2,000 Greater & Lesser Mysteries

home *** CD-ROM | disk | FTP | other *** search

/ 2,000 Greater & Lesser Mysteries / 2,000 Greater and Lesser Mysteries.iso / computer / virus / mys00508.txt < prev

Wrap

Text File | 1994-06-10 | 500.6 KB | 10,801 lines

========================================================================= Date: Mon, 1 Aug 88 01:19:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: S9RR@MCGILLB Subject: PERFECT VIRUS Just a hunch I had about that note threatening the advent of the PERFECT virus: might this be about a virus targetting the new WordPerfect 5.0? It seems to me that WP 5.0 is going to be spread around quickly and widely, furnishing a powerful vehicle for a virus. Sound plausible? ========================================================================= Date: Mon, 1 Aug 88 07:59:04 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1> Subject: Re: "Bug" in mailer? In-Reply-To: Message of Sat, 30 Jul 88 00:51:49 CST from <JFORD1@UA1VM> > Well folks, I'm not sure who to send this to, but since it was to >Loren (LKK0 at LEHIIBM1) this list seems to be as good as any. Apparently, Loren forgot what his e-mail address is when he broadcast it to this list. Loren Keim's address is <LKK0@LEHIGH.BITNET>, not ..@LEHIIBM1. LEHIIBM1 is a CMS system for staff use only here at Lehigh; Loren's account is on LEHIGH since he is not a member of the LUCC staff. Ken Kenneth R. van Wyk Milo: We're out of helium for the User Services Senior Consultant balloons! Who's been suckin' Lehigh University Computing Center the helium?! Internet: <luken@Spot.CC.Lehigh.EDU> Gang: Not me! Not me! ... BITNET: <LUKEN@LEHIIBM1> Opus: Eeeeeep! Eeeeeep! ========================================================================= Date: Mon, 1 Aug 88 10:08:15 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Joe McMahon <XRJDM@SCFVM> Subject: Re: interesting statistic In-Reply-To: Message of Fri, 29 Jul 88 17:29:00 EDT from <WWEAVER@DREW> > ... says there have already been 250,000 outbreaks. He estimates that >40 of the nation's largest industrial companies have been infected..." Gee, did everybody call? :-) --- Joe M. ========================================================================= Date: Mon, 1 Aug 88 10:17:24 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Joe McMahon <XRJDM@SCFVM> Subject: Re: Time Bomb Carrier Programs... In-Reply-To: Message of Sat, 30 Jul 88 18:45:27 EDT from <XRAYSROK@SBCCVM> > ... does anyone know of any viruses which are embedded in a program >and are dormant until the program is run (like a trojan horse) or >perhaps are dormant until after a certain date and the program has been >spread around? A malicious virus which does not actively spread until >after a certain date could be really dangerous couldn't it? If the >carrier program were highly desirable (except for the dormant virus), >individuals could spread the virus without knowing it, and it would be >IMPOSSIBLE to detect the dormant virus before the activation date >without actually dissecting the carrier program. Hence the virus >could be passively and undetectably distributed until some date, and >then it could begin to spread actively (and simulataneously) from all >the copies of program wherever they might be. And it would be a while >before the carrier program would be incriminated, because of the delay >between "innoculation" and full-blown infection (like AIDS). Congratulations! You have just described the "incubation period" that the Mac's SCORES virus has :-). It sits around for 4 days before starting to infect applications, and THEN waits another 2 before doing its nasties to the VULT and ERIC applications. --- Joe M. ========================================================================= Date: Mon, 1 Aug 88 10:27:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: WHMurray@DOCKMASTER.ARPA Subject: Re: Legal implications In-Reply-To: Message of 31 Jul 88 23:10 EDT from "Robert Newberry" Robert Newberry asks: 1. If it is actually legal to start spreading computer diseases. 2. Court decisons on computer disease related cases. Can a victim sue the creator of a virus for loss of important data. In general under common law, that which is not explicitly forbidden is implicilty permitted. Even lying is permitted up to a point. One limit is lying in an attempt to defraud. However, except when it is explicitly restricted in such a way, there is no generic law that could be expected to cover all viruses. I am not aware of any applicable litigation. One should assume that he can be sued for anything. However, the burden of proof is usually on the one bringing suit. He must be able to prove that he was damaged, by the act of another, and that that act was deliberate or, at least, negligent. The proof must be "by a preponderance of the evidence." Proving any of these things by such a test is always difficult. In the case of a virus, it would be very difficult at best. (This information is intended as general information; proper legal counsel should be used to evaluate any case or instance or to guide your behavior.) William Hugh Murray, Fellow, Information System Security, Ernst & Whinney 2000 National City Center Cleveland, Ohio 44114 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 ========================================================================= Date: Mon, 1 Aug 88 10:32:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> Comments: Resent-From: WHMurray@DOCKMASTER.ARPA Comments: Originally-From: WHMurray@DOCKMASTER.ARPA From: WHMurray@DOCKMASTER.ARPA Subject: "2600" Quarterly, Summer, 1988 The current issue of 2600 carries a lengthy article by Ross Greenberg on viruses and FLUSHOT. In it, he uses very colorful language (much of it ripped off from "Dirty Harry" by Ronbo) to describe those who would perpetrate viruses. Of interest is that this article was published by 2600, "The Hacker Quarterly." This publication has promoted its anti-establishment (not to say anarchist) bias and origins. Does their publication of Ross' article suggest that they are maturing and becoming memebers of the establishment that they have so long opposed? Or, does it suggest that hackers are beginning to recognize that they, perhaps more than others, have an interest in honest labelling of programs? Bill William Hugh Murray, Fellow, Information System Security, Ernst & Whinney 2000 National City Center Cleveland, Ohio 44114 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 ========================================================================= Date: Mon, 1 Aug 88 11:15:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: WHMurray@DOCKMASTER.ARPA Subject: Re: interesting statistic In-Reply-To: Message of 29 Jul 88 17:29 EDT from Woody "No one knows how many viruses have been planted. But John D. McAfee, a virus expert at InterPath Corp., a security consulting firm in Santa Clara, Calif., says there have already been 250,000 outbreaks. He estimates that 40 of the nation's largest industrial companies have been infected..." Another quote that I am glad was not attributed to me. He must be counting every execution as an "outbreak." ( I like F. Cohen's 10K estimate better.) I might agree that "low tens" of "institutions" "may have seen" a virus but "40 of the nation's largest industrial companies have been infected..." seems a little strong. William Hugh Murray, Fellow, Information System Security, Ernst & Whinney 2000 National City Center Cleveland, Ohio 44114 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 ========================================================================= Date: Mon, 1 Aug 88 11:04:00 MDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: CEARLEY_K%wizard@VAXF.COLORADO.EDU Subject: Late Comments Re: previous response to why COMMAND.COM was padded with zeros and the answer was to protect from shipping damage!?? A case for linguistic determinism? I don't think media damage would confine itself to that last portion of the program as if treating the zeros as bubble insulates or was that humor? Or is this humor? Tactics... A relatively effective software strategy for an anti-viral program might be to use the timer interrupt. It is done by installing a TSR which implements two functions: 1- When loaded, it intercepts the timer interrupt vector. It then times its own execution and stores this duration with a checksum. This prevents its interrupt from being preempted by using timing dependencies. 2- At 18 times per second, it compares interrupt vectors for modifications, these are flagged and, if restricted, they are disabled. The resolution is somewhat coarse considering the number of machine instructions that can execute between intervals, but it can effectively arrest the destruction of data. *-----------------------------------------------------------------------* | Kent Cearley | "All truth contains its own | | Management Systems | contradiction" | | University of Colorado | | *-----------------------------------------------------------------------* ========================================================================= Date: Mon, 1 Aug 88 13:16:33 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Robert, I've been looking for laws concerning viruses for some time, and havn't found any. I have located three laws which I will summarize when I have them in front of me. They basically state that it is illegal to enter a computer system that is not their own or that they don't rightly have access to because its a form of breaking an enterring ... fi their computer enters it, they are responsible, or if some program they wrote enters it, they are responsible. It is also illegal to read other people 's mail on the system, even if it is your own companies system. And its illegal to change anything on a system which you were not specidfically asked to change by the user, fi I remember correctly. As for a Wrod Perfect virus. I hadn't considered the implications of the word PERFECT (no pun intended). As I remember, some school had writtena letter to this listserv back in Frebrauary (please excuse my typing ... my terminal will not backspace with this machine), about a word perfect virus (Miami?). They were complaining about it being a varient for m of the brain which would attack the program Word Perfect if memory serves. I'll have to look back through my files for it. Also, 250,000 outbreaks is a bit high. If therey are counting number of disks infected, that might be a little low. We had around 600 disk infected at Lehigh alone with the first outbreak of a virus here. Figures of the Israeli virus put it at around 18000 copies found (althou that number counldn't be backed up by anytone.) Loren ========================================================================= Date: Mon, 1 Aug 88 13:20:13 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Kent, The idea you present makes the microcomputer unusable unless it has multiple motherchips. (Actually, a TSR chip can be added which works like any chip run on interrupts). You cannot implement you idea in software. ========================================================================= Date: Tue, 2 Aug 88 09:08:00 U Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: KAICHEON@ITIVAX Subject: ERIC NEWHOUSE'S BITNET ADDRESS ? Does anybody know how can someone contact Eric Newhouse of DIRTY DOZEN over bitnet? Thanks in advance! ========================================================================= Date: Mon, 1 Aug 88 22:45:00 MDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: LYPOWY@UNCAMULT Subject: Re: "2600" Quarterly, Summer, 1988 In-Reply-To: Message of 1 Aug 88 08:32 MDT from "WHMurray at DOCKMASTER.ARPA" I am sending this here because I don't believe I can send mail to WHMurray from here. Could someone please send me some info on 2600 Magazine (in particular subscription information and/or some address where I can request such information). Thanks! Greg Lypowy ========================================================================= Date: Tue, 2 Aug 88 01:31:18 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> A few days ago, I mentioned the possibility of having a conference for the group of us at some time in the future. We have had about forty people say they were interested in such a thing from several areas of the country. We have a few people who wish to discuss various security topics and so on. I believe that if we set a date and place for such a conference, we will get quite a few more responses. I have some comments on the idea: 1) I would like to open it to the press. We could bill it as a big meeting of the minds on virus-theory and how we might be able to stop these destructive programs. 2) I would be happy to set it up, would anyone else like to volunteer to help? 3) I'd like some ideas on how long such a conference would last ... the problem is that some people may end up coming from great distances for it. 4) I prefer to hold such a meeting in the Lehigh Valley area (Allentown/Bethlehem Pa) which is less than an hour from Philadelphia, less than 2 hours from New York City, 5 hours from Boston, and 5 from Washington DC. Its a centralized location with quite a bit of access. If there are any great reservations about this area, we can consider something else. We may be able to get a group together on the East Coast and one together a bit later on the West Coast. If we do this, I'd like to attend both, and I wouldn't mind organizing both. 5) Since we did have some enthusiastic replies to the idea, I believe we can get a decent group together to work on the theories of computer viruses, protection schemes, future computer security and so on. Comments? Loren Keim ========================================================================= Date: Tue, 2 Aug 88 01:44:02 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Alright, to answer further questions about a virus seminar: 1) Will it cost money? I don't know yet, we're just considering it. I imagine that if we want to make up a booklet for the meeting, we might ask for a donation, or perhaps some of the colleges and companies out there might donate a small amount of money with the promise of us putting an add for them in the package. We may also need to rent some conference rooms, although I think I can get some. And if the group is small (although I doubt it will be) we might hold a dinner of some sort. 2) When will it be? Again, we're just discussing the idea. Unfortunately, for college professors and associates, school is starting shortly and I doubt we'll get something in before it starts, but I don't think we'll have a problem if its early in the semester. What would you think of the second weekend in September? Earlier, later? 3) How far is the Lehigh Valley from Trenton, Princeton, and Pittsburg. Ugh! Its on the map. The Allentown area is about an hour and a quarter from Trenton if memory serves, I have't been there since the Trenton Computer Faire. I have't the slightest idea how far it is from Trenton, I haven't been there in a while. But for the New Jersey people, its an hour from Morristown, 3 hours from Atlantic City (max, some people make it in less), and an hour and a quarter to a half from Camden. You can figure out the rest. Its about 4 1/2 - 6 hours from Pittsburg. I've gotten all sorts of conflicting times on that. It takes me 4 1/2 hours, you slow drivers may take a bit longer. Its an hour and a half from Harrisburg, an hour and a half from Lancaster. People who are farther than Pittsburg may want to fly. I think its a 15 minute hop from Chicago for only 35 bucks. And no, Karen, we are not a "hick town". The Valley has 700,000 people in it. Granted, we're not New York City, but we hold our own in terms of metropolitan areas. Incidently, we have 3 sky scrapers (wow!). We're also home to AT&T research (Bell Labs and several other AT&T plants), Air Products, Bethlehem Steel, Mack Trucks and Union Pacific. Its a very nice area to live. Loren ========================================================================= Date: Tue, 2 Aug 88 08:38:22 CDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Len Levine <len@EVAX.MILW.WISC.EDU> Subject: Re: Trapping Direct Disk Write Calls In-Reply-To: Message from "Chris Bracy" of Jul 31, 88 at 12:32 (midnight) >GARY SAMEK writes: > >> When a virus gets into command.com, it is very difficult to stop it from >>spreading if it is well written. > >I dont see why a virus in command.com is any harder to trap than a virus >in any other program. Command.com is just a .com file like any other .com >file except in purpose. Its structure is similar, and (theoretically) only >makes its calls thru dos. The Int 21 handlers are NOT part of command.com. > > No casual test of the date of creation, or even the file size will trap the inclusion of a virus into command.com. The 4000 byte space left at the end of that program allows for room to enter a sizable virus. Even my favorite scheme of checking the CRC can easily be defeated if the virus writer knows what CRC formula I use by the simple addition of 2 bytes of non-executable code to fix the CRC and return it to its original value. Even if there were not room for a sizable virus, the scheme (already used) of putting a program onto disk and marking that disk area as bad in the FAT, and then linking that area into your code can would afford all of the space needed. Watching command.com and other files that matter with a CRC formula that is different from that others use is one of the best ways I know to detect infection (albeit after it happens). + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + | Leonard P. Levine e-mail len@evax.milw.wisc.edu | | Professor, Computer Science Office (414) 229-5170 | | University of Wisconsin-Milwaukee Home (414) 962-4719 | | Milwaukee, WI 53201 U. S. A. Modem (414) 962-6228 | + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ========================================================================= Date: Tue, 2 Aug 88 13:07:50 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Alright, alright, The people from the West Coast say there are more people working on viruses on that coast, so we should start there. The people from the East Coast agree that it should be here. The people from the middle states tell us that we should have a nationally centralized location. Eep. I didn't mean to start a war. I'd like people who are interested in such a conference to reply to me as to where they wouldn't mind traveling for the conference. Would they mind coming to the East Coast, would they mind meeting somewhere in the middle states, and so on. Reply to LKK0@LEHIGH.Bitnet (excuse my last letter which incorrectly stated where I was). Loren ========================================================================= Date: Tue, 2 Aug 88 15:28:01 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Art Larky <AIL0@LEHIGH>" <AIL0@LEHIGH> Subject: Trapping Disk Calls You won't catch my virus by watching for DOS calls, because I won't use them. You won't catch my virus by watching for BIOS calls, because I won't use them. Since every one knows where DOS and BIOS keep the information about your hard disk and everyone knows what port addresses do what on a PC compatible, I'll just access the hardware directly. It may be more trouble, but its also a sure-fire way to eat your FAT tables and/or insert myself into any program I wish. Face it - the IBM 'open architecture' was a great idea for clone manufacturers; but now everyone uses the same BIOS data areas and the same port addresses in the interests of compatibility, so there is no mystery about how to get your hands on the hardware. Command.com is a great place to hide a virus, not only because it has room for it, but also because it gets executed immediately after your autoexec, so your chances of catching the virus depend upon what you do in autoexec. Also, everyone has command.com and everyone uses it all the time, so it has lots of chances of spreading an infection. The AIDS slogan is safe sex or no sex. Apply the same or greater caution to your computer! Art ========================================================================= Date: Tue, 2 Aug 88 15:37:05 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1> Subject: forwarded comments on VIRSIM program Here are some comments on the VIRSIM package, from Jim Crooks: Ken From: Jim Crooks <JIM@ISS.NUS.AC.SG> Subject: RE: VIRSIM In Reply To: message from <VIRUS-L@LEHIIBM1.BITNET> of 7-20-88, (Andrew Vaught <29284843@wsuvm1>) In some ways, a program like VIRSIM is a good idea *IF* it is well written and *IF* it is updated frequently to reflect the leading edge of virology. At least it would provide a benchmark against which we could measure the masses of anti-viral software that have been appearing lately. If one can incorporate all known threats in the test, then at least we will know what protection we are buying (or not buying) with a package. Since a recycled known virus can cause as much grief as new one if it finds a loophole in your defenses. The risks are as follows: - new methods of attack will be developed to circumvent current defense mechanisms - as has been stated previously, a simulator will give a false sense of security - a well documented simulator will unfortunately provide a source of viral techniques for the bad guys. The only way to do a better job of anti-virus work is to actively research it - but then the fellow who taught VIRUS-101 caught a lot of flack didn't he, so it would be a fairly dicey process to say the least... Can someone send me the address of NBBS or Interpath - tnx. James W. Crooks Member, Advanced Technology Application Staff Telebox(DIALCOM): 12:GVT331 ATTN:((JIM)) BITNET: JIM@ISS.NUS.AC.SG BIX: jw.crooks Institute of Systems Science, National University of Singapore Heng Mui Keng Terrace, Kent Ridge, Singapore 0511 Kenneth R. van Wyk Milo: We're out of helium for the User Services Senior Consultant balloons! Who's been suckin' Lehigh University Computing Center the helium?! Internet: <luken@Spot.CC.Lehigh.EDU> Gang: Not me! Not me! ... BITNET: <LUKEN@LEHIIBM1> Opus: Eeeeeep! Eeeeeep! ========================================================================= Date: Tue, 2 Aug 88 15:39:27 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1> Subject: Forwarded legal comments from J.D. Abolins I received this file which was sent to VIRUS-L from OJA@NCCIBM1 : [Note J.D. - you can't send files to the list, only mail. Ken] >Robert, I've been looking for laws concerning viruses for >some time, and havn't found any. I have located three laws >which I will summarize when I have them in front of me. >They basically state that it is illegal to enter a computer >system that is not their own or that they don't rightly >have access to because its a form of breaking an enterring >... fi their computer enters it, they are responsible, or >if some program they wrote enters it, they are responsible. >It is also illegal to read other people 's mail on the >system, even if it is your own companies system. And >its illegal to change anything on a system which you were >not specidfically asked to change by the user, fi I remember >correctly. The three legal points are pretty the basic tools for dealing with computer crime. Here's the listing of the legal action from what I have seen-- 1) Breaking and Entering variants, including illegal systems access 2) Fraud. This is evident for computer acts which produce a financial benefit to the perpretrator. (This has not been seen in any viruses to date.) In the case of the British Telecomm hackers, a fraud law was used to bring the fellows to trial for hacking into Prince Charles's e-mail. 3) Sabotage and it's variants. (If the malicious program was shown to be delieberately used against am installation.) 