubtful the challenge will be taken:
the profile of such a person prohibits them
from attacking those who can fight back.
Alas, having a go with this lowlife would be
amusing for the five minutes it takes to
disarm whatever they invent.
Go ahead, you good-for-nothing little
slimebucket: make *my* day!
Alas, somebody out there opted to do the cowardly thing and to
use the FLUSHOT programs as a vehicle for wrecking still more
destruction on people like you. The FLUSHOT3 program was
redistributed along with a companion program to aid you in
reading the documentation. It was renamed FLUSHOT4. And the
reader program was turned into a Trojan itself.
I guess the programmer involved was too cowardly to take me up on
my offer and prefers to hurt people not capable of fighting back.
I should have known that, I suppose, but I don't normally think
of people who attack innocents. Normally, I think of people to
respect, not people to pity, certainly not people who must cause
such damage in order to "get off".
6
They are below contempt, obviously, and can do little to help
themselves out of the mire they live in.
Still, a worm is a worm.
7
About FLUSHOT
A Brief History
===============
The original incarnation of FLU_SHOT was a quick hack done in my
spare time. It had a couple of bugs in it which caused it to
trigger when it shouldn't, and a few conditions which I had to
fix. A strangeness in how COMMAND.COM processed certain
conditions when I "failed" an operation caused people to lose
more data than they had intended -- certainly not my intent!
FLU_SHOT was modified and became FLUSHOT2. It included some
additional protections, protecting some other important system
files, and protecting against direct disk writes which can be
used to circumvent FLUSHOT's protection mechanisms.
Additionally, FLUSHOT2 forced an exit of the program currently
running instead of a fail condition when you indicated that an
operation should not be carried out.
FLUSHOT2 was also now distributed in the popular archive format
(have you remembered to send your shareware check into Phil Katz
for his efforts? You really should. It ain't that much money!).
Next came FLUSHOT3. A bug was fixed which could have caused
certain weird things when you denied direct disk I/O to certain
portions of DOS 3.x.
The enhancements to FLUSHOT3 included the ability to enter a 'G'
when FLUSHOT was triggered. This allowed FLUSHOT to become
inactive until an exit was called by the foreground task. So,
when you used some trustworthy program which did direct disk I/O,
you wouldn't be pestered with constant triggering after you enter
the 'G'. Primarily this was a quick hack to allow programs such
as the FORMAT program to run without FLUSHOT being triggered each
time it tried to do any work it was supposed to.
Additionally, a CMOS RAM check was installed. If a foreground
program attempted to change CMOS memory, you'd be advised.
What the heck is CMOS memory, you might be asking. Good
question. In AT class and better machines, certain important
parameters (such as the type of hard disk you're using, or how
much memory there is in your machine) are stored up in special
non-volatile memory, called CMOS.
If this gets changed, you might have a problem when you reboot.
FLUSHOT3 sends at least one little slimebucket back to the
drawing board, because it will restore the CMOS and prevent this
hassle from occurring.
8
About FLUSHOT
FLU_SHOT+ Features and Enhancements
===================================
This release of FLU_SHOT has a new name: FLU_SHOT+. Because
FLUSHOT4 was a Trojan, I opted to change the name. Besides,
FLU_SHOT+ is the result of some real effort on my part, instead
of being a part-time quick hack. I hope the effort shows.
FLUSHOT is now table driven. That table is in a file which I
call FLUSHOT.DAT. It exists in the root directory on your C:
drive. However, I'll advise you later on how to change its
location so that a worm can't create a Trojan to modify that
file.
This file now allows you to write and/or read protect entire
classes of programs. This means that you can write protect from
damage all of your *.COM, *.EXE, *.BAT, and *.SYS files. You can
read protect all of your *.BAT files so that a nasty program can
not even determine what name you used for FLU_SHOT+ when you
invoked it!
Additionally, you can now automatically check programs when you
first invoke FLU_SHOT+ to determine if they've changed since you
last looked at them. Called checksumming, it allows you to know
immediately if one of the protected programs has been changed
when you're not looking. Additionally, this checksumming can
even take place each time you load the program for execution.
Also, FLU_SHOT+ will advise you when any program "goes TSR". TSR
stands for "Terminate and Stay Resident", allowing pop-ups and
other useful programs to be created. A worm could create a
program which leaves a bit of slime behind. Programs like
Borland's SideKick program, a wonderful program and certainly not
a Trojan or virus, is probably the best known TSR. FLU_SHOT+
will advise you if any program attempts to go TSR which you
haven't already registered in your FLUSHOT.DAT file.
Finally, FLU_SHOT+ will also now pop-up a little window in the
middle of your screen when it gets triggered. It also will more
fully explain why it was triggered. The pop-up window means that
your screen won't get screwed up beyond recognition -- unless
you're in graphics mode when it pops up. Sorry, 'dems the
breaks!
9
About FLUSHOT
Registering FLU_SHOT+
=====================
FLU_SHOT+ is not a free program. You're encouraged to use it, to
distribute it to your friends and co-workers. If you end up not
using it for some reason, let me know why and I'll see if I can
do something about it in the next release.
But, the right to use FLU_SHOT+ is contingent upon you paying for
the right to use it. I ask for ten dollars as a registration
fee, plus a four dollar shipping and handling fee. This entitles
you to get the next update shipped to when available. And allows
you to pay me, in part, for my labor in creating the entire
FLU_SHOT series. I don't expect to get my normal consulting rate
or to get a return equal to that of other programs which I've
developed and sell through more traditional channels. That's not
my intent, or I would have made FLU_SHOT+ a commercial program
and you'd be paying lots more money for it.
Some people are uncomfortable with the shareware concept, or
believe that there ain't no such thing as Trojan or Virus
programs, and that a person who profits from the distribution of
a program such as FLU_SHOT must be in it for the money.
I've created an alternative for these folks. I'll call it
"charityware" [first called that, to my knowledge, by Roedy
Green]. You can also register FLU_SHOT+ by sending me a check
for $10 made out to your favorite charity. Be sure to include a
stamped and addressed envelope. I'll forward the monies onto
them and register you fully.
Of course, if you wish, you can send me a check for more than
$10. I'll cash it gladly (I'm no fool!).
[Subscribers of the Big Blue Disk are still encouraged to
register this program, although a special arrangement with Big
Blue allows them to distribute this program without requiring
that subscribers of the program register it. However, if you
don't register it diorectly with us, you won't be entitled to any
technical support from us, nor will you be advised of future
releases. For more information, contact Big Blue directly.
They're pretty reasonable folks and can provide you with very
good technical support.]
Site Licensing of FLU_SHOT+
===========================
So, you run the computer department of a big corporation, you got
a copy of FLU_SHOT+, decided it was wonderful and that it did
everything you wanted and sent in your ten bucks. Then you
distributed it to your 1000 users.
10
Not what is intended by the shareware scheme. *Each* site using
FLU_SHOT+ should be registered. That's ten bucks a site, me
bucko! Again, make the check out to charity if you're
uncomfortable with the idea of a programmer actually deriving an
income from their work.
However, if you've really got 1000 computers, you should give me
a call. As much as I'd like to get $10 for each site, that
wouldn't be fair to you. So, quantity discounts are available.
Shipping and Handling
=====================
Each order for FLU_SHOT+ must also include a $4 shipping and
handling charge. Sorry, but the economics don't allow me not to.
11
Using FLU_SHOT+
The FLUSHOT.DAT file
====================
FLU_SHOT+ is table driven by the contents of the FLUSHOT.DAT
file. This file normally exists in the root directory of your C:
drive (C:\FLUSHOT.DAT).
A little later in this document you'll see how to disguise the
data file name, making life tougher for the worms out there. But
for the purposes of this document, we'll assume that the file is
called C:\FLUSHOT.DAT.
The FLU_SHOT+ program will read this data file exactly once. It
reads the data from the data file into memory and overwrites the
name of the data file in so doing. A little extra protection in
hiding the name of the file.
This data file contains a number of lines of text. Each line of
text is of the form:
<Command>=<filename><options>
Command can be any one of the following characters:
P - Write Protect the file named
R - Read Protect the file named
E - Exclude the file named from matching P or R lines
T - The named file is a legitimate TSR
C - Perform checksum operations on the file named
The filename can be an ambiguous file if you wish for all
commands except the 'T' and 'C' commands. This means that:
C:\level1\*.COM
will specify all COM files on your C: drive in the level1
directory (or its sub-directories). Specifying:
C:\level1\*\*.EXE
would specify all EXE files in subdirectories under the C:\level1
directory, but would not include that directory itself.
You can also use the '?' operator to specify ambiguous characters
as in:
?:\usr\bin\?.COM
would be used to specify files on any drive in the \usr\bin
directory on that drive. The files would have to be single
letter filenames with the extension of 'COM'.
Ambiguous file names are not allowed for the 'T' and 'C' options.