4) Electronic Communications Privacy Act (ECPA) regarding e-mail privacy. (I'll send up a rought text and analysis soon.) 5) The various state laws regarding computers. Computer law is in its infancy. Most attempts to prosecute are based upon existing laws. >Also, 250,000 outbreaks is a bit high. If therey are counting number >of disks infected, that might be a little low. We had around 600 disk >infected at Lehigh alone with the first outbreak of a virus here. >Figures of the Israeli virus put it at around 18000 copies found (althou >that number counldn't be backed up by anytone.) About the counts, it does depend upon what was counted- installations, computers, disks, potentially affected disks, people affected by the affected disks, etc. Also, about the counts of the typeso f viruses, there is a major problem- lack of nomeclature (naming) conventions. This is compunded by the rapid stream of virus reports. Many times, the reports may change the name of case and future article writers get the impression that it is a new case. This happened with the Hebrew University case; it has been called "Hebrew University virus", "Israeli virus", "PLO virus", "Friday the 13th virus", etc. From writing articles about viruses and other things, I have seen how easy it easy for jumbling of facts, especially if only secondary and tertiary sources are used. Finally, the fact that the viruses are codes that are embedded in files complicate identification. (This makes the "Dirty Dozen listing" approach more difficult. Rather than giving a common file name of the malicious program (which is helpful for trojan horses, until someone changes the filename), the viruses need to be described by mode of transmission, attack, symptoms, etc. J. D. Abolins Kenneth R. van Wyk Milo: We're out of helium for the User Services Senior Consultant balloons! Who's been suckin' Lehigh University Computing Center the helium?! Internet: <luken@Spot.CC.Lehigh.EDU> Gang: Not me! Not me! ... BITNET: <LUKEN@LEHIIBM1> Opus: Eeeeeep! Eeeeeep! ========================================================================= Date: Tue, 2 Aug 88 22:16:05 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Virus/Computer Security Conference results Wow! We've have quite a few comments, questions and preferences come in today. I'll give you a quick run down and try to answer some of the overlapping questions. We've had 18 votes for the East Coast, 2 votes for the middle states, 3 people who said they didn't care because they'd have to fly over the ocean to get here anyway and NO votes for the West Coast (surprize!). I would like you to keep sending me mail and suggestions, we'll see how the majority of people feel, but we'll need to know quickly if we want to set this up. Most people believe we should have a weekend-long conference, rather than a day because some are willing to fly in for it and because we have so many people interested in the subject. I agree. I'd like to thank Craig Pepmiller for his suggestions, and his "sample weekend" which outlays a set of possible conferences. I also that all the people who had suggestions for specific people to speak. The names to come up the most were: Several people for Y. Radai, several people for Fred Cohen, several people for me (honest, I didn't say a thing!), and one person who asked for a member of Panda systems to speak. As well we had two people ask if we could get Robert Slade to bring his material on viruses down, 3 people who wanted to know where they could get copies of Fred Cohen's booklets (I have some material, but not all), and if they could get copies of my book (It ISN'T published yet!) We had questions about hotel accomodations and expenses. I think we will have to end up charging something so we can have food at the conference, coffee, donuts, and so on. It will be a non-profit conference however. Also, for overnight guests, we'll need hotel accomodations. If any companies are interested in donations??? We were asked whether or not this would be an "official" conference, so it could be university sponsored by different universities. Yes, I don't see a problem with that. I also see no problem with sending personal invitations to help get colleges to pay for certain people's trips to the conference. Craig also suggested that for people who cannot get to the conference, have it video taped. I like that idea. If anyone has suggestions for topics, please send them. As well, several people suggested that we have the speeches published and sent out to whoever wants them and can't make it. I see no problem with that, but we'll probably have to charge a small fee for it. I was incorrect on my time from Chicago to ABE airport. It is not 15 minutes, it is more like an hour. Prices are still in question however, I will check them. Prof. Larky also points out that ABE is serviced by United, USAir, Northwest, Eastern and several regional airports. For people who asked whether the Lehigh Valley has any computer significance... BITE YOUR TONGUE! Charles Brown (anyone remember him) was out here a while back to give a speech. He told us that the Lehigh Valley was the original, the one and ONLY silicon valley. The Valley, he said, is where the computer was conceived and where the microchip was first invented. We also have Bell Labs here, AT&T solid state labs, AT&T, Bell Atlantic, a small IBM outpost, Unisys, Digital servicing, Lehigh University, Homer Research Labs, and quite a few other little places. (We don't have HP or Epson out here, and that has always depressed me.) That is all for now, I'll have more as it developes. Keep the comments coming in, and I will set up a definitive date, a definite place and schedule it. Again, we had one volunteer to work on the conference and three others that hinted at it. Anyone interested on helping? Thank you, Loren Keim Also, for the person who mentioned that I don't have headers and that makes life difficult, I am sorry, I'll try to remember to put headers on from now on. We are using IBM equipment though, so instead of Digital equipment asking for a header, we must physically tab to the header field and insert one (Horrors, a machine that doesn't do it for me!) ========================================================================= Date: Tue, 2 Aug 88 22:26:50 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Conference Notes Another quick note: Some questions came up from various people that I neglected to answer. WHEN would we have such a conference. If we hold it too soon, people won't have time to plan it into their schedules, but if we have it this year yet and after mid October, we're running the risk of hitting Prof's midterms and finals. I'm leaning towards the second weekend in October. I'd also like to know if enough people would be interested in attending. We've had around 60 replies, but that doesn't mean they are definitely coming. I'd like to know who is seriously interested in such a conference so we can plan ahead. I don't see a serious problem because we are said to have around 6000 people on this listserv (this is an unsupported number because this is a closed listserv and we cannot ask it who is on or how many). We've also gotten some final comments asking "Oh Where Oh Where is David Slade?" Loren Keim ========================================================================= Date: Wed, 3 Aug 88 10:27:46 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1> Subject: Re: Conference Notes In-Reply-To: Message of Tue, 2 Aug 88 22:26:50 EDT from <LKK0@LEHIGH> Loren states that there are 6000 people on this forum. Loren, I don't know where you got that number but, for the record, there are approximately 450 current subscribers to the list, including about 15 to 20 redistribution points with an unknown number of readers at each. Just thought that I'd clear that up... Ken Kenneth R. van Wyk Milo: We're out of helium for the User Services Senior Consultant balloons! Who's been suckin' Lehigh University Computing Center the helium?! Internet: <luken@Spot.CC.Lehigh.EDU> Gang: Not me! Not me! ... BITNET: <LUKEN@LEHIIBM1> Opus: Eeeeeep! Eeeeeep! ========================================================================= Date: Wed, 3 Aug 88 10:56:52 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: OJA@NCCIBM1 Re; occaision requests for means of contacting Eric Newhouse Since this request pops up about every couple of months, I'll leave the answer on the list.... Eric Newhouse has no BitNet access at this time. He can be accessed though the BBS he runs- The Crest BBS in Los Angeles, CA. : (213) 471-2518 His mailing address is Eric Newhouse 1834 Old Orchard Rd. Los Angeles, CA 90049 USA If anyone wants to relay messages to him, I am willing to do it since I call him on the BBS twice a month at least. (Do I ever need PC Pursuit! :-) No ad intended, just a comment on modem weary phone bill.) In a few months, a couple of the BBS systems that I work with are seeking to add the capability to connect to USENET. Maybe with a more "PC-ready" access, Eric Newhouse can have a BITNET link. Thank you. PS: Ken, my apologies for the file slipping through. Still experimenting with the various TRANSMIT options that are supposed to turn files into messages. If any is using TRANSMIT on a MVS / TSO system, please let me know how you do it. Thank you. ========================================================================= Date: Wed, 3 Aug 88 12:32:50 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Conference Notes First, thanks Ken for clearing up the number of people on the list. I thought my information was a bit nhigh. (Shame, Chris, Shame). Second, we've gotten quite a few interesting comments on speakers. We've gotten more people asking for speakers. The only new addition is Dr. Highland. I am unfamiliar with him, or perhaps I'm not putting him in the right context. The majority of people who wrote asked about panel conferences. To tell the truth, I would rather have a few speeches given, and have some roundtable discussion groups. I'm sure some would be interested in listending to lectures, but I think we'd bget a bit more out of some discussion groups as well. We had two people also ask that the conference be located near Philadelpihia. Again, if we hold it in the Valley or at Lehigh, we are 45 minutes up route 309 (Broad St Philly)... provided you don't hit too many lights. Or an hour and 15 min up the turnpike. I'd still klike to hear from people interested in the conference and I'd like to know if the second weekend in October is stoo early. I am sure I can set up a good conference by that time, I'm more worried about people working it into their schedules. Regarding Hotels, we have quite a variety orf them. The range is 28 dollars a night up to 115 dollars a night. You can get very nice accomodations here for around 35 a night, or even nice accomodations for a little less. The total conference cost (without hotel) we could probably squeeze in for around 25.00 including a dinner. I have checked and we can hold a nice banquet for about 35 a person, and we can add on another 5-15 for snacks at the conference, booklets to go lalong withthe conference. Any preference? Loren ========================================================================= Date: Wed, 3 Aug 88 12:38:40 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Speakers Aha! Dr. highland is editor of Computers and Security. We have also had two suggestions to add a bit onto the pricetag of the conference inorder to help pad the trips of keynote speakers to the conference. Suggestions? Loren Keim ========================================================================= Date: Wed, 3 Aug 88 16:44:27 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Naama Zahavi-Ely <ELINZE@YALEVM> Subject: Virus outbreak -- Brain type? Hello! We seem to have a small outbreak of a virus here at Yale University. The virus resides on the boot sector of any diskette (DSDD or DSHD -- we did not try any 3.5" disks). It does not seem to infect hard disks. Typically, somebody would try to start a computer with an infected disk and get only a blinking cursor. When the computer would not start normally, the user would get some other system disk and do a warm boot. At this stage, if the new system disk is not write-protected, the viral code gets written onto its boot sector and the user still has a blinking cursor only. If the new system disk is write-protected, the machine seems to start normally; however, the virus code is still in memory and any subsequent warm boot with a non-write-protected disk infects that disk. Any other disk accesses -- format, copy, dir, del, cd -- do not seem to spread this virus. As far as I can tell, this seems to be a variant of the Brain virus; however, there is no Brain or brain signature anywhere in it (or any other recognizable text, for that matter). The obvious solution would be to educate users to use write-protected boot disks and to cold-boot the computer whenever they start a session. Is there anything else we should watch out for? Doe anybody have any experience with this specific virus? We'll be glad for any help! Thank you in advance, Naama Zahavi-Ely <ELINZE@YALEVM.BITNET> Staff Resource Specialist Project ELI Yale University (203) 432-6600 ext.341 ========================================================================= Date: Wed, 3 Aug 88 14:03:54 CST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: James Ford <JFORD1@UA1VM> Subject: Flushot3 WARNING! A hacked program called (oddly enough) FLUSHOT3 is on the loose. This program is apparently a true virus. People interested in this should contact: Tom Sobczak 2580 Grand Av. Baldwin NY 11510 (516) 867-3550 The program was found infecting the computers of a well known communications company. I do not personally know this person, but he is looking for info on virii (basically, re-occuring infection patterns, etc). He would like any/all information, and will exchange with you whatever information he has. James ========================================================================= Date: Thu, 4 Aug 88 18:18:00 CDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: John Stewart <JSTEWART@SFAUSTIN> Subject: RE: Campus virus letter To the group: (especially Len Levine) I reviewed your virus letter that you put on the list last Wednesday, and I found it to be very useful. I am in the process of researching, and preparing much the same type of paper for our university. I do have a couple of suggestions that you may find useful, and then again you may not.... I agree with the earlier posting (I forgot who it was), which criticized the grave tone of a good bit of the paper. I don't know about your university, but I don't feel that we are in that deep of a threat of our own students inventing such beastly programs. I say this because I myself am a student, and I know the majority of the Computer Science types on the campus. I simply don't feel that anyone here has that much knowledge and capability. (You must realize that I attend a smaller university than most... we average 13,000 students in the Fall over the past couple of years). What I do fear is the HIGH probability that these students have been in contact with some of the other students at other universities and will, either on accident or on purpose, return with some sort of Virus program in their software. You mentioned in your posting that 'your audience will be faculty and staff who are reasonable, but do not understand computers or computering'. I feel that this is a good estimate of my intentions for my audience. With this in mind I feel that the material needs to be explained a little better. Not even ALL of our Computer Science majors know what a Virus is, I surely don't expect a chemistry professor to deduce my meaning of a VIRUS in the context of the article. With this in mind I have decided to begin my article with a definition or two, positively to include that of a VIRUS. THIS IS WHERE I WOULD LIKE SOME HELP FROM 'THE GROUP'. Below I will _attempt_ to derive some sort of definition, and would greatly appreciate any and all criticism and suggestions! Computer Virus - A program which poisons ones computer software. A program which is usually capable of attaching itself to other programs upon the execution of any number of DOS commands. Usually written with malicious intent, capable of performing any task from displaying a simple message, to destroying hardware AND software. These programs can be made to execute their mailicous acts upon any pre-determined sequence of events, such as a certain keystroke or at a specified date and time. These programs usually are not visible by the simple DOS "DIR" command, making them 'invisible' to the unsuspecting user. ..well? Please, I make no attempt at declaring myself to be a VIRUS expert, or even extensively knowledgeable of them. I merely do the best I can. I would appreciate any hints, revisions, advice, etc. Finally, thank you Len for providing the article to base our defenses upon. +------------------------------------------------------------------------------+ : John Stewart Net Address jstewart@sfaustin.BITNET : : Technical/Academic Support Programmer Office (409) 568-1020 : : Stephen F. Austin State University Modem (409) 568-1334 : : Nacogdoches, Tx 75962 (U.S.A.) : +------------------------------------------------------------------------------+ ========================================================================= Date: Thu, 4 Aug 88 17:59:20 PDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: MESSAGE AGENT <franklin@ORION.CF.UCI.EDU> Subject: Re: Flushot3 Dear Virus Discussion List, This is an automatic reply. Feel free to send additional mail, as only this one notice will be generated. The following is a prerecorded message, sent for Stephen D. Franklin I'm away from e-mail until 11 August. -- sdf ========================================================================= Date: Fri, 5 Aug 88 07:48:52 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1> Subject: RE: Campus virus letter In-Reply-To: Message of Thu, 4 Aug 88 18:18:00 CDT from <JSTEWART@SFAUSTIN> > I say this because I myself am a student, and >I know the majority of the Computer Science types on the campus. I simply >don't >feel that anyone here has that much knowledge and capability. You'd be surprised... The sad fact is that writing a relatively simple virus does not require all that much knowledge and/or capability. The average CS student (particularly one who's done some 8088) could write a PC virus in very little time. All it takes is the inclination to do so. I'm sure that none of your university's students are ever disgruntled for one reason or another...? >realize >that I attend a smaller university than most... we average 13,000 students in >the Fall over the past couple of years). Lehigh has about 6000 (4000 undergrad, 2000 grad)... >What I do fear is the HIGH >probability >that these students have been in contact with some of the other students at >other universities... That's definitely a real threat, but don't write off an inside job. >Computer Virus - A program which poisons ones computer software. A program >which is usually capable of attaching itself to other programs upon the >execution of any number of DOS commands. Usually written with malicious >intent, >capable of performing any task from displaying a simple message, to destroying >hardware AND software. These programs can be made to execute their mailicous >acts upon any pre-determined sequence of events, such as a certain keystroke or >at a specified date and time. These programs usually are not visible by the >simple DOS "DIR" command, making them 'invisible' to the unsuspecting user. Sounds a little like terror tactics, imho. Fred Cohen's definition of a virus goes something like - A program which attaches itself to another program and, upon interpretation, copies (a possibly evolved version of) itself to other program(s). (This isn't verbatim, but the jist of it is pretty much the same...) Perhaps if you start by just defining a virus for what it is, and point out that a virus can also carry a Trojan horse which can be triggered to be activated sometime in the future. It's probably not a good idea to hype up the idea of a virus; just treat it as a program like any other program. My opinion... Ken Kenneth R. van Wyk Milo: We're out of helium for the User Services Senior Consultant balloons! Who's been suckin' Lehigh University Computing Center the helium?! Internet: <luken@Spot.CC.Lehigh.EDU> Gang: Not me! Not me! ... BITNET: <LUKEN@LEHIIBM1> Opus: Eeeeeep! Eeeeeep! ========================================================================= Date: Fri, 5 Aug 88 09:30:16 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Russell Nelson <nelson@CLUTX.CLARKSON.EDU> Subject: How to convince I'm Clarkson's micro wizard. If we get hit with a virus, everyone will turn to me to fix it. I'm the recognized expert. However, when I cry "virus coming", no one believes me. They all believe in the ostrich theory of virus prevention--don't talk about it and the students won't write/import them. Fortunately, they do think that people should be warned to reboot before using a public machine. Is there any validity to their point or *should* we tell the students about viruses? -russ ========================================================================= Date: Fri, 5 Aug 88 10:20:20 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1> Subject: Re: How to convince In-Reply-To: Message of Fri, 5 Aug 88 09:30:16 EDT from <nelson@CLUTX.CLARKSON.EDU> >Is there any validity to their point or *should* we tell the students >about viruses? I think that our case, here at Lehigh, shoots their "ostrich theory" down the tubes; we didn't tell our students about viruses, and we did get infected by a virus. Prior to the attack, there was little in the way of virus education, with the notable exception of Dr. Cohen's course in Computer Security. It's possible that one of his students learned about viruses from his course...but that is largely a moot point now with all of the publicity that viruses have received in the last 8 months or so. My feeling is that *not* telling them about viruses, at this point, is the danger; they've probably already heard about them, and may even feel like experimenting now. The reason that it is dangerous to not tell them is that they (currently) have no way of knowing what dangers exist other than what they may have read in the press... Tell/warn them about viruses and they might a) be more careful in sharing programs, b) make safe backups to protect themselves, c) try to write their own. Ken Kenneth R. van Wyk Milo: We're out of helium for the User Services Senior Consultant balloons! Who's been suckin' Lehigh University Computing Center the helium?! Internet: <luken@Spot.CC.Lehigh.EDU> Gang: Not me! Not me! ... BITNET: <LUKEN@LEHIIBM1> Opus: Eeeeeep! Eeeeeep! ========================================================================= Date: Fri, 5 Aug 88 10:09:17 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Naama Zahavi-Ely <ELINZE@YALEVM> Subject: Re: How to convince In-Reply-To: Message of Fri, 5 Aug 88 09:30:16 EDT from <nelson@CLUTX.CLARKSON.EDU> I am not sure that detailed warnings about viruses are necessary (there are so many rumors about them anyway). I do think one should warn users to take the following precautions: 1. Use a write-protected system disk whenever possible. 2. When you start using a public machine, TURN IT OFF first, then turn it on with your system disk in drive A. Just booting (warm booting) would not be enough -- we had a virus that spread itself that way. Naama Zahavi-Ely Yale University ========================================================================= Date: Fri, 5 Aug 88 12:47:19 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Viruses - The Unspoken Word Russ, I think we've had quite a few of these arguments before about teaching fviruses. I don't think it was the oworldn't (Again please excuse my typing, this modem program hates my backspace), I don't think it wwas the swiftest idea in the world to publicly announce how to defeat systems, but then didn't popular Mechanics tell us how to create an atomic bomb? Ken, I hate to correct you, but Fred taugh t a feull course on computer security, he went over viruses in detail and he taught quite a few seminars on the theory, if I remembr correctly. He also ha gave out copies of his theisis on viruses and asked several students to write viruses for him including John Hunt I f memory serves. He also wenet over his articles and they were posted on bulletin boards. To me that is teaching viruses, and I honestly think that because he tautght them, we received one. Someone tells me that he weven went over command com viruses as an example one time. Now, Fred tells us that we are lucky he discovered viruses before someone else did. He might be right. But the people from University of California and people from the AI systems here at Lehigh tell me that all he did was create waves and destory machines. Whether or not he himself did damage, 3 differenct colleges tell me hie did. Is this proliferation of viruses do to his talks and papers? Or would it have eventually come anyway? Teh flipside is that many people calim viruses have been with us since 1972, but they were small and didn't hit very hard because all systems were unconnected and in the hands of computer experts, where now we have large noetworks and eveybody has a computer ]and doesn't know much abou tit. At this point itn time, we've had afar too many problems to try to quiet the subject. If students don't hear it forom you, they will hear it elsewhere. I think it ifs a good idea to wram (arn ... WARN) people of the potential problems. (That's it, I'm going out and getting a new modem program. Or a copy of Kermit would do it). Loren ========================================================================= Date: Fri, 5 Aug 88 14:36:17 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1> Subject: Re: Viruses - The Unspoken Word In-Reply-To: Message of Fri, 5 Aug 88 12:47:19 EDT from <LKK0@LEHIGH> >Ken, I hate to correct you, but Fred taugh t a feull course >... >bulletin boards. True. I should have been more specific, and I did say that Dr. Cohen's course was a notable exception. What I meant was that we, the Computing Center, didn't educate our computer users, as a whole, on viruses. Yes, many students took Dr. Cohen's course, and they should've been knowledgable on viruses, but I did mean the computing community, as a whole. As for whether teaching about viruses catalyzes the problem or not, I still feel that it largely a moot point since the cat *is* out of the bag, so to speak. The best that we can do at this point is to warn our users of the potential for disaster. Ken Kenneth R. van Wyk Milo: We're out of helium for the User Services Senior Consultant balloons! Who's been suckin' Lehigh University Computing Center the helium?! Internet: <luken@Spot.CC.Lehigh.EDU> Gang: Not me! Not me! ... BITNET: <LUKEN@LEHIIBM1> Opus: Eeeeeep! Eeeeeep! ========================================================================= Date: Fri, 5 Aug 88 13:27:00 MDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: CEARLEY_K%wizard@VAXF.COLORADO.EDU Subject: Timer TSR's >You cannot implement this idea in software. Loren - Its actually not as hard as I made it sound(?). The 8253 timer chip on the PC (8254 on the AT) invokes IRQ 8 18.2 times per second by default. This interrupt can be trapped by the TSR. 18.2 is not etched in silicon, channel 0 of this chip can be modified for faster intervals. This technique allows a simple method for multi-tasking PC applications and can be employed to implement the strategy I discussed. >The idea you present makes the microcomputer unusable unless it >has multiple motherchips. This occurs transparently to any application currently executing in the PC. *-----------------------------------------------------------------------* | Kent Cearley | CEARLEY_K@COLORADO.BITNET | | Management Systems | | | University of Colorado | "All truth contains its own | | Campus Box 50 | contradiction" | | Boulder, CO 80309 | | | | | *-----------------------------------------------------------------------* ========================================================================= Date: Fri, 5 Aug 88 15:36:01 CDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Len Levine <len@EVAX.MILW.WISC.EDU> Subject: Re: Campus virus letter In-Reply-To: Message from "John Stewart" of Aug 4, 88 at 6:18 pm > >To the group: (especially Len Levine) > > I reviewed your virus letter that you put on the list last Wednesday, >and I found it to be very useful. I am in the process of researching, and >preparing much the same type of paper for our university. I do have a couple o f >suggestions that you may find useful, and then again you may not.... > I agree with the earlier posting (I forgot who it was), which criticized >the grave tone of a good bit of the paper. I don't know about your university, >but I don't feel that we are in that deep of a threat of our own students >inventing such beastly programs. I say this because I myself am a student, and >I know the majority of the Computer Science types on the campus. I simply don' t >feel that anyone here has that much knowledge and capability. (You must realiz e >that I attend a smaller university than most... we average 13,000 students in >the Fall over the past couple of years). What I do fear is the HIGH probabilit y >that these students have been in contact with some of the other students at >other universities and will, either on accident or on purpose, return with some >sort of Virus program in their software. > You mentioned in your posting that 'your audience will be faculty and staf f >who are reasonable, but do not understand computers or computering'. I feel >that this is a good estimate of my intentions for my audience. With this in >mind I feel that the material needs to be explained a little better. Not even >ALL of our Computer Science majors know what a