12
Using FLU_SHOT+
Protecting files from Write Access
==================================
Use the 'P=' option to protect files from write access. To
disallow writes to any of your COM, EXE, SYS, and BAT files,
specify lines of the form:
P=*.COM
P=*.EXE
P=*.SYS
P=*.BAT
which protects these files on any disk, in any directory.
Protecting files from Read Access
=================================
Similarly, you can use the 'R' command to protect files from
being read by a program (including the ability to 'TYPE' a
file!). To prevent read access to all of your BAT files, use a
line such as:
R=*.BAT
Combinations of R and P lines are allowed, so the combination of
the above lines would prevent read or write access to all batch
files.
Excluding files
===============
Programmers in particular should find usage for the 'E' command.
This allows you to exclude matching filenames from other match
operations. Assume you're doing development work in the
C:\develop directory.
You could exclude FLU_SHOT+ from being triggered by including a
line such as:
E=C:\develop\*.*
Of course, you might have development work on many disks under a
directory of that name. If you do, you might include a line
which looks like:
E=?:\develop\*.*
or
E=*\develop*
13
Checksumming files
==================
This line is a little more complicated than others and involves
some setup work. It's worth it though!
A checksum is a method used to reduce a files validity into a
single number. Adding up the values of the bytes which make up
the file would be a simple checksum method. Doing more complex
mathematics allows for more and more checking information to be
included in a test.
If you use a lie on the form:
C=C:\COMMAND.COM[12345]
then when FLU_SHOT+ first loads it will check the validity of the
file against the number in the square brackets. If the checksum
calculated does not match the number presented, you'll be advised
with a triggering of FLUSHOT, which presents the correct
checksum.
When you first set up your FLUSHOT.DAT file, use a dummy number
such as '12345' for each of the files you wish to checksum.
Then, when you run FLUSHOT, you should copy down the "erroneous"
checksum presented. Then, edit the FLUSHOT.DAT file and replace
the dummy number with the actual checksum value you had copied
down. Voila! If even one byte in the is changed, you'll be
advised the next time you run FLU_SHOT+.
But wait! There's more! Not available in stores!
Sorry. I got carried away.
Seriously, there is more. When a "checksummed" file is loaded by
MS-DOS, it will, by default, be checksummed again. So, if you
had a line such as:
C=C:\usr\bin\WS.COM[12345]
the venerable old WordStar program (still *my* editor of choice!)
would be checksummed each time you went to edit a file.
Of course, you might not want the overhead of that checksumming
to take place each time you load a program. Therefore, a few
switches have been added. The switches are place immediately
after the ']' in the checksum line:
C=C:\usr\bin\WS.COM[12345]<switch>
These switches are:
,n - will only checksum the file only 'n' times. Only
one digit allowed.
14
- - Only checksum this file when FLU_SHOT+ first
loads. ',1' and '-' are equivalent.
+ - Only checksum this file when it is loaded and
executed, not when FLU_SHOT+ first loads
Therefore, if you wished to only check your WS.COM file when you
first loaded the FLU_SHOT+ program, you'd specify a line as:
C=C:\usr\bin\ws.com[12345],1
or
C=C:\usr\bin\ws.com[12345]-
If you wished to checksum your program called "MY_PROG.EXE" only
when it was used, try:
C=C:\path\MY_PROG.EXE+
Registering a TSR program
=========================
Any unregistered TSR program which is run after FLU_SHOT+ will
cause a trigger when they "go TSR". You can register a program
so no trigger goes off by specifying it in a line such as:
T=C:\usr\bin\tsr_s\sk.com
which will keep FLU_SHOT+ from complaining about sk.com. Make
sure to take a look at the '-T' option, specified in the next
section.
Protecting the FLUSHOT.DAT file
===============================
Obviously, the weak link in the chain of the protection which
FLU_SHOT+ offers you is the FLUSHOT.DAT file.
You would think that you'd want to protect the FLUSHOT.DAT file
from reads and writes as specified above. However this, too,
leaves a gaping security hole: memory could be searched for it,
and it could be located that way. A better alternative exists.
In the distribution package for FLUSHOT+ exists a program called
FLU_POKE.COM. This program allows you to specify the new name
you wish to call the FLUSHOT.DAT file. Simply type:
FLU_POKE <flushot_name>
where <flushot_name> represents the full path filename of your
copy of FLU_SHOT+.
You'll be prompted for the name of the FLUSHOT.DAT file. Enter
the name you've selected (remember to specify the disk and
15
directory as part of the name). Voila! Nothing could be easier.
Protection Recommendations
==========================
Here's a sample FLUSHOT.DAT file, basically the same one included
in the archive. Your actual checksums will differ, and you may
want to modify what files and directories are protected.
Obviously, your exact needs are different than mine, so consider
this a generic FLUSHOT.DAT:
P=*.bat
P=*.sys
P=*.exe
P=*.com
R=*AUTOEXEC.BAT
R=*CONFIG.SYS
E=?\dev\*
C=C:\COMMAND.COM[12345]-
C=C:\IBMBIO.COM[12345]-
C=C:\IBMDOS.COM[12345]-
Allowing "dangerous" programs to run
====================================
In some cases, though, you'll still want the ability to ler
"trusted" programs to run -- even if they are potentially
dangerous. A good example of this is the DOS FORMAT program:
here is a program specifically designed to overwrite the data on
your disk in such a way that it would be difficult, at best, to
recover. Yet, the program is a necessary part of your day-to-day
computer usage.
Therefore, the 'X=' switch has been added in to allow a program
such as FORMAT to run without interruption. THIS IS A POTENTIAL
SECURITY HOLE. To prevent an 'X=' program from being corrupted,
I suggest you also include any 'X=' program as both a 'C=' and a
'P=' program as well: any writes to the file would cause
FLU_SHOT to trigger, and you wouldn't be able to run a modified
program without first giving FLU_SHOT permission. Use 'X='
sparingly. I'm rather uncomfortable with it myself.
16
Invoking FLU_SHOT+
Running FLUSHOT+
================
For extra protection, after you've run FLU_POKE, you should
rename the FLU_SHOT+ program is something unique and meaningful
to you, but not a worm.
Assuming you didn't rename it, however, you could invoke the
program simply by typing:
FSP
when at the prompt. That's all there is to it. When you're
satisfied, you can add it to your AUTOEXEC.BAT file, after all of
your trusted programs have run.
But there are some options you should know about:
Checking CMOS - How often?
==========================
The CMOS, as described earlier in this document, is a spot
wherein a worm can just make things a bit miserable for you when
you next boot your system. However, FLU_SHOT+ allows you to
protect the contents of your CMOS against such a worm.
*CMOS Only exists on AT class and better machines!!!*
You must specify the '-C' option when you invoke the FLU_SHOT+
program in order to have your CMOS safeguarded. There is a check
done whenever DOS is accessed to determine if the CMOS has
changed. This causes a slight performance penalty. CMOS is
checked on a regular basis -- a reasonable trade-off between the
utility of the CMOS check and the annoyance of a slight
performance degradation. The default is set to one second. You
may modify that default, if you wish, by using the '-In' option,
where the 'n' represents how frequently, in seconds you wish to
have CMOS checked.
Checksumming the in-memory table
================================
Since the wily worm may well be able to thwart some of the
efforts of FLU_SHOT+ by playing nasty games with the in-memory
copy of the FLUSHOT.DAT file, FLU_SHOT+ will also check this
table against a checksum it generates on a regular basis. If the
table gets corrupted, you'll be advised of it. This table is
checked with the same frequency as the CMOS is checked, and this
frequency can, therefore, be changed with the '-In' option as
well.
17
Intercepting Direct Disk Writes Through INT13
=============================================
The default operation of FLU_SHOT+ is to intercept and examine
every call to the direct disk routines. You can *disable* this
by including the '-F' switch on your command line:
FSP -F
This is not recommended, but exists primarily for developers who
can't use the constant triggering one of their programs may
cause.
What about INT26
================
Similarly, the same exists for the direct writes which normally
are only made by DOS through interrupt 26. Again, I do not
recommend you disable the checking, but if you desire to do so,
use the '-D' switch.
Turning off the header message
==============================
If you've no desire to see the rather lengthy welcome message
which is displayed when you first use FLU_SHOT+, use the '-h'
switch.
Allowing Trusted TSR's to Work
==============================
Normally, you'd load all of your trusted TSR's before FLUSHOT+ is
loaded from within your AUTOEXEC.BAT file. However, you might
want to use SideKick once in a while, removing it from memory as
you desire. This could cause some problems, since SideKick, and
programs like it, take over certain interrupts, and FLU_SHOT+
could get confused about whether this is a valid call or a call
that shouldn't be allowed. Normally, FLU_SHOT+ will trigger on
these calls, which is safer, but can be annoying. If you use the
special '-T' switch upon program invocation, then calls which
trusted TSR's (those specified with the 'T=' command in your
FLUSHOT.DAT file) make will be allowed. Understand, please, that
this basically means that calls made by a Trojan while a trusted
TSR is loaded may not be caught. Please, use this switch with
caution!