Virus is, I surely don't expect >a chemistry professor to deduce my meaning of a VIRUS in the context of the >article. With this in mind I have decided to begin my article with a definitio n >or two, positively to include that of a VIRUS. THIS IS WHERE I WOULD LIKE SOME >HELP FROM 'THE GROUP'. Below I will _attempt_ to derive some sort of >definition, and would greatly appreciate any and all criticism and suggestions! > >Computer Virus - A program which poisons ones computer software. A program >which is usually capable of attaching itself to other programs upon the >execution of any number of DOS commands. Usually written with malicious intent , >capable of performing any task from displaying a simple message, to destroying >hardware AND software. These programs can be made to execute their mailicous >acts upon any pre-determined sequence of events, such as a certain keystroke or >at a specified date and time. These programs usually are not visible by the >simple DOS "DIR" command, making them 'invisible' to the unsuspecting user. > >..well? Please, I make no attempt at declaring myself to be a VIRUS expert, or >even extensively knowledgeable of them. I merely do the best I can. I would >appreciate any hints, revisions, advice, etc. > > Finally, thank you Len for providing the article to base our defenses upon. I received several letters like this, and will rewrite the first sections of the memo to reflect this. Thanks. I will send the final copy to this net and expect that people will steal freely from it. thanks for the help. + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + | Leonard P. Levine e-mail len@evax.milw.wisc.edu | | Professor, Computer Science Office (414) 229-5170 | | University of Wisconsin-Milwaukee Home (414) 962-4719 | | Milwaukee, WI 53201 U. S. A. Modem (414) 962-6228 | + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ========================================================================= Date: Fri, 5 Aug 88 18:11:30 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Art Larky <AIL0@LEHIGH>" <AIL0@LEHIGH> Subject: Timer Ticks >>You cannot implement this idea in software. >Loren - Its actually not as hard as I made it sound(?). The 8253 > timer chip on the PC (8254 on the AT) invokes IRQ 8 > 18.2 times per second by default. This interrupt can be > trapped by the TSR. 18.2 is not etched in silicon, channel > 0 of this chip can be modified for faster intervals. > This technique allows a simple method for multi-tasking > PC applications and can be employed to implement the strategy > I discussed. It's not all that easy. DOS (and BIOS) are not re-entrant, so you would not be able to use any DOS or BIOS calls in your program since you would not know who was doing what where when you got the tick. Of course, like all other TSR's you'd have contention problems with the timer tick. What about all the other people (including DOS) who expect that tick to be at 18.2? Art Larky CSEE Dept Lehigh Univ BBS: (215) 974-4068 >>The idea you present makes the microcomputer unusable unless it >>has multiple motherchips. > This occurs transparently to any application currently > executing in the PC. > Kent Cearley | CEARLEY_K@COLORADO.BITNET | ========================================================================= Date: Fri, 5 Aug 88 21:22:18 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: David.Slonosky@QUEENSU.CA Subject: Virii and Screen Output Given the open memory of DOS and the fact that (it seems) any program can take over the memory space of any other program, and also the fact that ROM BIOS calls can be used to create screen output, is it possible to create a virus which, after insertion into a program is undetectable by a program like LIST.COM or a sector editor? In other words, once the virus knows that a program is doing a disk read of the section it's hiding in, can this hypothetical virus then fool the system into thinking that the legitimate code is still in place? I think that the capability to examine sectors on a disk is a big help in combatting these things and wonder whether a clever virus could mask its existence in this fashion. ========================================================================= Date: Fri, 5 Aug 88 23:29:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: WHMurray@DOCKMASTER.ARPA Subject: Re: Virii and Screen Output In-Reply-To: Message of 5 Aug 88 21:22 EDT from "David.Slonosky%QUEENSU.CA at CUNYVM.CUNY.EDU" >....is it possible to create a virus which, after insertion into a program is >undetectable by a program like LIST.COM or a sector editor? The short, obvious and trivial answer to your question is that if you can conceive it, and if it could be done by any other program, then it can be done by a virus. Bill ========================================================================= Date: Fri, 5 Aug 88 23:44:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: WHMurray@DOCKMASTER.ARPA Subject: Re: How to convince In-Reply-To: Message of 5 Aug 88 09:30 EDT from "Russell Nelson" >Is there any validity to their point or *should* we tell the students >about viruses? I do not know, but I do think that it is a good idea to teach them good hygiene. We teach small children to wash their hands long before they know about disease or how it is spread. William Hugh Murray, Fellow, Information System Security, Ernst & Whinney 2000 National City Center Cleveland, Ohio 44114 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 ========================================================================= Date: Sat, 6 Aug 88 07:46:53 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1> Subject: Gerbil virus? Loren - in reading a previous VIRUS-L posting of yours, I see that you mention having knowledge of a Gerbil virus. Could you please tell us more about that specific virus? Ken Kenneth R. van Wyk Milo: We're out of helium for the User Services Senior Consultant balloons! Who's been suckin' Lehigh University Computing Center the helium?! Internet: <luken@Spot.CC.Lehigh.EDU> Gang: Not me! Not me! ... BITNET: <LUKEN@LEHIIBM1> Opus: Eeeeeep! Eeeeeep! ========================================================================= Date: Sat, 6 Aug 88 10:41:49 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "David M. Chess" <CHESS@YKTVMV> Subject: Viruses and Screen Output David.Slonosky@QUEENSU.CA wonders if a very clever virus couldn't "hide" really well by subverting the output from sector-examiners and things, to lie about the true condition of the disk, and make it look like things are normal (uninfected). As someone else said, the answer is sort of "yes". On the other hand, the simple way to do this (just intercepting the BIOS calls to read the sector of the disk that the virus is on, and returning a false "uninfected" image of the sector to the caller), won't really work for a virus, for the simple and amusing reason that such a virus could hardly spread! When you did a COPY, or a LOAD-AND-EXECUTE, or a boot, or whatever, the system would call BIOS to get the code to execute, the virus would intercept that call and return an uninfected image, the system would then copy (or load, or boot from) that uninfected image, and it would be as though the virus never existed! So it wouldn't spread very well. To make this work, a virus would have to be REAL clever, and present an uninfected image when examination was being done, but an infected image when the data was actually going to be used as code. Sounds sort of hard to do, to say the least... Not to say that it's impossible, of course. But it's not as simple as it might seem. DC========================================================================= Date: Mon, 8 Aug 88 00:59:40 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Amanda B Rosen <abr1@CUNIXC.CC.COLUMBIA.EDU> Subject: Re: Virii and Screen Output In-Reply-To: Your message of Fri, 5 Aug 88 21:22:18 EDT David Slonosky's idea of a virus concealing itself is quite interesting, but there is a reason I don't think it could work. To really hide, the virus would have to remember the code it was overwriting. Otherwise, finding a chunk of $00s or No-ops in the middle of your code would be pretty suspicious (unless you're looking at COMMAND.COM :-) Anyway, while we all know of the CS1001 problem "write a program that prints itself", this is not that simple. It can't easily print (what's supposed to be) itself since it has no place to put it. It could of course find some spare sectors on the disk, but how is it going to keep from overwriting info kept by another copy of itself? It would have to keep its own directory. How can it prevent DOS from using its sectors (which are free, as far as DOS knows)? It would have to infect DOS. Etc. Etc. Etc. The point is, this virus rapidly grows so complex that it couldn't hide. The original copy would be huge, and it would have a significant effect on the system. Of course, this brings up the nightmareish possibility of a program like this running on a mainframe with enough power that its overhead wouldn't be noticed (or it could doctor CPU usage tables while it was at it...). The only protection against this is the fact that the innards of the OS are protected on mainframes. However, if a superuser (or whatever) was dumb enough to run the necessary trojan... Yuck. ========================================================================= Date: Mon, 8 Aug 88 09:12:05 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1> Subject: Forwarded info on U.S. virus legislation For everyone who's been interested in computer virus legislation, here's a proposed U.S. bill on just that. This was sent in by Joseph Beckman (thank you!). Ken From: "Joseph M. Beckman" <Beckman@DOCKMASTER.ARPA> Subject: Virus Bill "Computer Virus Eradication Act of 1988" (a) Whoever knowingly -- (1) inserts into a program for a computer information or commands, knowing or having reason to believe that such information or commands will cause loss to users of a computer on which such program is run or to those who rely on information processed on such computer; and (2) provides such program to others in circumstances in which those others do not know of the insertion or its effects; or attempts to do so, shall, if any of such conduct affects interstate or foreign commerce, be fined under this title or imprisoned not more than 10 years, or both. Entered July 14th 1988 by Mr. Herger (congressman from CA) for himself and Mr. Carr; referred to Committee on the Judiciary, to amend title 18. Joseph Kenneth R. van Wyk Milo: We're out of helium for the User Services Senior Consultant balloons! Who's been suckin' Lehigh University Computing Center the helium?! Internet: <luken@Spot.CC.Lehigh.EDU> Gang: Not me! Not me! ... BITNET: <LUKEN@LEHIIBM1> Opus: Eeeeeep! Eeeeeep! ========================================================================= Date: Mon, 8 Aug 88 09:13:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: the Preserver <VISHNU@UFPINE> Subject: Washing your hands Someone recently advocated the teaching of "viral hygiene" to joe average computer user while keeping "virus writing" to the experts ( a poor paraphrase, but it gets the point across). This is the wrong attitude. Viruses are a part of the current computing environment, so are worms, trojans, etc... Educating users in prevention is necessary to stem the amount of damage done by these destructive programs. However, if the future computing environments are going to be better, computer diseases 101 had best be taught. The field of computing is growing at an incredible rate and in this growth, nowhere do we see a system completely foolproof. Why not? Because the system designers didnt know about the various kinds of computer diseases. The CIS students of today will be tommorows programmers, educating them now about how virii work, detection schemes, security controls and pitfalls, will in the long run make virus writing something undertaken only by a few experts, instead of the situation we have now where combatting viruses is undertaken by only a few experts and every joe hacker on the street can create a virus for the expert virus hunters to track down. Les Hill vishnu@pine.circa.ufl.edu vishnu@ufpine ========================================================================= Date: Mon, 8 Aug 88 10:44:09 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "David A. Bader" <DAB3@LEHIGH> Subject: Flushot Plus 1.4 I have not been subscribing to the Virus List lately, but since I had a question concerning Ross Greenberg's Flushot Plus 1.4, I figured someone here might have an answer for me. Please carbon replies to me. I have an AT-clone and have always tried the Flushot programs (and as I figured out by losing my CMOS memory) - they did me no good. Anyway, I've been using version 1.4 (which was released July 13, 1988) and haven't had any problems (fatal) until today. While using Procomm Plus Test Drive v.1.1 my computer rebooted without me touching any keys. I wondered what was going on, and it rebooted several times. The only change in my system is that now I have FSP14 running. Has anyone else experienced similar problems? (I am unsure that FSP is the culprit, but have eliminated all other possibilities.) One other question that I have concerns my CMOS memory. I have FSP checking my CMOS, and it doesn't erase it like the last version, but WHY when I boot off my hard disk and try to read a floppy does it warn me that "CMOS IS BEING WRITTEN TO"??? Should reading a floppy disk have any effect on CMOS, or is this another annoying bug in Ross's program? Please forward any comments to DAB3@LEHIGH. Thank you, David Bader ========================================================================= Date: Mon, 8 Aug 88 10:08:00 MDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: CEARLEY_K%wizard@VAXF.COLORADO.EDU Subject: Last Reply Art, just a couple of points... > It's not all that easy. DOS (and BIOS) are not re-entrant, so you >would not be able to use any DOS or BIOS calls in your program since >you would not know who was doing what where when you got the tick. >Of course, like all other TSR's you'd have contention problems with >the timer tick. What about all the other people (including DOS) >who expect that tick to be at 18.2? BIOS is, in fact, reentrant. The TSR would not need to rely on any of these services, however, it would merely check interrupt vectors in memory for modifications. You are right about the clock ticks; if you reset the value time might get a little twisted, however, I believe you can also employ Channel 2, normally used for the speaker, but maybe 18.2 would be the resolution you are stuck with. This tactic was really another approach to intercepting a virus which relies on obtaining control from system interrupts. Its utility would be its function in a more comprehensive strategy. *-----------------------------------------------------------------------* | Kent Cearley | CEARLEY_K@COLORADO.BITNET | | Management Systems | | | University of Colorado | "All truth contains its own | | Campus Box 50 | contradiction" | | Boulder, CO 80309 | | | | | *-----------------------------------------------------------------------* ========================================================================= Date: Mon, 8 Aug 88 12:53:18 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Christian J. Haller" <CJH@CORNELLA> Subject: Re: Washing your hands In reply to Les Hill (the Preserver <VISHNU@UFPINE>): >Someone recently advocated the teaching of "viral hygiene" to joe average >computer user while keeping "virus writing" to the experts ( a poor paraphrase, >but it gets the point across). This is the wrong attitude. I think it's the most practical approach we can advocate, in general. > Viruses are a >part of the current computing environment, so are worms, trojans, etc... Only if you expose yourself to them. If you don't try out stuff from uncertain origins, they are not part of YOUR computing environment. >Educating users in prevention is necessary to stem the amount of damage done >by these destructive programs. However, if the future computing environments >are going to be better, computer diseases 101 had best be taught. But not every user has to take it! Give us a break. How much does even a Medical College graduate know about the life cycle of Rift Valley Fever? How much does the average person need to know about how colds operate? Sure, thay should know what viruses are, and how you can't treat a virus with antibiotics, but they shouldn't have to be taught in detail about each of the 127 or more diseases we call colds. It would be useless information to the average person, and a waste of time. Similarly with computer viruses and Trojan Horses, etc.: most users should be aware that such things exist, and know enough about how they work to have a chance of recognizing one when they see its tracks. They should learn some simple rules of hygiene, like using write protect tabs and using a floppy-based system to fool with some RUNME.EXE they just downloaded, if they must try such things at all. Anyone who likes to try out new stuff, to be a pioneer, should know more, like how to install and use some virus detection software. Only a few people should have to learn the nitty, gritty details of how nasty programs accomplish their nefarious tasks, and how to write countering programs. THE REST OF US HAVE BETTER THINGS TO DO! Don't get me wrong. I'm fawningly grateful to you good guys on this list who have chosen (?) to get involved deeply in the struggle. But the computer work of the world is not going to slow down much because of viruses. Susceptible machines, networks, and personal habits will gradually be replaced by safer ones, as a direct result of temporarily "successful" attacks on our software integrity. The average computer user can almost go right on doing what she's doing now. > The field >of computing is growing at an incredible rate and in this growth, nowhere do >we see a system completely foolproof. Why not? Because the system designers >didnt know about the various kinds of computer diseases. Now that they know, I still don't see any completely foolproof systems. > The CIS students >of today will be tommorows programmers, educating them now about how virii >work, detection schemes, security controls and pitfalls, will in the long >run make virus writing something undertaken only by a few experts, instead >of the situation we have now where combatting viruses is undertaken by only >a few experts and every joe hacker on the street can create a virus for >the expert virus hunters to track down. Let's not confuse the average user with either CIS students or system designers. CIS students should learn what you say they should learn, yes, but not more than that. They should also know that it is relatively easy to write a virus, that it is a rotten, unethical thing to do, that it can get you ten years in jail and a ruined financial life, that most viruses can be detected and traced back to their origins if some Sherlock gets on the trail in time. Those who like the idea of being Sherlocks can be encouraged to learn more if they want. Most of us think it more fun and challenge to be on this side of the contest, anyway. Average users should hardly have to learn or do anything but run the one to three applications they want to use. They have work to do. Most of them have a friend who knows about systems and software, whom they trust to let them know when something useful comes along. This is the way things are, and should be. Those of you closely involved with this list--I love you, but don't overstate the need for everyone to join in your enthusiasm. Virus etc. outbreaks have not affected the average user yet, and may not ever. (Thanks to you!) --Chris Haller ========================================================================= Date: Mon, 8 Aug 88 17:56:00 CDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: John Stewart <JSTEWART@SFAUSTIN> Subject: re: Campus Virus Letter I recently posted a message to the list in reply to Len Levine's paper on Viruses. In it I attempted to define a virus. I received several replies, but then we had a problem at our site causing all our incoming Network mail to be refused, and outgoing mail to be deleted. If anyone attempted to contact me during the period of 08/04/88 and 08/08/88 your mail was lost. I would appreciate any re-transmittal of any replies. Thanks for your understanding! +-------------------------------------------------------------------+ : John Stewart <jstewart@sfaustin.bitnet> : : Technical/Academic Support Programmer Office (409) 568-1020 : : Stephen F. Austin State University Modem (409) 568-1334 : : Nacogdoches, Tx 75962 : +-------------------------------------------------------------------+ ========================================================================= Date: Mon, 8 Aug 88 18:27:18 PLT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Andrew Vaught <29284843@WSUVM1> Subject: Hiding viruses The solution is simple. Just print data from another sector, or, possibly a small random-number generator. Binary files look all the same.... Does anyone seriously believe that a virus writer is going to bother with such an esoteric scheme to hide their code? We haven't seen any so far. The reason is that your joe blow computer user just doesn't look at his boot sectors very often, and the only reason anyone else would is if strange things started happening. Viruses have to be small to avoid being obvious. If COMMAND.COM suddenly grows by 30k due to all of the CRC foolers and other wild schemes, even joe blow may notice it. On another tack, anyone have any ideas on the possible future of viruses? The other I got ahold of a book called ``Advanced 80386 Programming'' (sorry, author's name is gone). At very least, Intel has designed one heck of a complicated microprocessor. Since the beast is designed specifically for multi-tasking, there are all kinds of wierd things like ``call-gates'' that allow use of privileged subroutines by low-privilege processes, without giving privileges. I suppose a virus could still call the dos's ``FORMAT HARD DISK'' command, but it seems kind of stupid to provide such an easily accessible command in the first place. Andy Vaught <29284843%WSUVM1.bitnet@cunyvm.cuny.edu> ``I'm on the case, can't be fooled, any objection is overruled.'' ========================================================================= Date: Tue, 9 Aug 88 01:48:49 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Gerbil / Virus Course Well, I was away from my computer for all of two days (my wife is trying to make me cut down) and 200 messages built up on various systems. Thank you for all your responses on the conference, and please keep them coming. First, the Gerbil virus. These viruses have been the source of a lot of confusion over the past few months. I believe someone stated a while back on this list something about an MS-DOS virus that prints little feet across the bottom of the screen and a message that goes along with it. I have not seen hide nor foot of this virus. A friend out at the University of California, however, was able to send me a similar program which they found on someone ELSE's computer system. Its a set of two programs that runs on Vax systems running the VMS operating system. The version I saw was appended at the end of the system login file, so anyone logging in ran the program, unknown to them. This program would count the number of commands a user would type in and after 35 of them (and every multiple thereafter), would call a second program (also written in the DCL command language) that would print very crude "feet" across the bottom of the screen in five lines. They would use a variety of greater than, less than signs and / \ marks. No message was printed. Whether or not this program had a third program which would copy itself into the system login file is unknown to me. I doubt it. It was most likely a prank by someone at that company. But this was the closest thing I could find to the elusive gerbil virus talked about on this system. What I DID find however, was a cute PC "virus" or "bacterium" as I'm told they now call them, that when ran would print a picture of Jerry Pentacoli (I have no idea how to spell that) and a Gerbil jumping from an end-table into him. It then looked for (as do most of these picture viruses) any other disks on the system (including a hard disk C:, D: and so on) and copied itself to them. I would suspect that all of these picture viruses are written by the same person or group of people. They are interesting, but not damaging. Les, Chris, as for a course on viruses, I think that is a bit too specialized for undergraduates, but I would like to see a course given on computer security measures and theories. I don't know whether or not it should be mandatory, because judging by some college's requirements for a BS in computer science, many wouldn't know what computer security WAS much less how to implement protection schemes. Unfortunately, "Computer Security" covers a very broad range of ideas. And perusing the books in our library pertaining to computer security, each has an entirely different subject in them. I'd like to see courses provided to computer science students that overview some of the needs for computer security, including banks, government agencies, the need for secrecy and so on, what computer system administrators need to know, and possibly some protection schemes, how banks are protected, future developements in the field of limited transitivity and limited usefulness, and touching on the problems viruses pose as an advanced way around most protection schemes and how we might slow down or stop their spread. Actually, I think it would be a challenging course to teach... one I wouldn't mind teaching at all. Loren Keim ========================================================================= Date: Tue, 9 Aug 88 08:23:32 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1> Subject: Forwarded comments on virus education from J.D. Abolins Forwarded from J.D. Abolins: Re: Should computerists be told about computer viruses? I believe the they should be told ENOUGH so they know that hazards exist and that they know what to do to minimize risks. Tell them that there are problem programs out in the world. Tell them about the need for accountability of programs, the need for good backup procedures, and how to recognize a damaged system. This type of instruction shouldn't be viewed as VIRUS PREVENTION, rather it should be given as holistic review of good computing practices. After all, it is not just viruses that cause problems (although their replication makes them particularly troublesome); there are Trojan Horses and genral bug-ridden programs. So many of the practices to protect a system from viruses overlap with preventatives for other problems. One of the big dangers in not mentioning viruses at all is that the "innocent" computerist will face getting hurt without even knowing tht the danger exists. One of the big pitfalls they should know about, after being told simply that replicating malicous code- viruses- do exist, is that programs they have considered to be safe, such as commercial software they have bought, can become an agent of damage if they are not careful in their use of the program. "Borrow-ware", the practice of borrowing and lending out "known to be reliable" programs, can catch the unwary. The copy of QDOS bought by a computerist starts out being safe. But the computerist uses it on different machines and over the useage, the copy of QDOS gets a virus code replicated into it. If the computerist is not even aware of viruses, he/she will have no idea that their "trusted program, bought with their own money" can be the carrier of trouble. Tell them, yes. Tell them just enough to know it is rough world out there and tell them how to minimize their risks. Beyond that, the average computerist need not hear how to make a viruse, their modes of attack, etc. As for the debate about Fred Cohen's mention of viruses causing the virus case at Lehigh, I agree with Ken that the issue is moot. (Anyway, it would have probably someplace just as well without any course on viruses. After all others have mentioned the concept and if Fred Cohen could conceive of the possibility, so can many other people. But enough said.) J.D. Abolins If this message made it OK to VIRUS-L, then TRANSMIT with the SEQ option worked. In that case, Sylvia, you were right. Thank you. Kenneth R. van Wyk Overheard in a Thai restaurant: User Services Senior Consultant Lehigh University Computing Center "I don't know what you're having, Internet: <luken@Spot.CC.Lehigh.EDU> but my nose is running!" BITNET: <LUKEN@LEHIIBM1> ========================================================================= Date: Tue, 9 Aug 88 08:30:43 MDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Chris McDonald STEWS-SD 678-2814 <cmcdonal@WSMR10.ARPA> Subject: Re: "2600" Quarterly, Summer, 1988 In-Reply-To: Your message of Mon, 1 Aug 88 22:45:00 MDT You may address subscription correspondence to: 2600 Subscription Dept PO Box 752 Middle Island, NY 11953-0099 Yearly Subscription: $15 individual $40 corporate I subscribe to the quarterly--am not on their payroll. Chris McDonald White Sands Missile Range ========================================================================= Date: Tue, 9 Aug 88 09:14:54 CST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Claudia Lynch <AS04@UNTVM1> Subject: Re: Gerbil / Virus Course In-Reply-To: Message of Tue, 9 Aug 88 01:48:49 EDT from <LKK0@LEHIGH> Who is Jerry Penticoli? ========================================================================= Date: Tue, 9 Aug 88 14:57:31 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1> Subject: Re: Gerbil / Virus Course In-Reply-To: Message of Tue, 9 Aug 88 09:14:54 CST from <AS04@UNTVM1> >Who is Jerry Penticoli? He's a local (Philly) tv newscaster who is *alleged* to have a somewhat, er, non-humane association with gerbils. But, please *PLEASE*, lets not get into a discussion of this here! The only possible viruses stemming from any such alleged acts are certainly not computer related... Ken Kenneth R. van Wyk Overheard in a Thai restaurant: User Services Senior Consultant Lehigh University Computing Center "I don't know what you're having, Internet: <luken@Spot.CC.Lehigh.EDU> but my nose is running!" BITNET: <LUKEN@LEHIIBM1> ========================================================================= Date: Tue, 9 Aug 88 14:08:00 PDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Ed Sakabu <CSMSETS@UCLAMVS> Subject: Re: Re: "2600" Quarterly, Summer, 1988 If you are subscribing for work (i.e. you're a security officer) you may want to subscribe in the name of the company (2600 claims that they will NOT EVER release the names of companies that subscribe). If you subscribe using your own name there is a possibility that you may get on some lists that you don't want to be on (this is PURE SPECULATION and is based on my own paranoia, but being on such a list (i.e. "cracker list") may not be very good if you are a security consultant and are looking for work, the FBI has been known to keep such lists before and I don't think there gona stop now.) --Ed > You may address subscription correspondence to: > > 2600 Subscription Dept > PO Box 752 > Middle Island, NY 11953-0099 > > Yearly Subscription: $15 individual > $40 corporate > > I subscribe to the quarterly--am not on their payroll. > > Chris McDonald > White Sands Missile Range ========================================================================= Date: Tue, 9 Aug 88 23:18:00 MDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: LYPOWY@UNCAMULT Subject: Re: Re: "2600" Quarterly, Summer, 1988 In-Reply-To: Message of 9 Aug 88 15:08 MDT from "Ed Sakabu" Is 2600 magazine anything like the TAP issues of Old?? Greg. ========================================================================= Date: Wed, 10 Aug 88 09:20:00 PDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Ed Sakabu <CSMSETS@UCLAMVS> Subject: Re: Re: Re: "2600" Quarterly, Summer, 1988 I think (correct me but please don't flame me if I'm wrong) TAP went under (financially that is) and some of the staff brought it back as 2600. --Ed > Is 2600 magazine anything like the TAP issues of Old?? > > Greg. ========================================================================= Date: Wed, 10 Aug 88 14:03:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: WHMurray@DOCKMASTER.ARPA Subject: "Computers and Security," Virus Supplement The current issue (April?) Volume 7, number 2, of the subject journal has a special supplement on computer viruses. It may be of interest to the readers of this forum. regards, Bill ========================================================================= Date: Wed, 10 Aug 88 18:49:58 CDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Len Levine <len@EVAX.MILW.WISC.EDU> Subject: Re: Trapping Disk Calls In-Reply-To: Message from "Art Larky" of Aug 2, 88 at 3:28 pm > >You won't catch my virus by watching for DOS calls, because I won't use >them. >... > Command.com is a great place to hide a virus, not only because it has >room for it, but also because it gets executed immediately after your >autoexec, so your chances of catching the virus depend upon what you do >in autoexec. Also, everyone has command.com and everyone uses it all >the time, so it has lots of chances of spreading an infection. Just a slight correction, command.com is executed *before* autoexec.bat + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + | Leonard P. Levine e-mail len@evax.milw.wisc.edu | | Professor, Computer Science Office (414) 229-5170 | | University of Wisconsin-Milwaukee Home (414) 962-4719 | | Milwaukee, WI 53201 U. S. A. Modem (414) 962-6228 | + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ========================================================================= Date: Wed, 10 Aug 88 19:00:27 CDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Len Levine <len@EVAX.MILW.WISC.EDU> Subject: Re: Virii and Screen Output In-Reply-To: Message from "Amanda B Rosen" of Aug 8, 88 at 12:59 (midnight) > >David Slonosky's idea of a virus concealing itself is quite interesting, but >there is a reason I don't think it could work. > >To really hide, the virus would have to remember the code it was overwriting. >Otherwise, finding a chunk of $00s or No-ops in the middle of your code would >be pretty suspicious (unless you're looking at COMMAND.COM :-) > ... >The point is, this virus rapidly grows so complex that it couldn't hide. The >original copy would be huge, and it would have a significant effect on the >system. > not so. There is lots of room, just declare a few disk blocks to be unavailable in the FAT, and use that space. Noone looks to see what happens to the bad block space, even of a floppy. + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + | Leonard P. Levine e-mail len@evax.milw.wisc.edu | | Professor, Computer Science Office (414) 229-5170 | | University of Wisconsin-Milwaukee Home (414) 962-4719 | | Milwaukee, WI 53201 U. S. A. Modem (414) 962-6228 | + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ========================================================================= Date: Wed, 10 Aug 88 23:29:00 -0500 Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> Comments: converted from NETDATA format at UOFMCC From: Steve Morrison <b1morri@CCU.UMANITOBA.CA> Subject: Re: Trapping Disk Calls In-Reply-To: <428*b1morri@ccu.UManitoba.CA> Can you not adjust your CONFIG.SYS to hide almost anything within your RAM? Stevo ========================================================================= Date: Thu, 11 Aug 88 10:53:08 +0100 Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Stefan Parmark <tmpspa@EUA4.ERICSSON.SE> Subject: Question about virus attacks I have been reading your discussions with great interest. However, I feel that very little has been said about viruses on VAX-11, Sun and other generally-not-owned-by-private-persons computers. I am writing a report on viruses here at Ellemtel in Sweden. I think it should contain something about the viruses having hit a little larger machines. My report will mostly contain a summation of what has been said about viruses on this and other lists. It will not concentrate on PC viruses and specific PC solutions. Instead it will be about viruses and protections for the *general* micro/mini computer. Of special interest here is the Unix environment, which is used in an increasing number of mini computers today. I would like to know about viruses, which have struck company computers. I will respect that you don't want the name of your company to leak out if you have been hit, but I would like to know what happened. Just tell me it was some other company you can't recall the name of. I don't mind. If you still aren't sure if you dare trust me with virus information, I can let my superiors contact you. I would also like to know what software there is to protect against viruses. So far I have only run across TCELL. Has anyone had any experience with this? When finished, I will make my report available to Kenneth R. van Wyk, so you all can download it. Please e-mail all answers. I appreciate all the help I can get. Stefan Parmark tmpspa@eua4.ericsson.se Ellemtel Sweden ========================================================================= Date: Thu, 11 Aug 88 15:17:45 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Mainframe Viruses Stephan, We've been doing detailed work on mainframe viruses for some time. Most of the original work on viruses done by Fred Cohen, etc was done on a variety of Unix machines and Vax's if I remember correctly. There have been a few virus attacks on mainframes. One in particular, a banking institution in northern New Jersey was hit only 5 or 6 weeks ago. Their name cannot be released however. The problem with most corporate attacks and mainframe attacks is that they are sworen to secrecy. IBM being hit by the Christmas Tree virus was one publicized virus. Most mainframe security systems are worthless against viruses I am VERY sorry to say. Again, not to plug myself, but Lehigh Valley Innovative Technologies' Innoculator package is available for VM/CMS, VMS, Unix boxes (most including Sun's). And I believe there is another such package out there, but I'l have to check on the name again. It is very hard to attempt to stop virus attacks on mainframes, but we're working on various ways of stopping them. Loren Keim LKK0@LEHIGH ========================================================================= Date: Thu, 11 Aug 88 16:05:32 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "David M. Chess" <CHESS@YKTVMV> Subject: Mainframe Viruses and whatnot I hate to be such a nitpicker, but CHRISTMA wasn't really a virus in the usual sense, since it didn't insert itself into any executable files, but just sent itself (CHRISTMA EXEC) around the net. I think the distinction is rather important, since it's Real Easy to write a filter that just zaps anything of the right size called CHRISTMA EXEC, whereas it's typically much harder to deal with a real, spreading, arbitrary-program- altering, virusy virus. (A word that seems to fit CHRISTMA well is "bacterium".) (The hacked FLUSHOT wasn't really a virus, either, as far as I know; it was just a Trojan Horse that did bad things to your system when you ran it. It didn't spread itself. I'd hate to see "virus" come to mean "something that does something bad to something". Let's reserve it for, as Fred Cohen said, "a program that can 'infect' other programs by modifying them to include a possibly evolved copy of itself".) Back to the subject: I think it'd be interesting if Loren (or anyone else) could tell us some of the things that make virus-fighting on mainframes harder than on micros (if I'm reading Loren's item aright). Anything you can tell us without exposing anyone's dirty laundry? DC ========================================================================= Date: Thu, 11 Aug 88 16:59:23 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Mainframe problems Well Dave, The easiest thing for me to say is "The more complex the machine, the harder it is to protect", but its more than that. A micro, all by itself is easier to protect than a network or than a lot of computers in one room used by many people, and so on. One of the problems with mainframes is the number of users, and the possibility of very remote computer sites accessing the system. Let say, for example, that those using our example mainframe M get onto the system by way of microcomputers. Lets say someone "has it in" for this company as well. It is possible for someone to write a program which attacks your companies modem program and gets itself to the mainframe through it. Because there is a large number of users of M, this virus-modem program can spread from user to user and affect each part of the mainframe, not just the parts a particular user has access to. We have demonstrated this possible problem with Unix computers in the past, having the virus "pick-up" privilages until it was able to attack the entire machine. This is a dangerous problem, and one we cannot take lightly. If a virus "blows up" on a mainframe, realize that we have the possibility of losing data from many users, not just a single disk as is the case with a single micro. The problem, also, is that we cannot just CRC the entire machine. People may be developing, someone is always changing around files, and there are many places for viruses to hide on the system. We have to find a way to stop viruses from spreading on these machines without limiting the machine to those programs "okay'd" by the administrator of M. We have looked at DER one-way-encryption protection of libraries of machines, or creating a shell around the mainframe to "write protect" files, or protecting certain programs and not others, or even limited transitivity of the machine... breaking it down into blocks that users can access certain things but not everyone can get things from everyone else. Its a difficult problem. We don't have the ease of making sure DOS checking all writes before they write and watching for direct writing. With each mainframe, we must check carefully what is changing and whether or not the user wants it to change. Loren ========================================================================= Date: Thu, 11 Aug 88 17:40:43 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Mainframe Woe's continues One other thing that some collegues of mine just mentioned to me: It may be true that it is harder to write a mainframe anti viral package than a micro av package, BUT its also generally harder to write a virus for that system. Our job isn't to create a virus-proof system, I don't believe one exists... but what we can do is make the environment harder and harder to attack, make the virus writer really work to write a good virus, and make the number of people who can write a virus to go oaround our systems so small that no one does it. Loren ========================================================================= Date: Thu, 11 Aug 88 20:52:25 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Joe Sieczkowski <joes@SCARECROW.CSEE.LEHIGH.EDU> Subject: Mainframe I wouldn't consider mainframes "harder" to protect than PC's just "different". A mainframe gives you a lot of advantages that you don't have on a PC. On the other hand, there is greater sharing of resources on mainframes which makes viral spread more dangerous. First of all, a mainframe (or mini for that matter) has a secure Operating System. You cannot address REAL memory and you cannot access the I/O ports directly like on a PC. Moreover, a virus has no more priveledge over the OS than the invocing user. Granted a virus can climb the ladder, but it must do so through ordinary means; ie it can't immediately write itself to the disk, or to the command processor until it has priveledge to do so. So a mainframe virus must link itself to an ordinary executable to be able to get itself into memory, replicate to other executables, and test to see if it has enough priveledge to accomplish its pre-determined task. Of course, depending on the OS, a mainframe virus might be able to modify a users local command processor so as to stay totally active during the entire session (or even after the user logs out). But the virus only has the priveledge of the user. Let's go over a quick example of how a virus might climb the ladder. Suppose there are several users on a mainframe: Prof Smith, John, Mary, Jim, System, and The_Rest. Let's say that John, Mary and Jim are in the professor's programming class and that Prof Smith has priveledge over their accounts. The user System has priveledge over all accounts. John decides to upload this great game to the system (it happens to contain a virus). He executes it and all his files are subject to infection. Mary executes the program too and all her files become subject to infection. The Professor decides to check on Mary's work, so he executes one of her programming assignments. Well, this assignment was infected so not only does the Prof. files become subject to infection but Jim's files become infected as well. Finally, the professor just finished a software package. He tells System that it's ready to be installed. System puts it in with the other system files and executes it to make sure it was installed properly. Now The_Rest of the system is subject to infection and the virus has system priveledge. It can do anything it wants! There are ways to use mainframes security features to their maximum advantage to try to prevent the above senario. You could isolate the system from the outside world; however, this is inadvisable since an ordinary user could write the virus anyway. You could isolate the users from one another but this probably wouldn't be advisable especially considering users often need to work together to complete a project. The best method is probably to look for footprints that indicate a possible virus about the system. In a program I wrote a short time ago to protect a UNIX OS I did the following: * Set up a CRC table of system programs (ie those owned by root, bin and uucp) The CRC table can only be modified by root and re-asks for his password during any modification. * sh (the command processor) was modifyied to check the CRC table for system files being executed. If it changed it didn't execute. As a matter of fact it was quarentined and mail was automatically sent to root about it. * A daemon was run in backround to periodically check system files for change. If changed they were quarintined ...especially if the "set-uid" bit was on. This method left users with total freedom while it protected system stuff. There were other smaller features as well and various other optional checks. Joes joes@scarecrow.csee.lehigh.edu ========================================================================= Date: Thu, 11 Aug 88 19:23:00 PDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: SUE@UWAV1.ACS.WASHINGTON.EDU Subject: QUESTION ABOUT MAINFRAME, VMS VIRUS WHERE CAN I GET <TECHNICAL> DETAILS ABOUT MAINFRAME (VMS) VIRUSES?? HOW THEY WORK, PROPAGATE, ETC.? SUE@UWAV1.ACS.WASHINGTON.EDU SUE@TOBY.ACS.WASHINGTON.EDU ========================================================================= Date: Thu, 11 Aug 88 20:32:05 pst Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Bill Meyer -- x36039 <wm%alvin.llnl.gov@LLL-LCC.LLNL.GOV> SIGNOFF VIRUS-L ========================================================================= Date: Fri, 12 Aug 88 09:00:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Joseph M. Beckman" <Beckman@DOCKMASTER.ARPA> Subject: Re: Mainframe Viruses and whatnot In-Reply-To: Message of 11 Aug 88 16:05 EDT from "David M. Chess" > Christma wasn't really a virus in the usual sense, since it didn't >insert itself into any executable files, ... a real, spreading, >arbitrary-program altering, virusy virus. I suppose the "Lehigh virus" wasn't a virus then, since it didn't insert itself into "arbitrary programs"? Of course, we will also have to excuse the "Brain virus" since it propagated to the boot sector, not an arbitrary program. > ...it's Real Easy to write a filter that just zaps anything of the >right size called CHRISTMA EXEC... Sure! And I can write a filter that zaps Command.Com & zeros out the boot block too! That'll stop those beasties! > Let's reserve it for ... a program that can 'infect' other programs >by modifying them to include a possibly evolved copy of itself. Closer. The question is, what distinguishes an ordinary Trojan Horse from the virus variant? The answer is, the virus has a more-automated distribution mechanism. If I infect WORD PERFECT or WORDSTAR (trademarks of some company) with an ordinary Trojan Horse, it will end up in zillions of places. The distribution, though is at human speeds. Someone has to learn about the package order it, have it shipped, etc. (In the government it is 'bureaucratic speed', an oxymoron). A virus speeds that distribution up by propagating itself electronically. Focusing on "programs" is a little misleading; the distinction between "data" and "programs" in the general sense is very difficult to make cleanly. For instance, the CHRISTMA EXEC existed within each user's VM space. Now VM is just another program, so since the virus existed within it, it had "infected" that user's VM "program." Joseph ========================================================================= Date: Fri, 12 Aug 88 13:07:43 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: me! Jefferson Ogata <OGATA@UMDD> Subject: What's the latest on the conference thing Hey folks. This list has been pretty quiet lately. What's new? - Jeff Ogata ========================================================================= Date: Fri, 12 Aug 88 16:42:31 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Conference Notes We have MANY replies in on the virus conference. Right now, we are trying to set upa conference for October 21-23. We are trying to contact possible speakers, and making certain we can get rooms. We will have most of the major details worked ou by the end of the weekend. I'll write about it then. Thank you for all the respones! Loren ========================================================================= Date: Thu, 11 Aug 88 23:53:00 MDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: LYPOWY@UNCAMULT Subject: Re: QUESTION ABOUT MAINFRAME, VMS VIRUS In-Reply-To: Message of 11 Aug 88 20:23 MDT from "SUE at UWAV1.ACS.WASHINGTON.E One of the professors in our faculty here at the U of C wrote a paper oriented more toward mainframes than micros. Here is the biblio for it: Witten, Ian H., Computer (In)security: Infiltrating Open Systems, Abacus (Magazine) Vol. 4, No. 4, (Summer 1987) If you have any questions for Dr. Witten I may be able to pass them on to him, r even give you his E-Mail address. The article covers what a virus cna do, and in fact gives you an idea of how to write one. Greg Lypowy ========================================================================= Date: Sat, 13 Aug 88 09:29:00 MDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Bernie <BSWIESER@UNCAMULT> Subject: History Being a new user to this service, I am not too sure yet what has/has not been discussed. Please forgive any repetition. I recently got into a discussion about the origins of trojan horses and viruses. I believe that it was the industry itself which propagated the idea of time bombs and such so as to protect shareware and non copyprotected software. Being a hacker, I don't believe hackers in general are innately evil. My colleague believes that it is the mischievous hacker trying to get at his enemies which propagated this 'wave' of problems. Does anyone know anything in depth about the history of such stuff? The main point is who is to blame! :) BSW ========================================================================= Date: Sat, 13 Aug 88 09:29:00 MDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Bernie <BSWIESER@UNCAMULT> Subject: History Being a new user to this service, I am not too sure yet what has/has not been discussed. Please forgive any repetition. I recently got into a discussion about the origins of trojan horses and viruses. I believe that it was the industry itself which propagated the idea of time bombs and such so as to protect shareware and non copyprotected software. Being a hacker, I don't believe hackers in general are innately evil. My colleague believes that it is the mischievous hacker trying to get at his enemies which propagated this 'wave' of problems. Does anyone know anything in depth about the history of such stuff? The main point is who is to blame! :) BSW ========================================================================= Date: Sat, 13 Aug 88 16:18:21 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "David A. Bader" <DAB3@LEHIGH> Subject: PK36 and PK361 Here is an interesting set of documents that I found concerning the validity of Phil Katz's archive makers and extractors. The first document concerns the court case between SEA and PK: ------------------------------------------------------------------------ FOR RELEASE ON AUGUST 1, 1988 From: System Enhancement Associates, Inc. (SEA) and PKWARE, Inc. and Phillip W. Katz (PK) August 1, 1988 - Milwaukee, WI In the first known "Shareware" litigation, pending in the local United States District Court, the parties System En- hancement Associates, Inc. (Plaintiff - SEA) and PKWARE, Inc. / Phillip W. Katz (Defendants - PK), after reaching agreement, consented to the entry of the attached Judgment for Plaintiff on Consent. That Judgment was entered by Judge Myron L. Gordon, effective on August 1, 1988. Part of the agreement reached