Disabling FLU_SHOT+
===================
There may be times when you're about to do some work which you
know will trigger FLU_SHOT+. And you might not want to be
bothered with all of the triggering, the pop-up windows and your
need to respond to each trigger. If you look in the upper right
hand corner of your screen, you'll see a '+' sign. This
indicates that FLU_SHOT+ is monitoring and attempting to protect
your system. Depress the ALT key three times. Notice that the
'+' sign' turned into a '-'? Well, FLU_SHOT+ is now disabled,
18
and will not trigger on any event. If you depress the ALT key
three more times, you'll see the '-' turn back into a '+' -- each
time you depress the ALT key three times, FLU_SHOT+ will toggle
between being enabled and disabled.
Disabling FLU_SHOT+ Toggle Display
==================================
Alas, there are graphics applications which will be screwed up be
the '-' or '+' in the upper right hand corner of your display.
Therefore, if you depress the CTRL key three times, you'll be
able to toggle the display capability of FLU_SHOT+. The default
configuration of FLU_SHOT+ is to "come up" with display turned
on. You can reverse this capability if you include the '-G' (for
graphics) switch on your command line when you run FLU_SHOT+.
Forcing FLU_SHOT+ to only use the BIOS
======================================
Certain machines are not totally compatible with the IBM BIOS,
which is the BIOS for which FLU_SHOT+ was written. Because
FLU_SHOT has to be able to deal with the hardware in a pretty
direct manner in order to "pop-up" a screen, these machines were
not able to use FLU_SHOT. If you specify the '-B' switch in your
command line when you first run FLU_SHOT+, then only the BIOS
will be used for screen output. This is *drastically* slower
than direct screen memory writes (the method used unless you
specify to use the BIOS), but at least it works.
Putting FLU_SHOT+ to sleep when run
===================================
One of the idiosyncrasies of DOS is how a batch file is
processed. Basically, DOS opens the batch file, reads the next
command, closes the batch file, executes the command, and then
starts over again until the batch file is exhausted of commands.
This would, normally, not be a problem, but can become when you
opt to place the FLU_SHOT command line in your AUTOEXEC.BAT file
*and* you've opted to Read Protect (with the 'R=' option) the
AUTOEXEC file itself: you'll be advised that some program is
reading this protected file. Not a big deal, really, but
certainly a hassle when you fist boot up your system. Therefore,
protections within FLU_SHOT are not turned on a certain amount of
time. The default is set to ten seconds, or until you enter a
key. You can modify the default "sleep" time by entering a '-Sn'
option on the command line, where 'n' represents the number of
eighteenths of a second (1/18) you wish to have FLU_SHOT+ sleep
before becoming active. Since you will most likely have
FLU_SHOT+ as one of the final commands in your AUTOEXEC.BAT, you
probably won't have to modify this parameter, but the capability
exists, nonetheless.
19
Interpreting a FLU_SHOT+ Trigger
================================
So, you've run FLU_SHOT+, and you're at your C> prompt. Great!
Now stick a blank disk which you don't care about into your A:
drive and try to format it.
Surprise! FLU_SHOT+ caught the attempt! You have three choices
now: typing 'Y' allows the operation to continue, but the next
one will be caught as well. Typing a 'G' (for Go!) allows the
operation to continue, disabling FLU_SHOT+ until an exit from the
program is made. When FLU_SHOT+ is in the 'G' state, a 'G' will
appear in the upper right hand corner of your screen.
Any other key will cause a failure of the operation to occur.
When you've got FLU_SHOT+ running and you get signaled that there
is a problem, you should think about what might have caused the
problem. Some programs, like FORMAT, or the Norton Utilities or
PC-Tools, or DREP have very good reasons for doing direct reads
and writes to your hard disk. However, a public domain checkbook
accounting program doesn't. You'll have to be the judge of what
are legitimate operations and which are questionable.
There is no reason to write to IBMBIO or IBMDOS, right?
Wrong!
When you format a disk with the '/S' option, those files are
created on the target diskette. The act of creating, opening up
and writing those files will trigger FLU_SHOT+ as part of its
expected operation. There are many other legitimate operations
which may cause FLU_SHOT+ to trigger.
So will copying a COM or EXE file if you have those protected
with a 'P=' command. FLU_SHOT+ is not particularly intelligent
about what is allowed and what isn't. That's where you, the
pilot, get to decide.