by the parties included a Confidential Cross-License Agreement under which SEA licensed PK for all the ARC compatible programs published by PK during the period beginning with the first release of PKXARC in late 1985 through July 31, 1988 in return for the payment of an agreed upon sum which was not disclosed. Additionally, PK was licensed, for an agreed upon royalty payment, to distribute its existing versions of PK's ARC compatible programs until January 31, 1989, after which PK is not licensed and agreed not to pub- lish or distribute any ARC compatible programs or utilities that process ARC compatible files. In exchange, PK licensed SEA to use its source code for PK's ARC compatible programs. PK agreed to cease any use of SEA's trademark "ARC" and to change the names or marks used with PK's programs to non-confusing designations. The Judgment provided for the standard copyright, trademark and unfair competition injunctive relief for SEA a- gainst PK, as well as damages and litigation expenses to be paid by PK to SEA. Both parties agreed to refrain from any comment concerning the settlement of the disputes, other than the text of this press release. Also, the parties instructed all of their representatives to refrain from any such activity. Any other details of the Cross-License Agreement were agreed to be maintained in confidence and under seal of the Court. In reaching the agreement to dispose of the pending litigation and to settle the disputes that are covered thereby, PK did not admit any fault or wrongdoing. ------------------------------------------------------------------------ The next document is a few memos downloaded from a BBS and deals with problems in PK36: ------------------------------------------------------------------------ ******************* ALERT! WARNING! ALERT ****************************** Downloaded from ACOM I BBS -- HOUSTON, TX 7-14-88 LATEST IMPORTANT NEWS...!!! ---------------------------------- . - Msg # 2339 Dated 07-08-88 01:07:49 Security: 0 - From: PAT FORBES - To: ALL - Re: WARNING !!! PKARC V3.6 Last read at 18:59:36 on 07/08/88 - - WARNING !!! There is something fishy going on with PKARC Version 3.6. - It is doing some weird things in memory that it should not be... - BBS-Chess also plays in memory... vectors... interupts... etc and it - will flat abort if it sees something weird... it does whenever PKARC - version 3.6 is run. Previous versions of PKARC are ok... its just 3.6 - that goes places in memory it should not be... - - We are calling the authors on 7-8-88 to confirm that there is such a - version. This may be more than just an "unarcer". It may be an honest - mistake... a bug... but be safe... not sorry!!! Remove it and use the - older version until we can get in touch with the author. - - This "messin in memory" was confirmed by a sysop in Georgia and another - in Southern California... both discovered the same thing. PKARC 3.6 is - Going places in memory... and leaving things in memory that it should not - be ... - -------------------------------------------------------- - Msg # 2344 Dated 07-08-88 16:41:09 Security: 0 - From: PAT FORBES - To: SARA JONES - Re: (R)THANKS Last read at 19:01:15 on 07/08/88 - - I talked to the author of PKARC today. It is confirmed... he is doing - some weird things in memory to.... "keep people from seeing his code". - He said he did not think it was necessary to put everything back to - normal when the code exited.... he now sees the err of his ways... - A lesson here.... mess with DOS all you want but.... put EVERYTHING back - to normal (the way it was) when you are done... - - Expect a new release very shortly but for the time.... DO NOT USE - version 3.6 unless you don't mind an occasional reboot or system lockup. - Use version 3.5 or less... - - ------------------------------------------------------------------------ Ok, and finally, this next session is some kind of warning chat that was also available: ------------------------------------------------------------------------ These are some interesting tidbits I discovered on GT-Net. Read 'em and form your own opinions.... Dave Williams 07/20/88 ############################################################################### #### first, some bulletins from Rick Kunz' NW Pacific GT-Net... ############################################################################### 7-15 Pulled PK3.6 and put a short version of the .COM files from PK 3.5 back up, temporarily, until bug fix is out. GT14.02 files will bw up in GENERAL file dir shortly; new install program also. 7-12 ===> The following was received from a fellow GT Sysop today; a word to the wise-- I did reinstall PK version 3.5 on both systems. --- --- --- --- I hope you have gotten the word by now, but in case you haven't there is A BIG PROBLEM with PKXARC/PKARC Ver. 3.6...has to do with the way Katz modifies vectors ( and then doesn't reset them)....it has caused me some real pain with BBSCHESS and some other programs.....just wanted you to know! ############################################################################### ##### and in CHAT mode with the sysop...... ############################################################################### @DDDDDDDDDDDDDDDDDDDDDDDY 3 GT NET/NODE 007/000 3 @DDDDDDDDDDCDDDDDDDDDDDDY @DDDDDDDDDDDDDDDDDDDDDY 59 Minutes left. Enter command (? for help): p ................ Dave Williams, Sorry if I broke in-- you're chatting with Rick Kunz! Yep...! Sorry to bother you..what's this about PK36? PK36 grabs some ints and doesn't let go of them. It's an attempt to foil hackers, to avoid another PKX35B35 debacle. The problem occurs as far as I know, only if you access PK36 from a shell, such as in viewarc utils, etc. It causes some real unpredictable results with those. No wonder!!!!! I run shelled out of Qmodem or PC-Write half the time, and I've been having some radical hard disk problems - CRC errors all over the place. I thought it was just the disk dying, but it started getting bad when I got PK36. Haven't lost anything, but it sure makes some torturous moises. Well, go back to 3.5, if you don't have it around, I put the .COM files in a little arc in the general directory. I think I have them laying around on an odd disk - I can get 'em locally if I need 'em. Sort of a surprise, finding problems in PKARC...... For sure! Phil has his share of problems lately, the 3.6 thing, I noticed it affecting serial communications on both machines as well as some frazzed disk stuff, and a couple days after reverting to 3.5, my highspeed xfers are back again. So if anyone gripes abouut file xfers, see if they've been using 3.6. Yeah. !?! OK, thanks a lot. I'll let ya go.... Sure-have a good one! ############################################################################### #### and finally, some dumps of the SOFTWARE echo on GT-Net ############################################################################### FILE SECTION: #1 - GENERAL - Miscellany, open access, ALLFILE.ARC Msg Base: #28 - SOFTWARE TECH; Chris Smith's GT Echo Msg No: 473. 7-08-88 19:59.01 From: Fred Horner To: Rusty Stone Subject: PK36.EXE I have unpacked and use pk36 with no trouble, however I have seen reports that it may have a problem with using int 3 and not releasing it when its through. Might want to stick with the 35 ver until we know for sure. .ORIGIN: 001/001 - THE PROGRAMMER'S WORKSHOP - SEND MAIL TO 001/003. Msg Base: #28 - SOFTWARE TECH; Chris Smith's GT Echo Msg No: 505. 7-13-88 23:09.18 From: Mike Schmieg To: Rusty Stone Subject: PK36.EXE Based on the latest report, just do away with PK36 files and return to 3.5. Wait until the 3.61 release comes out. I've already found problems with the board with 3.6. .ORIGIN: 006/006 - THE NOOK-CINCINNATI,OHIO (GEOFF MANDEVILLE, SYSOP) Msg Base: #28 - SOFTWARE TECH; Chris Smith's GT Echo Msg No: 511. 7-15-88 18:35.28 From: James Gaas To: Tony Locicero Subject: PK36.EXE Have you seen the recent "warnings" about using PK36? Seems it will cause lock ups. The current suggestion is to go back to PKX35A35 until the author releases PK36.1 .ORIGIN: 001/025 - J & J'S CASTLE - JAMES GAAS - HOUSTON << (713) 988-1922 >> Msg Base: #28 - SOFTWARE TECH; Chris Smith's GT Echo Msg No: 516. 7-16-88 8:39.43 From: John Dunham To: Mike Schmieg Subject: PK36.EXE I had problems with cross-linked clusters and damaged fat's. I started backing out programs from the lastest obtained. When I backed out PK36.EXE, the above disk problems stopped. I am now staying on 3.5 until a bug fix for 3.6 is released. .ORIGIN: 031/000 - THE LONG BEACH GT - LONG BEACH, CA - (213) 422-3986 Msg Base: #28 - SOFTWARE TECH; Chris Smith's GT Echo Msg No: 517. 7-17-88 13:32.29 From: Tony Locicero To: James Gaas Subject: PK36.EXE Have seen no problem on my system related to the PK36. Seems to affect only a few programs such as BBSCHESS as described by the author. Since I don't run this program and since EVERYTHING that I use seem to run well with it, I will continue to use it. It seems to run well on a wide variety of my machines on a wide variety of applications. Might be specific to that one application. .ORIGIN: 001/009 - THE BLACK ORCHID - HOUSTON, TX. - (713) 527-8719 Msg Base: #28 - SOFTWARE TECH; Chris Smith's GT Echo Msg No: 522. 7-17-88 6:36.22 From: Rusty Stone To: Fred Horner Subject: PK36.EXE Fred, Thanks for the warning. I will watch for more information on the Pk36 problem. Rusty .ORIGIN: 001/018 - SYSTEM ENVIRONMENT - SYSOP RUSTY STONE - 713/672-8318 ------------------------------------------------------------------------ I have heard many discussions on local BBS's as to whether or not PKXXX is real or a trojan/virus/whatever... But hopefully this will shed some more light on the situation with PK's software. Incidentally, I have a copy of PK361.EXE, and all the filenames have been changed from PK36.EXE (obviously due to the litigation with SEA). David A. Bader DAB3@LEHIGH ========================================================================= Date: Sat, 13 Aug 88 16:49:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: WHMurray@DOCKMASTER.ARPA Subject: Re: History In-Reply-To: Message of 13 Aug 88 11:29 EDT from Bernie >My colleague believes that it is the mischievous hacker trying to >get at his enemies which propagated this 'wave' of problems. Does anyone >know anything in depth about the history of such stuff? The main point is >who is to blame! I would argue that that is not the main point at all. This is not the six o'clock news, or even TV. There are no good guys or bad guys here. There is nothing to be gained by finger pointing. "We have seen the enemy and he is us." Viruses and Trojan Horses are simply special cases of lies. Under most circumstances, lying is considered bad form, even immoral. In the case of these programs, they are destructive of other peoples resources and of the community's trust. That seems adequate reason to condemn them and the behavior of their authors in perpetrating them. However, with the current spate of PC viruses, it seems reasonable to say that they belong in the category of mischief, rather than that of evil. While their authors could predict how they would behave in a given system, there is evidence to suggest that they did not know how, or even if, they would spread, or how destructive they might be. Indeed, it seems clear that these acts were not motivated by vengeance or even greed. Rather, they were motivated, to the extent that they were motivated at all, by idle curiousity. The essentially gratuitous nature of these acts is mitigated only by the fact that the perpetrators were also ignorant of how much damage they might do. Some have suggested intellectual curiousity as a motive. However, while it is possible to write a clever virus, one need not be clever to do so. Writing a destructive virus is not a demonstration of skill. Perhaps it was simply the novelty of the thing. Or it may be, that having assayed the power, the perpetrators were not sufficiently mature to resist the temptation to use it. And the rest of us, those of us with an interest in the honest labelling and orderly behavior of programs, what has motivated us? Clearly that has been some greed and fear peddling. There has been a certain amount of grudging admiration. Certainly there has been identification and sympathy, for we know that the biggest difference between them and us is that they coded theirs' and let them go. We have reacted from incredulity (What do you mean, it could take over my system?!), and from hubris ("I have a 100% defense against viruses!" (when what he really meant was he could protect your hard disk from updates). Mostly we have reacted from fear; not the rational fear of a destructive and mindless lie, but rather the fear that someone might try to keep the truth from us. Not the fear of the damage that could be done by a virus, but the fear that in dealing with them someone else might infringe some cherished privilege (What do you mean, I can't require my students to write a virus?!). We have reacted from almost every motive but enlightened self-interest. So you see, the point is not who is to blame. There is plenty of blame to go around. Please do not start pointing fingers. The issue is not where have we been, but where do we go. The novelty is gone forever. It is now clear how much damage can be done. It only remains to be seen whether or not we can resist the temptation of the power and bring ourselve to censure and sanction those who cannot. William Hugh Murray, Fellow, Information System Security, Ernst & Whinney 2000 National City Center Cleveland, Ohio 44114 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 ========================================================================= Date: Sun, 14 Aug 88 11:42:11 P Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Hank Nussbacher <HANK@BARILVM> Subject: Re: VM mainframe viruses >From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> >Subject: Mainframe problems >Date: Thu, 11 Aug 88 16:59:23 EDT > >company as well. It is possible for someone to write a program which >attacks your companies modem program and gets itself to the mainframe >through it. Because there is a large number of users of M, this >virus-modem program can spread from user to user and affect each part of >the mainframe, not just the parts a particular user has access to. > >We have demonstrated this possible problem with Unix computers in >the past, having the virus "pick-up" privilages until it was able >to attack the entire machine. This is a dangerous problem, and one >we cannot take lightly. I think you should be more selective about your use of the word mainframe. Each operating system has its own "way" of working and one method of introducing a virus into a "mainframe" environment - will not be successful in another opertaing system. Your example of a virus-modem program might well work in Unix but it would have to work quite differently in VM. Viruses are basically introduced to a mainframe VM user - simply by their executing a program that has a virus. It is not passed by modem nor in any other method. >From: Joe Sieczkowski <joes@SCARECROW.CSEE.LEHIGH.EDU> >Date: Thu, 11 Aug 88 20:52:25 EDT > >Let's go over a quick example of how a virus might climb the ladder. >Suppose there are several users on a mainframe: Prof Smith, John, >Mary, Jim, System, and The_Rest. Let's say that John, Mary and Jim >are in the professor's programming class and that Prof Smith has >priveledge over their accounts. The user System has priveledge over >all accounts. John decides to upload this great game to the system >(it happens to contain a virus). He executes it and all his files >are subject to infection. Mary executes the program too and >all her files become subject to infection. The Professor >decides to check on Mary's work, so he executes one of her >programming assignments. Well, this assignment was infected >so not only does the Prof. files become subject to infection >but Jim's files become infected as well. Finally, the professor >just finished a software package. He tells System that it's >ready to be installed. System puts it in with the other system >files and executes it to make sure it was installed properly. >Now The_Rest of the system is subject to infection and the virus >has system priveledge. It can do anything it wants! Let us use Joe's example. Notice how we are under the assumption that each user will 'execute' the infected program. One major difference between VM and PC's is that in PCs all the files on disk are accessible by anyone using the PC. In VM, all files are not available - until someone allows you access to his or her files. Unix works in reverse - all files are accessible until you impose some sort of password on it. In VM - all files are not accessible until you impose a password on your individual files. In VM, there are systems disks which only systems people can write to. You are now implying that a systems account has become infected. How does that happen? By running some infected program. How does that infected program get to him? Either via his virtual rdr or via a link to a non-systems disk. Any systems programmer who does either of these is not a professional systems programmer who is responsible for the maintenance of a multi-million dollar computer and thousands of users. The two rules are: 1) Never execute any program that arrives in your virtual reader that you don't know anything about. You can receive it to disk - which will not infect you, but under no circumstance should you execute it. 2) Never link to a disk of a non-systems account. All the programs a systems programmer needs are on systems maintained disks and he/she should not go scavanaging for all sorts of "other" pgms (i.e. games, utilities) that reside on privately maintained minidisks. By doing so, he/she is compromising the operating system he was entrusted to maintain. I remember one systems programmer who violated that rule and a clever kid imbedded a nucleus extension in the systems programmer virtual machine that informed the kid when it was installed via a MSG, then proceeded to set MSG IUCV and SM IUCV and let the systems programmer continue working while all the while everything he was typing appeared on the console of the kid as well as the fact that the kid had set the nucleus extension to accept cmds via IUCV and be executed silently. Imagine the suprise of the systems programmer as one minute he browses PROFILE EXEC and the next instant the kid issues an ERASE PROFILE EXEC via IUCV and the systems programmer never sees it happening. NUCXMAP did not reveal anything, since the kid called his stub NAMEFIND which replaced the original NAMEFIND. Only tracing the virtual machine and finally finding that the NAMEFIND nucleus extension was larger than the one everyone else had made the systems programmer suspicious. But as soon as the systems programmer was close to debugging it - the kid issued a 'NUCXDROP NAMEFIND' and the virtual machine virus disappeared for good. Only by executing the trojan horse game/program would it reappear in the systems programmer virtual machine. The trojan horse program happened to be called RECEIVE MODULE and was located on a users private disk that the systems programmer had accessed ahead of the standard S-disk. Hank ========================================================================= Date: Sun, 14 Aug 88 14:51:21 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: VM Mainframe Infiltration Hank, I have to disagree with you. You say that a modem-mainframe virus would never work in a VM environment, but we have demonstrated such problems in the past. It depends on the program. Clarkson University makes a program which I'm using right now on a VM system to answer your mail. It allows easy access to VM systems from microcomputer networks. It redefines all sorts of key configurations and allows some interaction with VM files and programs. If properly edited, a program of this kind (this is theoretical, because I don't want to be blamed for such a virus if one comes down the pike) can help you log onto a system and look for standard Rexx files found in certain college systems. It can then append some text to the Rexx program. I don't know how easy it would be to append to an executable file. I have not done any work with that as of yet, but inserting a line or 20 of code into a Rexx program isn't that difficult, particularly if the modem program is set up to help you with editing features and so on. We had a problem here with that particular program a short time ago, in that someone wrote a bogus version which would write passwords to the system out onto a file on the public disks. Any network is in danger, any mainframe is in danger at this time. The difference is how hard a system is to infiltrate, and that is what we have been studying the last several months. As we learn exactly how a system may be infiltrated, we're basically plugging up the holes. Most of our anti-viral programs for mainframes are simply plugging up any holes we can find, and running checks to watch for propogation that isn't warrented. This is difficult to do, but until someone can figure out a design that is very hard to break, we have to do something. Actually, I quite enjoy trying to find a new way of keeping computers clean. Its much like a puzzle, and we have to put the pieces together correctly. Only time will tell... (now where have I heard that before?) Loren ========================================================================= Date: Sun, 14 Aug 88 15:01:41 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: VM Mainframe Problems Hank, I think you missed the point. You are under the assumption that someone has to execute a bacterium for it to propogate. In VM systems, at least in Rexx programs, a virus can be hidden. This could be one of your own programs, and I've written several Rexx programs, with a hidden line somewhere, or even an appended line that when you run it, it will propogate. You ask how systems accounts can become infected. What I was implying by the modem senario (and the modem situation is by no means the only way to propogate a virus), the program copies itself from floppy disk to floppy disk, and in public sites with user consultants on hand who have system account privilages, its possible for one of their floppies to become infected. When this happens, unknown to them, a virus can be transferred into a system program which people run. Then we're in big trouble. Or perhaps a user has a program in Fortran he's compiled on the system. A system person runs the program (as some do) and infects his own files. As far as I've seen in my research so far, VM systems are somewhat harder to propogate viruses on FOR ME. I am not that experienced yet with a VM system. I prefer Unix and VMS. Comments? Loren ========================================================================= Date: Sun, 14 Aug 88 15:06:23 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Virus Writers One problem with specifically saying how viruses are designed for different systems: Several people have commented to me that those who are responsible for present and possibly future viruses are right here on this list. I don't like telling people how to hard my machines. I like the idea of having a virus conference because when I discuss things with people I have a much better idea of who I'm talking to. Loren ========================================================================= Date: Mon, 15 Aug 88 11:07:32 SST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> Comments: Date: 8-15-88 11:06am Comments: From: anyone:Staff:ISS Comments: To: {virus-l@lehiibm1}:bitnet, Comments: {LKK0@lehigh}:bitnet Comments: cc: Jim Comments: Subj: re: MAINFRAME WOE'S CONTINUES From: Jim Crooks <ANYONE@ISS.NUS.AC.SG> Subject: re: MAINFRAME WOE'S CONTINUES >It may be true that it is harder to write a mainframe anti >viral package than a micro av package, BUT its also generally >harder to write a virus for that system. don't agree see comments below >Our job isn't to create a virus-proof system, I don't believe >one exists... but what we can do is make the environment >harder and harder to attack, make the virus writer really >work to write a good virus, and make the number of people >who can write a virus to go oaround our systems so small >that no one does it. agree >Loren I think that one has to keep in mind the *KEY* difference between a micro environment (DOS, OS/2, etc.) and a mainframe (MVS, CMS, VMS, UNIX, etc.) is that the mainframe OS is immune to direct attack (OS kernel is protected, OS files are protected, user files are not). Viral attack requires modification of executables (per the definition of a virus). If *ONLY* authorized programs (linkers) running from protected (read-only) filespace can write or modify an executable, then the low-grade user vector for the virus is stopped cold. The only path to infection is a super-user running an infected program; an authorized virus can nullify protection of executable files... A much smaller and harder window for a virus to get through. The only other loop-holes to plug would be file rename (to executable name), file copy/restore - the same protection criteria could be applied to file system utilities as you require of Linkers (authorized, protected filespace). It would only take small mods to existing mainframe security systems implement the above protection systems. The same hooks and exits used by the security systems can be used by a anti- virus developer to protect just executables if a site doesn't want to pay for a complete security system (cost in $$$ and overheads). Since the mainframe OS is better protected, other loop-holes are harder to find for the virus-writer. And once protected, the mainframe will tend to stay safe. I *REALLY* think that mainframe protection development is trivial compared to trying to protect a micro; when you stopper up the many guage 0 holes, there are thousands of size 00, millions of 000... For the PC just a couple of non-trivial changes could make the environment much easier to protect: - external switch to protect boot partition on HD (IBM, clone-makers, disk sub-system people are you listening?) - all executable files encrypted on disk (with DES or even a simpler algorithm), file decrypted by loader, key specified by user at boot through keyboard or ???. Encrypt by linker or conversion utility (after power off restart!) James W. Crooks Member, Advanced Technology Application Staff Telephone: (65) 772-2009 FAX: (65) 778-2571 BITNET: JIM@ISS.NUS.AC.SG BIX: jw.crooks Envoy(Telemail): jw.crooks Institute of Systems Science, National University of Singapore Heng Mui Keng Terrace, Kent Ridge, Singapore 0511 ========================================================================= Date: Mon, 15 Aug 88 03:22:01 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Amanda B Rosen <abr1@CUNIXC.CC.COLUMBIA.EDU> Subject: Hiding large camouflaged viruses ========================================================================= Date: Mon, 15 Aug 88 08:03:33 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1> Subject: Re: VM Mainframe Infiltration In-Reply-To: Message of Sun, 14 Aug 88 14:51:21 EDT from <LKK0@LEHIGH> >It depends on the program. Clarkson University makes a program >which I'm using right now on a VM system to answer your >mail. It allows easy access to VM systems from microcomputer >networks. It redefines all sorts of key configurations and >allows some interaction with VM files and programs. Excuse me Loren, but you're on a MUSIC/SP system, not a VM system. MUSIC/SP runs as a disconnected virtual machine under VM/CMS, and its disk structure bears very little resemblence (sp?) to VM/CMS. Also, the terminal program, PCWS, was written by McGill University, not Clarkson. Ken Kenneth R. van Wyk User Services Senior Consultant Hobbes: What fun is being "cool" Lehigh University Computing Center if you can't wear a Internet: <luken@Spot.CC.Lehigh.EDU> sombrero?! BITNET: <LUKEN@LEHIIBM1> ========================================================================= Date: Mon, 15 Aug 88 10:09:05 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: VM Modem Protocal Ken, I really wish you wouldn't make statements like "You are not using this or that program" unless you really know what I'm using. I am not discussing PCWS from McGill. I was playing with another program to emulate 3270's terminals on another machine. Actually though, I do want to correct one thing. I don't believe the program I'm using is sanctioned by Clarkson, looking at it, it may just be written by someone there. Loren ========================================================================= Date: Mon, 15 Aug 88 12:11:37 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: The Conference... Okay, We're ready to tell you about the computer virus conference coming up! THE COMPUTER VIRUS AND SYSTEM SECURITY CONFERENCE We will be holding the first Computer Virus and System Security Conference at Lehigh University in the Lehigh Valley, Pa. (Bethlehem, Allentown area) on October 21, 22 and 23 (a Friday, Saturday, and Sunday). Because specific rooms are still under discussion, we cannot give you a precise schedule of events. The cost will be $50.00. This includes entrance to the conference and all discussions. Preliminary Schedule: -------------------- The following is a VERY tentative schedule. It will be altered as we get nearer to the conference date. We are juggling large rooms, including a very large hall for round table discussions and several large auditoriums. We'll have a better idea of exactly how the conference will be set up within two weeks. We'll need more information on exactly how many people will be attending the conferences and an exact list of speakers. We have several people who have tentatively said yes to speaking at the conference and we'll be contacting others over the next week. We expect additions to this schedule, and will post them as we get them. We already have a good group of people working on the conference, so it should go over quite well. I'd also like to thank Craig Pepmiller for his suggestions. Fri, Oct. 21: 1:00 PM - 2:30 PM What is a Virus? A seminar, including demos of several viruses on various systems. These will be WELL contained. 2:45 PM - 3:15 PM Introductions (Guests can introduce themselves to each other in a lounge area). Coffee, Donuts and Coke will be served. 3:30 PM - 4:45 PM Viral Detection Methods (Seminar) 5:30 PM - 6:30 PM Dinner (Restraunt locations will be provided and groups can break up to discuss topics). Sat, Oct. 22: 10:00 AM - 11:00 AM Computer Security Concerns I (We will go over protection schemes for schools and businesses and review simple, inexpensive ways of keeping your LAN's clean.) 11:00 AM - 12:00 PM Computer Security Concerns II System Integrity, Limited Transitivity will be main emphasis at this time. (Government security systems, banking systems, and early and future forms of virus stopping designs). 12:00 PM - 1:00 PM Lunch 1:15 PM - 1:45 PM Worm Demonstration 2:00 PM - 4:30 PM Discussions. We will hopefully be set up in a large area. We will have electricity to do demonstrations and people can show each other virus and anti- virus programs. Hands-On. 2:00 PM - 4:30 PM While the discussions are going on and people are trading software, we will have speakers discussing their own experiences with viruses. One seminar will teach the game, Corewars on the MacIntosh. 5:30 PM - 6:30 PM Dinner break 7:00 PM - 9:00 PM Another Seminar, we haven't decided on the topic. Sun, Oct. 23: 10:00 AM - 2:00 PM Round table discussions in a large hall. People can come and go as they like. Coffee, Cookies and Coke will be served. At several conferences and at the round table discussions, we will make various articles on viruses and security concerns available. We are expecting to add seminars. If you have any suggestions on exactly what you'd like to hear about, please let me know by writing to LKK0 at LEHIGH.Bitnet. Price Tag: --------- This is a non-profit conference. The $50.00 will be used to rent conference rooms, to print a magazine for the conference, for coffee, donuts and snacks at the conference, and to pay for speakers to fly in. I still feel we may come up short, so we are allowing on Saturday, vendors to set up their equipment or anti-viral packages. This is not a show to sell products, but vendors may demonstrate their products. For a table at the show, we are asking for $400.00 from each vendor. For a full page ad in the magazine we will be printing, we will be asking for $400.00. For a half page ad, $250.00, and for a quarter page ad, $145.00. Color ads will cost more, please call me at (215) 865-4253 for color ads. Please send a check for the conference to: Computer Virus Conference c/o Loren K Keim P.O. Box 2423 Lehigh Valley, Pa. 18001 I will send back to you brochures on some local hotels, including The Allentown Hilton, Hotel Bethlehem, the Sheridan Jetport, the Econo Lodge, the Holiday Inn's and the Red Roof Inn. We will also be sending more specific information about the conference and where rooms are closer to the conference date. How Do I Get There? ------------------ The Lehigh Valley (Allentown) is an hour from Philadelphia. We will be sending maps of the Lehigh Valley and of Pennsylvania to those who ask. From Philadelphia: The Pennsylvania Turnpike, Route 9 passes through West Allentown, take the 22/78 exit East to Bethlehem, Rt 378 South to South Bethlehem. Lehigh University owns the mountain. OR take Rt 309 North to Rt 378 North to Lehigh. From New York: Take I78 West to 22 West to Bethlehem. 378 South to Lehigh. Others traveling by plane: the ABE international airport (the largest of our airports) is serviced by several major airlines including United, Eastern, Continental, among others. Connections to ABE are made out of Chicago, Atlanta, and many others. WARNING: ------- IF WE FIND ANYONE WHO HAS PURPOSELY OR ACCIDENTLY RELEASED A VIRUS ON ANY OF OUR SYSTEMS, ACTION WILL BE TAKEN AGAINST THAT GROUP OR INDIVIDUAL. Any questions, please send them to LKK0@LEHIGH. ========================================================================= Date: Mon, 15 Aug 88 14:43:03 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "David A. Bader" <DAB3@LEHIGH> Subject: conference One question, Loren, about the conference: Is the $50 going to be worth the price for the people who get the Virus List (and don't want to hear a re-hash of everything said here a thousand times over) or is it going to have fresh, new input and ideas? Also, Who are the speakers going to be??? It seems that reading through old virus lists might contain more information than having ANYONE talk about the subjects... Here's an idea: Have bound copies of the old virus list logs available (to buy?!?) so that people can gain some more knowledge through them.. Once again, these are my ideas and are not usually accepted by others.. If you wish to complain, fine; everyone else does. -David DAB3@LEHIGH ========================================================================= Date: Mon, 15 Aug 88 14:49:45 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Steve <XRAYSROK@SBCCVM> Subject: Encryption I think J. W. Crooks idea of executable file encryption is a nice idea if the encryption/de-encryption process could be protected. I was thinking along the same lines myself but I didn't bring it up (and I may be wrong!) because I didn't think it was a practical or defensible scheme. If you use the same encryption algorithm with a built-in key for every encryption/de-encryption, then a virus has only to locate that segment of the program which does that and use it. If you use the same algorithm everytime, but always query the user for the key, then even if the virus knows the algorithm, it can't make use of it because it lacks the key. However, just because you don't store the key on disk somewhere doesn't make it safe, even if the algorithm is a good one. The de-encryption program file must be vulnerable because it must be available at startup (or you can't run any programs at all!) and therefore must be sitting there unencrypted on your disk. A virus could infect the de-encryption program (e.g. the loader program) (say when you run some trojan horse program) and then just wait until you run your next program which will require the loader to query for the key (unless the loader only queries for the key once (at boot), and then the key is just sitting there in memory, waiting to be snatched). Whatever the senario, whether the virus steals the key from the deencryption program as it runs or directly from the user or from memory or whatever, the key clearly has to be around to be stolen whenever you run a program. With the key in its possession, the virus knows how to read any of your other programs, including the encryption program (if it isn't already sitting there unencrypted on your disk). Now all it has to do to infect your programs is to de-encrypt them, alter their code and then re-encrypt. It certainly makes life harder for the virus, but I'm not sure if it offers a significantly increased level of security compared to the price you have to pay (the complication of encryption, and then there's the added hazard of what to do if you forget the key...), unless you can make it harder for the virus to get at the encryption/de-encryption process. On the other hand, just because a scheme can be foiled doesn't mean that it is of no value. I think an invincible protection scheme will never exist, but we may find a scheme which will never let any viruses through. Steven C. Woronick ========================================================================= Date: Mon, 15 Aug 88 15:24:34 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1> Subject: Re: Encryption In-Reply-To: Message of Mon, 15 Aug 88 14:49:45 EDT from <XRAYSROK@SBCCVM> > I think J. W. Crooks idea of executable file encryption is a nice >idea if the encryption/de-encryption process could be protected. >Steven C. Woronick In Fred Cohen's dissertation, he talks about using RSA public key encryption combined with checksum (or CRC) signatures to protect files from alteration. Specifically, use the RSA encryption to encrypt a file, then discard the private key thereby making the encryption process one way, perform a checksum of the resulting encrypted file, and store that checksum on disk. It is then easy to validate the signature, but next to impossible to reverse engineer the checksum, particularly if you use long encryption keys. The problem with this method is that there is relatively considerable overhead involved in the authentication process. If, however, you only perform the authentication process periodically, it could be a viable file protection scheme; at least it should be able to detect unauthorized file modifications with a high degree of certainty. The RSA public key encryption, by the way, uses two encryption keys - one for encryption and one for decryption. Figuring out one from the other would be extremely difficult. Regards, Ken Kenneth R. van Wyk Today - 19th anniversary of Woodstock. User Services Senior Consultant By the time we got to Woodstock, Lehigh University Computing Center We were half a million strong, Internet: <luken@Spot.CC.Lehigh.EDU> And everywhere was a song, BITNET: <LUKEN@LEHIIBM1> And a celebration. - Joni M. ========================================================================= Date: Mon, 15 Aug 88 12:42:00 CDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Gerald L. Schmalzried" <GERALD@KSUVM> Subject: Re: VM Mainframe Problems Loren K Keim states: > I think you missed the point. You are under the assumption > that someone has to execute a bacterium for it to propogate. > In VM systems, at least in Rexx programs, a virus can be > hidden. This could be one of your own programs, and I've > written several Rexx programs, with a hidden line somewhere, > or even an appended line that when you run it, it will > propogate. Right. Which means that someone has to execute the bacterium for it to propogate. Even REXX programs don't jump up and start executing all by themselves. PROFILEs (similar to PCs' AUTOEXEC.BATs) could be thought of that way, but those are actually called by someone (CMS or XEDIT) and can be overridden. The CHRISTMA EXEC would never have gotten out of node 1 without someone executing it. Just having it won't spread it. Perhaps you could restate your point in case I missed it... --Gerald ========================================================================= Date: Mon, 15 Aug 88 13:37:42 CDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Len Levine <len@EVAX.MILW.WISC.EDU> Subject: AT configuration I wonder what would be the effect of telling my AT, through some configuration changes that I have no hard disk. I can run a program that permits me to tell the battery operated RAM package that I have one of 45 or so different hard disks, or by putting a zero in some location tell it that I have no hard disk. Can a virus guess what sort of disk I have? What would happen if the virus guesses wrong? Interested in some feedback here. + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + | Leonard P. Levine e-mail len@evax.milw.wisc.edu | | Professor, Computer Science Office (414) 229-5170 | | University of Wisconsin-Milwaukee Home (414) 962-4719 | | Milwaukee, WI 53201 U. S. A. Modem (414) 962-6228 | + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ========================================================================= Date: Mon, 15 Aug 88 16:03:06 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1> Subject: Re: AT configuration In-Reply-To: Message of Mon, 15 Aug 88 13:37:42 CDT from <len@EVAX.MILW.WISC.EDU> >I can run a program that permits me to tell the battery operated RAM >package that I have one of 45 or so different hard disks, or by >putting a zero in some location tell it that I have no hard disk. Can >a virus guess what sort of disk I have? Certainly within one of 45 or so tries... :-) >What would happen if the >virus guesses wrong? If the virus (or any program) only tries to read the disk while it's set to be the wrong type, no harm should happen (well, the seek motor might not like life too much if you try to go to, for example, cylinder 800 when you only have 619). If the virus writes while set up wrong, it's highly likely that you'd be spending some time in the not too distant future reloading your hard drive. What would be the advantage(s) of doing that, though? To test to see if a program contains a virus before trusting it on your hard drive? Ok, that could be of limited utility. Bear in mind, however, that it would be painless for a virus to (purposely) not do any damage, or even try to propogate, if there is no hard drive present. Also, chances are pretty good that a virus wouldn't try to assume that you have a hard disk if DOS says that there is none present - it would be shooting into the dark so to speak. Ken Kenneth R. van Wyk Today - 19th anniversary of Woodstock. User Services Senior Consultant By the time we got to Woodstock, Lehigh University Computing Center We were half a million strong, Internet: <luken@Spot.CC.Lehigh.EDU> And everywhere was a song, BITNET: <LUKEN@LEHIIBM1> And a celebration. - Joni M. ========================================================================= Date: Mon, 15 Aug 88 18:45:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: ZDABADE@VAX1.CC.LEHIGH.EDU Subject: RE: AT CONFIGURATION Try running FluShot+ 1.2 on your AT computer and then you will know what it is like to have your CMOS setup corrupted so that DOS (or a virus) can't find any fixed drive! I think it would be difficult for a virus writer to experiment setting different fixed drive types in your CMOS hoping to get some fixed drive available. Would the virus writer not be safer by checking for the fixed drive first? (on an AT: in the CMOS); then if one exists, attack it. Otherwise, his/her virus might end of with "drive not found" type errors. /-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\ | From: David A. Bader, Studentis Maximus | | | | DAB3@LEHIGH SloNet: 1402 Lorain Avenue | | ZDABADE@VAX1.CC.LEHIGH.EDU Bethlehem, Pa. 18018 | | | | SchoolNet: Box 914, -On a mostly harmless | | Lehigh University, blue green planet... | | Bethlehem, Pa. 18015 -And loving it! | \________________________________________________________________________/ ========================================================================= Date: Mon, 15 Aug 88 22:04:07 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Conference Amanda, the letter you sent to Virus-L did not get to me, I just got the header. If it was important, could you resend it? David Bader: We have discussed (dare I say it?) very little on this list. The basic purpose of the conference is for people to get together and discuss viruses among themselves, show each other what they've come up with in terms of viral protection and what problems they've had. These sorts of conferences are generally very successful in that they produce some very useful ideas. David, we have touched very little on Worm Process propogation, or limited functionality (Fred Cohen's idea), limited transitivity (which has been around for a while), bottom-up system usage, and various theories of security or anti-viral protection. We have simply discussed CRC systems, DER encryption schemes, and various viruses. I believe a conference can produce a lot more than short letters back and forth. I got quite a few replies to my VM system comments. Again, I am sorry, but I am not quite used to VM yet and am not that good with it. I also do not have a system account and have very limited access, so its hard for me to proceed, unlike other machines I've worked on. Over the next few weeks, hopefully, I will have something more substantial worked out and will describe possible infiltration methods. One of the comments I received was something like: "If you have to execute the Rexx program to propogate the virus, it is a bacterium." No, I was not talking about a program which is a virus, I am talking about inserting a few lines of viral code into someone else's Rexx program. Sure ALL viruses have to be run to propogate, the difference between a bacterium and a virus (as it was explained to me recently) is that a bacterium IS a program and a virus places itself into a REAL program of the users. Thank you for all your VM suggestions by the way, and incidently, if, for some reason, I sounded like I disliked DER encryption, that is certainly not true, it is very good. I also am a big fan of forcing the user to put in a key. Loren Keim ========================================================================= Date: Mon, 15 Aug 88 22:08:39 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Conference AGAIN Alright David, Since you have asked, I may as well reply here. He wanted to know what the 50 bucks was for. Because we will (as it looks now) have a large group of experts and amateurs showing up, we will need to rent room space. This costs money. Several people have also suggested coffee and donuts or cookies at the conference and its a good idea. About half the people who wrote in wanted some sort of magazine/book written for the occation to include some speaches and some papers. We'd also like to make certain papers available to the people. One of the bigger expenses is flying in good speakers, people who have dealt with viruses and security problems for some time. Rather than have just anyone talk about subjects (which I'm sure everyone can read books and tell us what they read), we'd really like to have the people who've worked on viruses and propogation theories. However, I am still in the process of trying to contact people from "Computers and Security" magazine and others. I hope people are interested in this conference, we've gotten a ton of mail on it. I believe it will be fun, educational, and hopefully will bring something out of it. Thank you, Loren Keim ========================================================================= Date: Mon, 15 Aug 88 21:52:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: KAPLANB@IUBACS Subject: virus conference - air Conference Attendees - I've gotten airline fares for major cities to Allentown, PA. Cities: Chicago (O'Hare), San Francisco, Los Angles (LAX), New York City (JFK), Miami, Minneapolis. Please send me a e-mail note if you would like a copy. I will not put it on the Virus-List - waste of space/time for those who have no intention of going to the conference. I made the departure date Friday, October 21 and return date Sunday, October 23. If you are not on Bitnet - please! make the return address easy for me to answer you back! ========================================================================= Date: Mon, 15 Aug 88 23:38:40 PDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: NEWMAN@CITHEX Subject: RE: Hiding large camouflaged viruses SIGNOFF VIRUS-L ========================================================================= Date: Tue, 16 Aug 88 09:27:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: WHMurray@DOCKMASTER.ARPA Subject: Re: VM Mainframe Problems In-Reply-To: Message of 14 Aug 88 15:01 EDT from "Loren K Keim -- Lehigh University" >I think you missed the point. You are under the assumption >that someone has to execute a bacterium for it to propogate. One of the problems that a designer of a virus must solve is how to get his program executed. One of the easiest solutions to this problem is to get the the victim to invoke it. There are a number of ways to do that. One of them is to simply invite him to do so. Another is to give the program an attractive name. This is called "bait." A second problem is to get the copy propagated to a new execution environment. This is trivial in VM since, by default, all virtual machines are connected in a virtual network. Note that if I can dupe "A" into executing the virus, and if that causes a copy of the virus to be sent to "B," the virus will appear to "B" to have originated with "A." If, as is likely, "B" knows and trusts "A," then that trust will be conferred on the virus. This makes it easier to dupe "B" into executing it. The defenses suggested by Hank are useful. However, in order to be completely effective, they must be observed by most of the users within the community. The virus only has to dupe some of the users in order to prosper; it need not dupe all. Note that the virus usually appears to have come from a known and trusted source. Fred Cohen has demonstrated that in a population of hundreds of users, the virus can propagate to every user within a matter of hours. Incidentally, you should read his papers. It would save a lot of needless speculation about things that he has already demonstrated. William Hugh Murray, Fellow, Information System Security, Ernst & Whinney 2000 National City Center Cleveland, Ohio 44114 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 ========================================================================= Date: Tue, 16 Aug 88 10:02:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: WHMurray@DOCKMASTER.ARPA Subject: Re: VM Mainframe Problems In-Reply-To: Message of 14 Aug 88 15:01 EDT from "Loren K Keim -- Lehigh University" One other point that should be made in the context of network viruses, is that the perpetrator can potentially benefit himself. Viruses in the PC world are merely destructive. They can be employed in the furtherance of vengeance, but they are less useful in satisfying greed. Not so in the network; in addition to replicating itself, the virus can send information back to its originator. (Of course this requires that it contain information about its origins; this increases risk for its perpetrator.) William Hugh Murray, Fellow, Information System Security, Ernst & Whinney 2000 National City Center Cleveland, Ohio 44114 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 ========================================================================= Date: Tue, 16 Aug 88 09:54:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: WHMurray@DOCKMASTER.ARPA Subject: REXX Those of you who are on BITNET probably use REXX even if you are not aware of it. Some of the rest of you may not know what it is. REXX is a command language and interpreter. It is sufficiently rich that almost any thing can be written in it. Its power is extended by its ability to invoke and use commands, other REXX procedures, pipes, filters, programmable editors and formatters, and even other application programs. REXX language interpreters exist for CMS, TSO, and PC DOS . IBM has committed to produce such interpreters for most of their operating systems. Thus, we have the potential for a virus with a wide range of potential targets. In this context, it should be noted that REXX scripts are interpreted rather than executed. However, it can invoke things which are executed. It can, for example, invoke "copy." It can name parts of itself, and thus address them. If it knows its own name, a condition easily met, then it can address itself. On the other hand, if it does not know its own name, a condition equally easily met, then it will have difficulty addressing itself. It should also be noted that, since much of the power comes from the ability to employ things in its environment, it is not totally environment independent. Since commands and naming conventions vary from environment to environment, it is difficult to write a REXX script that will run across environments. Nonetheless, the power of REXX greatly reduces the work factor that a virus designer confronts. (I once wrote a very powerful Trojan Horse that required only two lines of REXX. I wrote it in one half hour even though it was the first REXX procedure that I had ever written. All the knowledge and information