Here's a fuller listing of the messages which you might see when
you're using FLU_SHOT+:
Checking ===><filename>
This message is displayed as FLU_SHOT+ checks the checksum on all
of the "C=" files when you first invoke FLU_SHOT+. The files
must be read in from disk, their checksum calculated and then
compared against the value you claim the checksum should equal.
20
If the checksum does *not* equal what you claim it should (which
means that the file may have been written to and might therefore
be suspect), a window will pop up in the middle of your screen:
+===============================================================+
| Bad Checksum on <filename> |
| Actual Checksum is: <checksum> |
|Press "Y" to allow, "G" to go till exit, any other key to exit.|
+===============================================================+
This message simultaneously advises you there is a problem with
the checksums not matching, shows you what the checksum should be
and then awaits your response.
Except for the initial run of FLU_SHOT+, if you type a 'Y' or a
'G', then the program will load and execute. Typing any other
key will cause the program to abort and for you to be returned to
the C> prompt. When FLU_SHOT+ is in the 'G' state, a 'G' will
appear in the upper right hand corner of your screen.
If this is the initial run of FLU_SHOT+, however, you'll be
advised of the program's actual checksum, but FLU_SHOT+ will
continue to run, checking all remaining "C=" files in the
FLUSHOT.DAT file.
If you're running a program and you see a screen like:
+================================================================+
| ? WARNING! TSR Request from an unregistered program! |
|Number of paragraphs of memory requested (in decimal) are:<cnt>|
| (Press any key to continue) |
+================================================================+
you're being advised that a program is about to go TSR. If this
is a program you trust (such as SideKick, of KBHIT, or a host of
other TSR programs you've grown to know and love), then you
should considering installing a "T=" line in the FLUSHOT.DAT file
so that future runs of this program will not trigger FLU_SHOT+.
However, if you get this message when running a program you don't
think has any need to go TSR (such as the proverbial checkbook
balancing program), you should be a little suspicious. Having a
TSR program is not, in of and of itself, something to be
suspicious of. But having one you don't expect --- well, that's
a different story.
Most TSR's "hook into" an interrupt vector before they go TSR.
These hooks might intercept and process key strokes ("hotkeys"),
or they might hook and intercept direct disk writes themselves.
In any event, FLU_SHOT+ (in this version!) doesn't have the
smarts to do more than advise you of the TSR'ing of the program.
If you're truly suspicious, reboot your machine immediately!
21
If a program attempts to write directly to the interrupts which
are reserved for disk writes, FLU_SHOT+ will also be triggered
and you'll see something like:
+===============================================================+
|====>Direct Disk Write attempt by program other than DOS! <====|
| (From Interrupt <xx>) |
|Press "Y" to allow, "G" to go till exit, any other key to fail.|
+===============================================================+
where the <xx> represents either a 13 (indicating a direct BIOS
write to the disk) or a 26 (indicating a direct DOS write).
Again, pressing a 'Y' or a 'G' allows the operation to continue,
pressing any other key will cause the operation to return a
failed status to DOS, and the operation will not take place. When
FLU_SHOT+ is in the 'G' state, a 'G' will appear in the upper
right hand corner of your screen.
If an attempt is made to format your disk, which may be a
legitimate operation made by the DOS FORMAT program, you'll see a
message such as:
+===============================================================+
| ====>Disk being formatted! Are You Sure?<==== |
| |
|Press "Y" to allow, "G" to go till exit, any other key to fail.|
+===============================================================+
which follows similarly to the direct disk write operations. You
should question whether the format operation is appropriate at
the time and take whatever action you think is best.
If one of your protected files is about to be written to, you'll
see a message like:
+===============================================================+
|Write access being attempted on: |
| <filename> |
|Press "Y" to allow, "G" to go till exit, any other key to fail.|
+===============================================================+
where <filename> represents the file you're trying to protect
from these write operations. Your red flag should fly, and you
should question why the program currently running should cause
such an operation.
22
You may also see the same type of message when one of your "Read-
Protected" files is being accessed:
+===============================================================+
|Read Access being attempted on: |
| <filename> |
|Press "Y" to allow, "G" to go till exit, any other key to fail.|
+===============================================================+
Again, the same red flag should fly, but it doesn't mean that
you're infected with some nasty virus program! It could be
something harmless or intended. You'll have to be the judge.
+===============================================================+
|Open File with Write access being attempted on: |
| <filename> |
|Press "Y" to allow, "G" to go till exit, any other key to fail.|
+===============================================================+
If you see the above message: Don't Panic! When a program opens
a file, it may open the file for different types of access. One
access method prohibits writing to the file. Another allows you
to write to the file. However, lazy programmers (myself included
in this category from time to time) will often open a file for
read *and* write access, even though they have no intention of
ever doing a write into the file. FLU_SHOT+ isn;t smart enough
to be able to figure out what a program *might* do in the future,
so it will alert you to an attempt to open the indicated
protected file with write access allowed. Again, you'll have to
consider whether the program opening the file is a "trusted"
program or not and you'll have to then decide what action to
take.
There are three separate messages you'll see if a program
attempts to rename a protected file (you'll only see one of these
messages at a time, though):
+===============================================================+
|FCB Rename being attempted on source file: |
|FCB Rename being attempted on target file: |
|Handle Rename being attempted on: |
| <filename> |
|Press "Y" to allow, "G" to go till exit, any other key to fail.|
+===============================================================+
This indicates what type of operation is attempting to rename a
protected file. FCB's are a relic of the older CP/M days, and
"handles" are a newer concept, a little more modern. In any
event, this tells you that a file is being renamed. It is
possible that a trojan or virus writer will attempt to rename an
existing protected file to some other name, then rename a
trojaned or virused program in its stead. FLU_SHOT will alert yu
to this action: again, though, you'll have to decide what to do
about it.
23
+===============================================================+
|Delete being attempted on: |
| <filename> |
|Press "Y" to allow, "G" to go till exit, any other key to fail.|
+===============================================================+
Pretty much self-evident as to what's happening here, there are
very few reasons why one of the files you've opted to protect
should be deleted.
Finally, you may see a message like:
+===============================================================+
| ====>CMOS has been changed!<==== |
| |
| Hit "Y" to continue, any other key to restore CMOS. |
+===============================================================+
which indicates that your CMOS has been changed while you weren't
looking. Or maybe you were: if you're running a setup program
which changes the date or the time, or the disk type attached to
your AT class machine, this message should pop up. Losing your
CMOS is not fatal, but can be an annoyance. If you hit a 'Y',
then the new setting of the CMOS will be stored and you'll be
able to continue, with alerts to any other change to the CMOS.
Any other key will result in the original setting of the CMOS
being restored.
24
How Good is FLUSHOT+, Really?
FLU_SHOT+ is a pretty handy piece of code. But, it can't
absolutely protect you from a worm. No software can do that.
Discussed below are some hardware devices which no worm can get
through.
There are ways around FLU_SHOT+. I'm of two minds about
discussing them, since the worms out there are reading it this,
too. So I'll only discuss them in passing. And I'll tell you
what I use here to protect myself from worms. First, though, a
little story to tell you what it's like here, and how I protect
myself from getting wormed.
The RamNet Bulletin Board System site I run is open access. No
need to register, or to leave your phone number or address,
although a note to that effect is always appreciated. As
mentioned above, I dare the worm to try to affect the disk of
somebody who can fight back. A couple of of worms have tried and
I have a nice collection of Trojans and viruses. Obviously, I
run FLU_SHOT+ on my board, along with checking incoming files
with CHK4BOMB. My procedure for testing out newly uploaded code
involves me doing a backup, installing all sorts of software to
monitor what is going on, and doing a checksum on all files on
the disk. I then try out all of the code I get, primarily to
determine if the code is of high enough quality to be posted.
After testing out all of the weeks uploads, I run the checksum
program again to determine of any of my files might have been
modified by a worm's virus program.
Recently, what looked like a decent little directory lister was
posted to the board. For some reason I've yet to fathom,
directory aid programs seem to be the ones which have the highest
percentage of Trojans attached to them.
This directory aid program listed my directories in a wonderful
tree structure, using different colors for different types of
files. Nice program. When it exited, however, it went out and
looked for a directory with the word "FLU" in it. Once it found
a directory with a match in it, it proceeded to try to erase all
of the files in that directory. An assault! No big deal. That's
what backups are for.
But it brings up an interesting point: I was attacked by a
clever worm, and it erased a bunch of files which were pretty
valuable. All of the protection I had would have been for naught
if I didn't use the first line of defense from these worms: full
and adequate backup.
I've spent three years of my life developing one particular
software package. Imagine what would have happened if that had
been erased by a worm! Fortunately, I make backups at least once
a day, and usually more frequently than that. You should, too.
Now, I quarantine that machine as well. I spent a couple of
25
dollars and bought a bunch of bright red floppy disks. The basic
rule around here is that Red Disks are the only disks that go
into the BBS machine, and the Red Disks go into no other machine.