that I needed was available on line in the form of HELP and models.) William Hugh Murray, Fellow, Information System Security, Ernst & Whinney 2000 National City Center Cleveland, Ohio 44114 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 ========================================================================= Date: Tue, 16 Aug 88 09:11:54 CST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Claudia Lynch <AS04@UNTVM1> Subject: Re: VM Mainframe Infiltration In-Reply-To: Message of Sun, 14 Aug 88 14:51:21 EDT from <LKK0@LEHIGH> What is the name of the program on VM to answer mail? We might be interested in it here at the University of North Texas. Claudia Lynch ========================================================================= Date: Tue, 16 Aug 88 10:45:02 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Kenneth R. van Wyk" <LUKEN@LEHIIBM1> Subject: Re: VM Mainframe Infiltration In-Reply-To: Message of Tue, 16 Aug 88 09:11:54 CST from <AS04@UNTVM1> >What is the name of the program on VM to answer mail? We might >be interested in it here at the University of North Texas. >Claudia Lynch I use MAIL and MAILBOOK, but that really isn't in the context of this discussion group. Ken P.S. Anybody responding to this, please do so directly to the sender, not to this list. Thank you. Kenneth R. van Wyk Today - 19th anniversary of Woodstock. User Services Senior Consultant There's supposed to be a million and Lehigh University Computing Center a half people here by tonight! Internet: <luken@Spot.CC.Lehigh.EDU> The New York State Throughway is BITNET: <LUKEN@LEHIIBM1> closed man! - Arlo Guthrie ========================================================================= Date: Tue, 16 Aug 88 11:07:31 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "David A. Bader" <DAB3@LEHIGH> Subject: Virus Talks Loren Keim states: > We have discussed (dare I say it?) very little >on this list. The basic purpose of the conference is for >people to get together and discuss viruses among themselves, >show each other what they've come up with in terms of >viral protection and what problems they've had. These sorts >of conferences are generally very successful in that they >produce some very useful ideas. >David, we have touched very little on Worm Process propogation, >or limited functionality (Fred Cohen's idea), limited transitivity >(which has been around for a while), bottom-up system usage, >and various theories of security or anti-viral protection. >We have simply discussed CRC systems, DER encryption schemes, >and various viruses. I believe a conference can produce a lot >more than short letters back and forth. Loren, Then why don't we discuss these topics on the list, instead of re-hashing all these "trivial" problems. Why do some people need to travel hundreds of miles to discuss the problems that this list can solve? David Bader DAB3@LEHIGH ========================================================================= Date: Tue, 16 Aug 88 11:19:24 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Virus-L Topics If anyone really wants to hear about limited transitivity theory, I will put some up, but the problem is that this list (correct me if I'm wrong Ken) is for discussion, not for me to lecture to people or anyone else to. Generally, if you want to learn about various subjects, get articles on them, there are many published. Problems sometimes result from the fact that their are some people on this list (William Murray, Joseph Beckman and others) who truely do know something about viruses and security problems, and there are others who really don't. I think its often hard to discuss things. One of the things I like the most about having a virus conference is that we will be given the chance to exchange ideas and if anyone wants to learn something, its much easier to discuss ideas and theories isn person rather than over a list. If anyone feels that I am totally incorrect in that feeling, feel free to tell me. Loren ========================================================================= Date: Tue, 16 Aug 88 11:29:21 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Ken van Wyk <luken@SPOT.CC.LEHIGH.EDU> Subject: Re: Virus-L Topics In-Reply-To: Your message of Tue, 16 Aug 88 11:19:24 EDT > If anyone really wants to hear about limited transitivity > theory, I will put some up, but the problem is that this > list (correct me if I'm wrong Ken) is for discussion, not > for me to lecture to people or anyone else to. There's nothing wrong with presenting an overview of such topics, and of course, subsequently leaving them open for other discussions. Also, it's quite acceptable to give an overview and refer the readers to specific books/articles, etc. > Generally, > if you want to learn about various subjects, get articles > on them, there are many published. I agree; I think that everyone who is truly interested in the subject should at least read Dr. Cohen's dissertation. Ken Kenneth R. van Wyk Today - 19th anniversary of Woodstock. User Services Senior Consultant There's supposed to be a million and Lehigh University Computing Center a half people here by tonight! Internet: <luken@Spot.CC.Lehigh.EDU> The New York State Throughway is BITNET: <LUKEN@LEHIIBM1> closed man! - Arlo Guthrie ========================================================================= Date: Tue, 16 Aug 88 10:39:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: WHMurray@DOCKMASTER.ARPA Subject: Re: VM mainframe viruses In-Reply-To: Message of 14 Aug 88 04:42 EDT from "Hank Nussbacher" >I think you should be more selective about your use of the word >mainframe. Each operating system has its own "way" of working and >one method of introducing a virus into a "mainframe" environment - >will not be successful in another opertaing system. The issues here are generality and transitivity. Systems in which a user can both write and execute an arbitrary program, are more vulneralble than those in which the user is limited to the use of programs of managements choice. (Almost all readers of this forum will recognize the former; they may not recognize the latter, but this class includes application machines, servers, ATMs and arcade games.) Transitivity can be defined as the potential for data to become procedure (or, if you like, program.) One man's data is another man's program. However, almost all systems today support the ability to interpret command language scripts (e.g., CMS EXECs, TSO CLists, Unix shell files, PC DOS batch files, etc.) Thus, we go back to generality, i.e., is the capability made available. In the current issue of "Computers and Security," Fred Cohen argues that, in the face of viruses, we must be prepared to restrict sharing, transitivity and generality. I concur. William Hugh Murray, Fellow, Information System Security, Ernst & Whinney 2000 National City Center Cleveland, Ohio 44114 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 ========================================================================= Date: Tue, 16 Aug 88 15:18:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Tomcats on Deck <ACCDJS@HOFSTRA> I recently signed onto this list and have been perusing some of the archived files only to discover that little of it deals with mainframes. Although I find much of the material interesting, it's not very helpful to me in pursuing my current project: detecting viruses that might be coming into our VAX/VMS system over BITNET. If anyone has any ideas on how I might better secure our facility here. -------------------------------------------------------------------------------- Don Sottile Hofstra University Technical Services Hempstead, NY, USA <ACCBIT@HOFSTRA> aka <ACCDJS@HOFSTRA> -------------------------------------------------------------------------------- ========================================================================= Date: Tue, 16 Aug 88 16:09:17 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "David M. Chess" <CHESS@YKTVMV> Subject: Virus-L Topics Surely one of the nicest things about a list like this is precisely that there *are* both knowledgeable people and not-yet-knowledgeable people, and the former can give information and advice to the latter? If you know things about (for instance) the limiting of transitivity that you think many of the rest of us don't know, you shouldn't hesitate to tell us. Doesn't need to be a lecture, of course. Could just be "Here's a two-paragraph summary, a practical example, and an article to read for more detail". I think that'd benefit many/all of us... DC ========================================================================= Date: Tue, 16 Aug 88 18:04:25 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Art Larky <AIL0@LEHIGH>" <AIL0@LEHIGH> Subject: RE: re:Trapping Disk calls I stand corrected on Autoexec - Command.com does get executed first; however, see my next memo on protecting command.com. > Can you not adjust your CONFIG.SYS to hide almost anything within r RAM? >your ram? >Stevo Well, yes. You can install drivers via config.sys. Usually they are RAM drives, etc. They can be anything if you want to take advantage of thee fact that they get called during the initialization process. I don't see have much expectation of a virus being able to modify config.sys and give you a plague-ridden ake fake driver, but its possible. I would expect to notice such a radicalical thing myself. Art Larky - CSEE - Lehigh ========================================================================= Date: Tue, 16 Aug 88 21:20:31 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Art Larky <AIL0@LEHIGH>" <AIL0@LEHIGH> Subject: Protecting Command.com Here are some suggestions for protecting yourself from a command.com virus: Floppy disk based systems: (1) Make a copy of your original system disk and put a write protect tab on it. Boot from that disk only and don't have a system on any other disk that you use in your system. (Make several copies of this disk, of course.) Hard disk systems: These are more vulnerable because you have to have command.com le available on the disk and the disk cannot be write protected because its the one you are using actively, so: (1) Rename command.com to some other name which is meaningful only to you. Don't tell anyone else what that name is. (Keep the .com extension.) (2) Modify IO.SYS (or IBMIO.SYS) by replacing the string COMMAND.COM with the new name which you have chosen. Use a seven character name because I'm not sure what would happen if you tried to shorten the length of the string. (3) Add to CONFIG.SYS the line shell=d:\command.com (4) Add to CONFIG.SYS the 'device=' line to create a ram disk large enough to hold command.com. (3) above assumes that that will ome become drive D. (5) Add to your autoexec.bat the line copy ugh.com d:command.com (replace ugh.com by the name you have chosen for your secret copy of command.com.) Now, if someone infects command.com, it will be the copy in ram disk nd and not your permanent copy and the infected copy will go away when you oot re-boot the system, even if you just do a warm boot. Of course, a clever virus could read your config.sys and your autoexec.bat and . . . . . ; BUT, you have the upper hand (I hope) because you have been able to boot with a clean copy of command.com and a clean (I hope) copy of autoexec. Your autoexec can do CRC's and such to protect itself and your your hidden copy of command.com. For those who doubt that this will work: I have tried it and, if YS the file name in IO.SYS is changed (with Norton Utilities or Debug), it will use the re-named copy of command.com with no complaints. ts. I would welcome any comments about hidden pitfalls in this approach. By the way, one benefit is that, with command.com in ram, you will oke invoke it faster at job end and when your program does a push to DOS. Art Larky, CSEE Dept, Lehigh University ========================================================================= Date: Tue, 16 Aug 88 21:14:07 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Robert Newberry <RNEWBER@AKRONVM> Subject: Definitions Hello all I was wondering if someone could send me a list of all the known computer diseases and define some of the terminology used when describing the diseases. I am writing a paper on computer viruses and I would like to include a definitions section. Due to the fact I am Kind of a beginner at using computers, I don't know some of the terms used. Thanks in advance. Robert Newberry <RNEWBER@AKRONVM> University of Akron Akron, Ohio 44304 USA P.S. Thanks for the information on computer virus legislation! :-) ========================================================================= Date: Tue, 16 Aug 88 21:57:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: ZDABADE@VAX1.CC.LEHIGH.EDU Subject: Re: command.com After reading Art Larky's message on command.com, I felt that I must also share how I have been protecting my computer against the dreaded Command.com strain of viruses. Like A.L.'s protection scheme, my method does almost the same effect by renaming and copying files. Here is what happens each time my computer boots: (the autoexec dealing with virus protection ) 1) Config.sys creates a 384K Ram disk 2) CHECKUP 1.4 is used to monitor the fingerprint of Command.com by copying its image from a subdirectory into the root and comparing Command.com with the image. 3) Copy Command.com to the RAM disk and set it write protected on both the Hard drive and the ram disk 4) Set COMSPEC = E:(ramdisk)\COMMAND.COM 5) And finally, I have Flushot plus 1.4 (kind of) working to consistently check my CRCs of important files (Command.com, io.sys, msdos.sys,etc.) I figure that if I am infected by a virus, my hard disk's Command.com will be infected, and on my next bootup, I will know about it and automatically replace the corrupted file. Since my COMSPEC is pointing to my RAM disk's Command.com, I will have no problems in that "infection" session of spreading the virus. If my Command.com that is on my RAM disk is infected, SO WHAT??? It will be replaced on my next bootup and won't be able to spread. I guess anyone writing a virus has it one step easier now knowing various user's configurations and trying to find the holes in our thinking. But I feel that the more protection schemes used and spread across the world- wide computing systems, the less the chance of any virus propagating. David /-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\ | From: David A. Bader, Studentis Maximus | | | | DAB3@LEHIGH SloNet: 1402 Lorain Avenue | | ZDABADE@VAX1.CC.LEHIGH.EDU Bethlehem, Pa. 18018 | | | | SchoolNet: Box 914, -On a mostly harmless | | Lehigh University, blue green planet... | | Bethlehem, Pa. 18015 -And loving it! | \________________________________________________________________________/ ========================================================================= Date: Wed, 17 Aug 88 12:19:32 SST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> Comments: Date: 8-17-88 12:16pm Comments: From: anyone:Staff:ISS Comments: To: {virus-l@lehiibm1}:bitnet Comments: cc: Jim Comments: Subj: Dr. Cohen's Dissertation From: Jim Crooks <ANYONE@ISS.NUS.AC.SG> Subject: Dr. Cohen's Dissertation Is Dr. Cohen's Dissertation available anywhere (for $$$)? Anyone know how to go about getting a copy? Thanks, James W. Crooks Member, Advanced Technology Application Staff Telebox(DIALCOM): 12:GVT331 ATTN:((JIM)) BITNET: JIM@ISS.NUS.AC.SG BIX: jw.crooks Institute of Systems Science, National University of Singapore Heng Mui Keng Terrace, Kent Ridge, Singapore 0511 ========================================================================= Date: Wed, 17 Aug 88 12:19:23 SST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> Comments: Date: 8-17-88 12:15pm Comments: From: anyone:Staff:ISS Comments: To: {virus-l@lehiibm1}:bitnet Comments: cc: Jim Comments: Subj: re: VIRUS-L TOPICS From: Jim Crooks <ANYONE@ISS.NUS.AC.SG> Subject: re: VIRUS-L TOPICS In Reply To: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Tue 16 Aug 88 > Generally, > if you want to learn about various subjects, get articles > on them, there are many published. Agreed - I think that we could further the aims of this list if there was a compiled bibliography of "Computer Virology". In fact I'd be willing to compile one for submission to Ken van Wyk to be put up as a listserv file, if all you VIRUS-L'ers will send references to me... please to my personal id: jim@iss.nus.ac.sg the id on the envelope is a distribution system| > Problems sometimes result from the fact that their are some > people on this list (William Murray, Joseph Beckman and others) > who truely do know something about viruses and security > problems, and there are others who really don't. I > think its often hard to discuss things. Discuss already - the novices will just have to read the message logs and literature references to get up to speed. Discuss the *REAL* issues and problems at hand on the list. That is one of the known problems of discussion lists; some noise in the signal. > One of the things I like the most about having a virus conference > is that we will be given the chance to exchange ideas and if anyone > wants to learn something, its much easier to discuss ideas and > theories in person rather than over a list. I agree that face-to-face discussion is "easier" than phone or message, but some of us who won't be able to get to the conference have to make do with what is available. James W. Crooks Member, Advanced Technology Application Staff Telebox(DIALCOM): 12:GVT331 ATTN:((JIM)) BITNET: JIM@ISS.NUS.AC.SG BIX: jw.crooks Institute of Systems Science, National University of Singapore Heng Mui Keng Terrace, Kent Ridge, Singapore 0511 ========================================================================= Date: Tue, 16 Aug 88 23:19:05 PDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: NEWMAN@CITHEX Subject: Signoff SIGNOFF VIRUS-L ========================================================================= Date: Wed, 17 Aug 88 03:29:44 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Amanda B Rosen <abr1@CUNIXC.CC.COLUMBIA.EDU> Subject: COMMAND.COM and viruses Two people have recently mentioned how they protect COMMAND.COM from infection by virus. While their system may (and may not) protect them against today's viruses, they are not a significant barrier to even fairly "stupid" viruses. First of all, running your CLI out of a ramdisk is not going to fool most viruses. Unfortunately, MS-DOS makes it easy for viruses to spot what is most likely to be your real CLI- C:\COMMAND.COM It would probably protect you much more to partition your disk so that you have a 1 MB C: partition and the rest of your disk in D:. Boot up with the COMSPEC set to D:COMMAND.COM. This will give better results. Of course, while experts can get their disk to have any name they like, most users will always be running out of the C: device. Too bad. File systems with named devices would eliminate this problem. (Mac HFS, for example) Secondly, this again brings up the topic of disguised viruses. Someone (Art Lakey?) said that a virus would not be likely to use device drivers as a vector since he would notice the difference. In fact, this is one of the more trivial types of disguise a virus might use- just make sure that any references to the CONFIG.SYS file don't show the line, make sure updates don't clobber the line, and hide the driver in the way discussed in my previous article on camouflaged viruses. Actually, that's not so trivial... but compared to some of the horror-story viruses being discussed recently, it's pretty tame. /a ========================================================================= Date: Wed, 17 Aug 88 11:40:37 IST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Yosi <CCAYOSI@TECHNION> Subject: Re: Virus-L Topics In-Reply-To: Message of Tue, 16 Aug 88 11:29:21 EDT from <luken@SPOT.CC.LEHIGH.EDU> Hello there, Reading the mail in the list teaches me a lot. I live far away so no chance that I come to the conference. Starting to keep subjects out of range for this list - save them for the conference - will harm these that will not go there. It will be nice to know that subjects raised in the conference - will be summerized here. To the discussion started by Loren K Keim - It is important to read summerized 'lectures' as well as techniques to prevent viruses : mixing theory with practice. Yosi ||||||||||||||||||||| ------------------------------ | YOSI ALMOG PHONE: WORK - 972-(0)4-292173 | USER SERVICES CONSULTANT * TECHNION - ISRAEL INSTITUTE OF TECHNOLOGY * TAUB COMPUTER CENTER * ARPANET : CCAYOSI@TECHNION.BITNET@CUNYVM.CUNY.EDU * DOMAIN : CCAYOSI@TECHNION.TECHNION.AC.IL * BITNET: CCAYOSI@TECHNION ========================================================================= Date: Wed, 17 Aug 88 07:18:36 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> Comments: In-Reply-To: Poster of 16 Aug 88 09:54:00 EDT from WHMurray at DOCKMASTER.ARPA From: Otto Stolz +49 7531 88 2645 <RZOTTO@DKNKURZ1> Subject: Amendmend from a REXXpert (or a would-rather-be-REXXpert :-) > If it does not know its own name, a condition equally easily met, ... No, because every REXX program knows its own name by means of the PARSE SOURCE statement. Btw, every REXX program knows its own source code by means of the sourceline function, which makes virus-writing easier. > ... it is not totally environment independent. > ... it is difficult to write a REXX script that will run across > environments. Yes, and to the extend that the very statements a bacterium or virus would use to propagate (e.g. COPYFILE) are *not* part of the REXX language (at least not of every implementation) but rather of the environment. Regrettably, this constraint is relaxed by two mechanisms: 1. every REXX program knows the environment it's running in (PARSE SOURCE and PARSE VERSION); 2. REXX can be used to program the XEDIT editor (available on CMS and PC -- I don't know about TSO/E) which constitutes a much more versatile and compatible environment. Best wishes Otto ========================================================================= Date: Wed, 17 Aug 88 07:54:20 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Ken van Wyk <luken@SPOT.CC.LEHIGH.EDU> Subject: re: VIRUS-L TOPICS In-Reply-To: Your message of Wed, 17 Aug 88 12:19:23 SST > Agreed - I think that we could further the aims of this list if > there was a compiled bibliography of "Computer Virology". In fact > I'd be willing to compile one for submission to Ken van Wyk to be > put up as a listserv file, if all you VIRUS-L'ers will send > references to me... please to my personal id: jim@iss.nus.ac.sg > the id on the envelope is a distribution system| Great idea! I've had a number of requests for good references and where to get them. It would be very worthwhile having a bibliography (of sorts) here on the LISTSERV. Jim, send me what you have, and I'll put it up. Thanks! Ken Kenneth R. van Wyk Today - 19th anniversary of Woodstock. User Services Senior Consultant Lehigh University Computing Center You kids are great! Internet: <luken@Spot.CC.Lehigh.EDU> - Max Yasger, the man who owned the BITNET: <LUKEN@LEHIIBM1> farm on which Woodstock was held. ========================================================================= Date: Wed, 17 Aug 88 09:25:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: the Preserver <VISHNU@UFPINE> Subject: Where in the heck are those Papers? Recently on this list, some people have advocated that in general the members of this list should go out and read some references. Agreed, but where are they? I believe someone came up with the idea of making a VIRUS-L bibliography, an idea I laud, however, I have noticed that certain people even when they do give references (which is almost never) do not give complete or correct references. As to Mr. Cohen's dissertation, I recently called USC and tried to get a copy of it, and I was told that the author had pulled it from circulation, apparently so he could publish a book. I would like to borrow someones copy to read, since I am sure the book will be out RSN. A final request, could someone send me information on how to subscribe to Computers and Security. Thanks Les vishnu@pine.circa.ufl.edu vishnu@ufpine ========================================================================= Date: Wed, 17 Aug 88 09:59:55 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Art Larky <AIL0@LEHIGH>" <AIL0@LEHIGH> Subject: Cohen thesis This may or not be the case with Fred's thesis, but most universities require that theses be published by having them filed on microfilm by University Microfilms in Ann Arbor, Michegan. Some helpful soul might want to contact them to see if it is available there. Art Larky ========================================================================= Date: Wed, 17 Aug 88 09:03:40 CDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Len Levine <len@EVAX.MILW.WISC.EDU> Subject: Re: AT configuration In-Reply-To: Message from "Kenneth R. van Wyk" of Aug 15, 88 at 4:03 pm >>I can run a program that permits me to tell the battery operated RAM >>package that I have one of 45 or so different hard disks, or by >>putting a zero in some location tell it that I have no hard disk. Can >>a virus guess what sort of disk I have? [..] > Also, chances are >pretty good that a virus wouldn't try to assume that you have a hard disk >if DOS says that there is none present - it would be shooting into the >dark so to speak. > >Ken > That was just my point. At least for the next little while, we can expect that virus codes will not look for hard disks on systems that show none. + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + | Leonard P. Levine e-mail len@evax.milw.wisc.edu | | Professor, Computer Science Office (414) 229-5170 | | University of Wisconsin-Milwaukee Home (414) 962-4719 | | Milwaukee, WI 53201 U. S. A. Modem (414) 962-6228 | + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ========================================================================= Date: Wed, 17 Aug 88 10:15:11 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Art Larky <AIL0@LEHIGH>" <AIL0@LEHIGH> Subject: More on command.com Amanda B Rosen <abr1@CUNIXC.CC.COLUMBIA.EDU> writes: >First of all, running your CLI out of a ramdisk is not going > to fool most >viruses. Unfortunately, MS-DOS makes it easy for viruses to >spot what is >most likely to be your real CLI- C:\COMMAND.COM My suggestion was to get rid of C:\COMMAND.COM entirely by re-naming the file to something personal (LEHIGH7.COM, for example) and changing the name in IO.SYS. Then the only place where the file exists as COMMAND.COM is on ram disk. The virus will have no problem finding it there since that is what comspec will point to; however, that's an expendible version. Of course, the virus could look in IO.SYS for the real name, but it has to do that after boot-up and after the clean command.com and autoexec have had a chance