You see, I *know* that there is some worm out there who is gonna
find some way to infect my system. No matter what software
protection I use, there *is* a way around it.
You needn't be concerned though -- you're making backups on a
regular basis, right? And, you aren't asking for trouble. I am,
I expect to find it, and it is sort of amusing to see what the
worms out there are wasting their efforts on.
At this point, Trojans and Viruses are becoming a hobby with me:
watching what the worms try to do, figuring out a way to defend
against it, and then updating the FLU_SHOT series.
However, there is a possibility that the FLU_SHOT series (as well
as other protection programs which are just as valuable) are
causing an escalation of the terms of this war. The worms out
there are sick individuals. They must enjoy causing the damage
they do. But they haven't the guts to stand up and actually do
something in person. They prefer to hide behind a mist of
anonymity.
But you have the ultimate defense! No, not the FLU_SHOT+
program.
FULL AND ADEQUATE BACKUPS!
There are a variety of very good backup programs which can save
you more work than you can imagine. I use the FASTBACK+ program,
which is a great little program. I backup 30Megs once in a
while, and do an incremental backup on a very frequent basis.
There are a variety of very good commercial, public domain, and
shareware backup programs out there. Use them! Because, no
matter what software protection you use, somebody will find a way
around it once day. But they can't find a way around your
backups. And, if you (and everyone else) do regular backups,
you'll remove the only joy in life these worms have. They'll
kill themselves, hopefully, and an entire subspecies will be
wiped out -- and you'll be partially responsible!
My advance thanks for helping to exterminate these little
slimebuckets. But that brings me to something else.
26
Reward Offered
Somebody out there knows who the worms are. Even they must have
someone who is a friend. True, I can't think of any reason
someone would befriend a worm. But somebody who doesn't know
better has.
Well, I'm offering a reward for the capture and conviction of
these worms.
Enough already with software protection schemes, hardware
protection schemes, or any protection at all. It shouldn't be
required, dammit!
Here's the deal:
In this archive is a form called REWARD.FRM. If you're a
software or hardware manufacturer, or you have some software or
hardware you don't need, consider filling out that form, and
donating it to a worthy cause. I don't know what the legal and
tax ramifications of that donation would be. I'm not a lawyer
and we can cross that bridge when we get to it.
Anyway, if you know one of these worms, turn them in! Call me
up, send me a letter, a telegram, or leave a message for me on my
BBS. Indicate who you *know* is worming about. I'll keep your
name confidential.
It is surprisingly easy to get the authorities in on this --
they're as concerned about what is happening to our community as
we are. I'll presume that they'll end up putting a data tap on
the phone line of the accused worm. Then, when he next uploads a
Trojan or a virus to a BBS, he'll get nailed. The authorities
are pretty good about this stuff: they'll not tap a phone or take
any action whatsoever without adequate proof. Will your dropping
a dime on this worm be adequate proof? I don't know. Again, a
bridge to cross when we approach it.
However, assuming that this slimeball gets nailed, you'll get all
of the software and hardware which other people have donated. And
the satisfaction of knowing that you've done a Good Thing, that
you've helped an industry and community continue to grow. This
*is* your community, and the vast majority of people in it are
good people who shouldn't have to fear from your friend. Your
friend is not really a friend: he uses you to justify his own
existence. When someone uses you like that, they're not a
friend, they're a leach. And you've probably got better things
to do then let somebody use you like that.
Most importantly, the worm out there won't know if one of his
friends has already turned him in. So he won't know if his phone
is tapped. If *I* were a worm, and considering what kind of
friends I would have, I'd be sure that somebody dropped a dime on
me. And therefore an intelligent worm (perhaps I'm giving the
worm too much credit?) must presume that their line is tapped and
27
that they're gonna go to jail if they continue what they're
doing.
So just stop, you miserable little lowlife, huh? You're going to
be arrested. You're going to have to put up with indignities
which even you don't deserve! Your equipment will be
confiscated. You'll never get a job in the industry. You're
going to go to jail.
All because one of your friend's actually has a conscience and
knows what is right and what is wrong. And what you're doing is
wrong.
So, let me get back to the kind of programming I enjoy --
productive programming. And turn your programming to useful,
interesting, and productive programming. You have the talent to
do something useful and good with your life. What you're doing
is hurting the industry and hurting the community which would
welcome someone with your talents with open arms.
And the satisfaction of helping far surpasses the satisfaction
you must get from hurting innocent people.
So just stop.
Sincerely, Ross M. Greenberg
28