to run and look for trouble. Hopefully, the virus will be content to feast on easier pickings! Art Larky ========================================================================= Date: Wed, 17 Aug 88 10:26:34 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Ken van Wyk <luken@SPOT.CC.LEHIGH.EDU> Subject: Re: More on command.com In-Reply-To: Your message of Wed, 17 Aug 88 10:15:11 EDT > My suggestion was to get rid of C:\COMMAND.COM entirely by > re-naming the file to something personal (LEHIGH7.COM, for > example) and changing the name in IO.SYS. I believe that it's even easier than that; you can put a SHELL=C:\LEHIGH7.COM statement in your CONFIG.SYS file. Of course, a virus *could* parse the CONFIG.SYS for a SHELL statement... Ken Kenneth R. van Wyk Today - 19th anniversary of Woodstock. User Services Senior Consultant Lehigh University Computing Center You kids are great! Internet: <luken@Spot.CC.Lehigh.EDU> - Max Yasger, the man who owned the BITNET: <LUKEN@LEHIIBM1> farm on which Woodstock was held. ========================================================================= Date: Wed, 17 Aug 88 12:28:58 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Art Larky <AIL0@LEHIGH>" <AIL0@LEHIGH> Subject: Re:re:command.com >> My suggestion was to get rid of C:\COMMAND.COM entirely by >> re-naming the file to something personal (LEHIGH7.COM, for >> example) and changing the name in IO.SYS. >I believe that it's even easier than that; you can put a >SHELL=C:\LEHIGH7.COM statement in your CONFIG.SYS file. Of course, a >virus *could* parse the CONFIG.SYS for a SHELL statement... >Ken True, I guess I feel better having the file name buried in autoexec, particularly since I could have autoexec execute some program with an innocuous name that, in fact, was copying my 'LEHIGH7.COM' to ram under the command.com name. Now the virus has to examine everything that autoexec executes looking for my copy program. I could encode the file names in that program so they would not be recognizable and could not be parsed by the virus. As I said before, go pick on a smaller guy, Mr Virus. Art Larky ========================================================================= Date: Wed, 17 Aug 88 14:03:47 LCL Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Scott C Crumpton <NESCC@NERVM> Subject: "Computers and Security" Would someone please post an address and subscription info for "Computers and Security". Thanks. ---Scott. * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * | Scott C. Crumpton | Bitnet: nescc@nervm | | MVS Systems Programmer | Internet: nescc%nervm.bitnet | | NE Regional Data Center | Voice: 904-392-4601 | | 233 Space Sci. Research Bldg. * - * - * - * - * - * - * - * - * - * | University of Florida | If you want an offical opinion, | | Gainesville, FL 32611 USA | ask my cat. That's his job. | * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * - * ========================================================================= Date: Wed, 17 Aug 88 14:29:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: the Preserver <VISHNU@UFPINE> Subject: How to subscribe to _Computers and Security_ Many thanks to Ken for providing me with a lead. To get a complimentary copy of _Computers and Security_ send a letter requesting such to Computers and Security c/o Dr. Highland 562 Croydon Road Elmont, NY 11003 Please include your name, organization (if any), and mailing address. The complimentary copy will arrive in about 4-6 weeks, and (I guess?) subscription information will be inside it. Les vishnu@pine.circa.ufl.edu vishnu@ufpine ========================================================================= Date: Wed, 17 Aug 88 13:47:16 CDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Len Levine <len@EVAX.MILW.WISC.EDU> Subject: Re:re:command.com In-Reply-To: Message from "Art Larky" of Aug 17, 88 at 12:28 (noon) > >>> My suggestion was to get rid of C:\COMMAND.COM entirely by >>> re-naming the file to something personal (LEHIGH7.COM, for >>> example) and changing the name in IO.SYS. > > >True, I guess I feel better having the file name buried in autoexec, >particularly since I could have autoexec execute some program with >an innocuous name that, in fact, was copying my 'LEHIGH7.COM' to ram >under the command.com name. Now the virus has to examine everything >that autoexec executes looking for my copy program. I could encode >the file names in that program so they would not be recognizable >and could not be parsed by the virus. As I said before, go pick on >a smaller guy, Mr Virus. > Art Larky > I truly do not understand how you can use autoexec.bat for protection. That program gets run very late in the boot process. As I understand it, the boot examines config.sys to see what is to be established as a part of the io and msdos resident portions of the code, and only then brings up command.com (or its alias) and finally after command.com is loaded, it is executed with autoexec running as the first job. + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + | Leonard P. Levine e-mail len@evax.milw.wisc.edu | | Professor, Computer Science Office (414) 229-5170 | | University of Wisconsin-Milwaukee Home (414) 962-4719 | | Milwaukee, WI 53201 U. S. A. Modem (414) 962-6228 | + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ========================================================================= Date: Wed, 17 Aug 88 15:38:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: ZDABADE@VAX1.CC.LEHIGH.EDU Subject: RE: Re:re:command.com For *most* Command.com viruses, isn't it better to get rid of the virus as soon as possible (using autoexec.bat techniques such as Art Larky and I have suggested) than not protecting in such a manner at all? The less time the virus is around, the better a computer's chances for survival, I think. Mr. Levine: What method do you use in protecting from this strain of virus? /-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\ | From: David A. Bader, Studentis Maximus | | | | DAB3@LEHIGH SloNet: 1402 Lorain Avenue | | ZDABADE@VAX1.CC.LEHIGH.EDU Bethlehem, Pa. 18018 | | | | SchoolNet: Box 914, -On a mostly harmless | | Lehigh University, blue green planet... | | Bethlehem, Pa. 18015 -And loving it! | \________________________________________________________________________/ ========================================================================= Date: Wed, 17 Aug 88 17:24:46 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Art Larky <AIL0@LEHIGH>" <AIL0@LEHIGH> Subject: Command.com again Len Levine <len@EVAX.MILW.WISC.EDU> says: >I truly do not understand how you can use autoexec.bat for protection. >That program gets run very late in the boot process. As I understand >it, the boot examines config.sys to see what is to be established as a >part of the io and msdos resident portions of the code, and only then >brings up command.com (or its alias) and finally after command.com is >loaded, it is executed with autoexec running as the first job. I'm assuming that you have been able to defend yourself enough so that you are starting out with a clean copy of the re-named command.com and have not yet been infected. Then everything is under your control through the boot process and you are working with a benign, healthy, un-adulterated command.com. If you have checked and medically certified your autoexec.bat, then you are starting up your system cleanly. Autoexec can contain the code to make the temporary copy of command.com in ram disk (from hidden sources and using encripted file names) and can run your CRC checkers and set up Flushot or whatever to watch over what you do after that. If, despite your precautions, command.com gets infected, its the only the ram copy and that goes away when you reboot. If you want to be safe truly, don't let anyone near your machine and don't ever run anyone else's software or anyone else's disks. What I hope I am suggesting is a method of making infecting my command.com hard enough that the virus will not get a good toe-hold on my system. Keep the comments coming - as long as I can argue them down, we have a viable possibility for protection. Art Larky Professor, CSEE, Lehigh University ========================================================================= Date: Wed, 17 Aug 88 19:20:14 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: System Generality Since it was brought up, Computer Generality basically means that a computer is designed for one function, unlike an IBM PC which can be used for many many functions. Fred Cohen has stated in the past that we should limit a machine's usefulness in order to prevent viral spread. I'm not sure that is the answer. Agreed that if a computer cannot produce multiple functions, its very difficult, if not impossible, to propogate a virus through that particular system. Unfortunately, the machines that are most at risk from damage from computer viruses are government computers, banking computers and so on. If we make these machines specific to a purpose (ie: have a database program in ROM and allow no other program to run), then we limit our ability to climb the technological ladder. As we design faster and better systems, we have to replace everything we have. If we do not have these machines as specific purpose machines, then they are still in almost as great a risk group as before. Lorne ========================================================================= Date: Wed, 17 Aug 88 19:24:44 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Conference Speaches For the many, many people who sent me letters asking if they could get "minutes" from this conference: I will try to compile copies of all the speaches made at this conference and have someone take notes on panel discussions. We will then make this available to those who cannot make the meeting. The book which we will be distributing at the conference will also be available. We will probably charge for the book, to handle printing costs and shipping costs, but I think it will be well worth it. Incidently, we've had a lot of talk about protecting command. com on MS-DOS micros. And we've had quite a few good comments. One thing I should point out though is that command.com viruses are a small portion of the types of viruses out there that hide themselves in the boot sector, Bios, Io, executables, command files, in memory, and even between sectors (theoretical, I haven't seen one myself). Protecting command.com helps to protect your system, but the system must be protected as a whole, which is more difficult. Loren ========================================================================= Date: Wed, 17 Aug 88 22:05:34 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "David A. Bader" <DAB3@LEHIGH> Subject: viruses Loren Keim states: >Agreed that if a computer cannot produce multiple functions, >its very difficult, if not impossible, to propogate a virus >through that particular system. Doesn't the very definition of a "computer" mean that it can perform various functions? Otherwise what would the use of one be besides a paperweight? Loren continues: >> Unfortunately, the machines that are most at risk from damage from computer viruses are government computers, banking computers and so on. If we make these machines specific to a purpose (ie: have a database program in ROM and allow no other program to run), then we limit our ability to climb the technological ladder. As we design faster and better systems, we have to replace everything we have. If we do not have these machines as specific purpose machines, then they are still in almost as great a risk group as before. Lorne >>endquote What reasons do you have that banks and government systems are more infested with viruses??? Although it must be a hard statistic to find, since most humans don't know what a computer virus is even if it were to kill their main-frame or PC, I would think that the major virus attack is on such computers as PC labs, university systems, (and other "public sites" that can't monitor most users of the system.) On a banking system, for all our monies sake, I would hope that 1) only authorized administrators use the computer, and 2) none of them want to kill their bank's files. (The ssame reasoning goes with the government.) David A. Bader DAB3@LEHIGH ========================================================================= Date: Thu, 18 Aug 88 00:15:44 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Virus Infection Potential David, > Doesn't the very definition of a "computer" mean that it can > perform various functions? Otherwise what would the use of > one be besides a paperweight? I have never seen a computer defined as a box that can perform various functions. A computer can do one specific function without being a paperweight. Have you ever seen a calculator? Have you seen a television? In a way, each of these is a computer and each has a specific function. What I said in my letter, paraphrasing Fred Cohen, is that if we make computers perform one specific function (like a computer to open doors for us when we approach, or a computer to cook our food in the microwave) then it does not have a serious problem with viruses. If we limit the functionality of a computer, we limit the approach, or the infectibility of a computer. Unfortunately, it also means that we may need more equipment to do something. I also never stated that government and bank computers were more infected than other computers, nor that they were more at risk of being infected. They DO however, often have the most to lose. I believe I also added a "so on" onto the end of that. What I was saying is that we have to protect our "secure systems" (I'm sure most of you have heard the term before). Viruses have been able to do what other programs cannot, they sidestep security by entering a computer by way of an authorized user who doesn't realize that he or she is carrying the virus. It doesn't matter much if a college LAN loses all its information (unless someone stores important research on that LAN), but it is critical if a large banking institution loses all its records (which happened recently), or if NASA loses the program which runs the spaceshuttle just as its blasting off. > I would hope that 1) only authorized administrators > use the computer, and 2) none of them want to kill their > bank files. This is absolutely irrelevant. Few people PURPOSELY infect their computer systems. How many of us go around injecting bad programs into our own important files? That is rediculous! When someone's disk is infected by a virus, they generally don't know it. They spread the virus to their company's files accidently, they don't realize that they are carrying something deadly to their records. Loren Keim ========================================================================= Date: Thu, 18 Aug 88 03:02:36 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Robert Newberry <RNEWBER@AKRONVM> Subject: Beginnings Hello all I was wondering when the first computer virus was first descovered? Rob... ========================================================================= ROBERT NEWBERRY <RNEWBER@AKRONVM> = = UNIVERSITY OF AKRON = I COUNLDN'T THINK OF ANYTHING = COMPUTER CENTER = WITTY TO SAY! = AKRON OHIO 44304 USA = = ========================================================================= ========================================================================= Date: Thu, 18 Aug 88 09:10:46 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "David A. Bader" <DAB3@LEHIGH> Subject: reply to virus chat >> Doesn't the very definition of a "computer" mean that it can >> perform various functions? Otherwise what would the use of >> one be besides a paperweight? > >I have never seen a computer defined as a box that can perform >various functions. A computer can do one specific function >without being a paperweight. Have you ever seen a calculator? >Have you seen a television? In a way, each of these is a computer >and each has a specific function. I agree that a calculator is a computer, and it can perform various functions... It CAN also have I/O lines (such as to printers or input tape or something like that.) Also, If in one of your previous messages you said that theoretically viruses can hide in between disk sectors, why can't they hide in the memory of a simple calculator... Maybe 2 + 2 *does* equal 5 on a corrupt calculator!!! Also, isn't a "computer" as we call it (like a PC or a mainframe) just a glorified calculator. The center of a computer's functioning is its ALU, and that is just the same as a calculator, just on a different scale. As for a TV being a limited function computer, so is the human body for that reason! You have input, output, conversions inbetween... I don't think resorting to a TV is a good example though of a single function computer since ANYTHING we name can be a one function computer! >What I said in my letter, paraphrasing Fred Cohen, is that >if we make computers perform one specific function (like >a computer to open doors for us when we approach, or a >computer to cook our food in the microwave) then it does >not have a serious problem with viruses. If we limit >the functionality of a computer, we limit the approach, >or the infectibility of a computer. Unfortunately, it >also means that we may need more equipment to do something. Don't we already have these things?? How about at security doors where you need to punch in a code to open the door? That is a computer there, or most microwave are digital making them computers of sort.. My point is that when we talk viruses, we usually mean "computers" on one-level deeper, but ANY one-function computer can get a virus if the correct input is applied. > They DO however, >often have the most to lose. Why do banking systems and government systems have the most to lose?? EVERYONE has a lot to lose. Any PC has a lot to use, and I would bet that the storage on PC systems totalled in the country (all kinds of media) is far greater than the banking and government systems. Also add in the universities and public areas of computers; they, too, have a *lot* to lose. >Viruses have been able to do what other programs cannot, >they sidestep security by entering a computer by way >of an authorized user who doesn't realize that he or >she is carrying the virus. While this is true and I agree with the statement, also remember that many systems crash because of inexperienced users with the authorization. I think most will agree that the person who has no idea how to use a system can do the most damage! >It doesn't matter much if a college LAN loses all its >information (unless someone stores important research >on that LAN), but it is critical if a large banking >institution loses all its records (which happened >recently), or if NASA loses the program which runs >the spaceshuttle just as its blasting off. Why do you assume that a LAN will have backup, but large banking institutions and NASA don't?? A LAN might have just as much information that changes daily, only less humans are involved when the data is corrupted. In a large banking institution, I would assume that and data corruption umbrellas down into a few hundred thousand customers. >> I would hope that 1) only authorized administrators >> use the computer, and 2) none of them want to kill their >> bank files. > >This is absolutely irrelevant. Few people PURPOSELY infect >their computer systems. How many of us go around injecting >bad programs into our own important files? That is rediculous! >When someone's disk is infected by a virus, they generally >don't know it. They spread the virus to their company's >files accidently, they don't realize that they are carrying >something deadly to their records. This is not absolutely irrelevant. A lot of time bombs (and conceivably virus-type time bombs) have been left in systems by disgruntled workers, or system programmers who want an insurance that a company will pay for the software, or as a means of assuring that the system won't be given to anyone else. If you consult the National Security of Computers (?) department under the Department of Defense, I am sure that they will have a lot of cases to share with you. David A. Bader DAB3@LEHIGH ========================================================================= Date: Thu, 18 Aug 88 13:27:09 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Limited Functionality The first computer virus, Robert, according to Fred Cohen was done at a computer security meeting in 1983. (I think it was October, but I am not 100% certain of that). However, the Navy had been working with virus-like programs for a long time before that. As one member of this list mentioned to me before, there were writings on viruses as far back as the 40's. As for Limited Functionality, since there is still a problem with it, I will define it one last time, and I will define it slowly. A virus cannot infiltrate a good computer system that is completely isolated if it does not already have one built in to the software that it came with. When I mean isolated, I mean we can use NO other software on it other than that which it came with, and have no modem, nothing connected to it. It is isolated. It has been proven over and over again... a virus cannot infect this machine, because there is no way for a virus to enter it. The government back in the 70's came up with a whole slew of ideas about isolating computers, but a computer cannot easily be completely isolated. So they came up with two alternatives: Limit the access to the machine as completely as possible, or Limit the functionality of the computer. What they meant by Limit the Functionality of the computer, later redone by Fred Cohen, was that if a computer had all its programs BUILT IN to the computer, and if it could not run an outside program, and if it had some specific function. Then there really isn't a way for a computer to enter the system. Memory is reserved for data. A special bank is for the program and that is unable to be written to. In later talks, Fred Cohen described computers which were designed for special purposes, like opening doors for people and feeding the fish. If there isn't anything connected to these computers, ie: no I/O ports and no outside access, then there really is no way for a virus to enter. Likewise, its pretty hard for a virus to propogate if it doesn't have a lot of similar connected boxes. > Don't we already have these things?? How about security > doors where you need to punch in a code to open the > door? Yes, we do. And you have just fried your own theories. You stated that viruses could propogate across single function boxes, and then you say that these boxes exist. Isn't there a security system around? Yes, there is. Have you ever seen a virus attack one? I haven't. Also, yes a single-function computer MAY be able to "get" a virus, but its not good for spreading viruses. Many single function boxes which are unlike are VERY hard to write ANY virus for. By this point, we would have made it so difficult to write a virus that one could not easily exist. > Why do banking systems and government systems have the most > to lose?? EVERYONE has a lot to lose. Again, I never said that banking systems and government systems ALONE had the most to lose. I said that it would be very dangerous for these and LIKE systems to be destroyed. If a major bank lost all its records. WE would be in trouble. Our economy may feel the damage. If the government's nuclear device-controlling computer was set off by a virus... WE would all be in trouble. This is much more serious than YOU losing a few games and a research paper for one of your professors, don't you think? > Why do you assume that a LAN will have backup, but large > banking institutions and NASA don't? Nowhere did I say anything about backup. Quit putting words in my mouth. That is wonderful to fuel an argument, but we're trying to have rational discussions, not scream at each other. Backups are, as always, important. One problem we've run across is a virus that will delete all the files on a system, but before doing this, it lies in weight for several months. When you load the last system, it destroys this as well because its after a certain date. People don't quite understand, so they load the second oldest, which they lost also. By this point they get the picture, fix the problem when they load the next time... but its too late... we've lost 2 months worth of work. Backups are NECESSARY though. Loren ========================================================================= Date: Thu, 18 Aug 88 14:47:00 MDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Kent Cearley - UMS - 492-5262 <CEARLEY_K%wizard@VAXF.COLORADO.EDU> Subject: Debate >As for Limited Functionality, since there is still a problem >with it, I will define it one last time, and I will define >it slowly. Loren, I sense some unnecessary antagonism here. Without putting words in your mouth, it appeared to me the concept of limited functionality was adequitely understood, I believe its utility as a practical solution to infection was being questioned. Certainly it follows that if a system accepts no input, and originally contains no contaminated code it will not acquire any, it really doesn't require much 'proof'. Limiting functionality would seem to simplify management of the dedicated machine, but, I believe in most instances the utility of such an arrangement would be in its interconnectivity to other specialized processors. This connectivity or network could be viewed as, and is in fact becoming, a 'virtual computer' in its own right, with all the attendent complexities of a general purpose system. Has anyone explored the concept of expert systems regulating security? Perhaps implemented like regression testing in software engineering, i.e. it familiarizes itself with the 'typical' activity of a system... quantitatively e.g. avg disk writes for program 'x', free memory, non-data sector reads/writes, maybe feature analysis techniques, suspending activity in anomalous situations: Threshold for disk writes exceeds typical average: memory map =.... continue Y or N, Attempted write to .COM or .EXE file continue Y or N, programmed in ROM and supplied as a plug in board? Who knows, just free falling to explore different directions and maybe trigger other associations. *-----------------------------------------------------------------------* | Kent Cearley | CEARLEY_K@COLORADO.BITNET | | Management Systems | | | University of Colorado | "All truth contains its own | | Campus Box 50 | contradiction" | | Boulder, CO 80309 | | | | | *-----------------------------------------------------------------------* ========================================================================= Date: Fri, 19 Aug 88 06:19:53 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Amanda B Rosen <abr1@CUNIXC.CC.COLUMBIA.EDU> Subject: Limited functionality, definition of 'computer', etc. I'm a little concerned about butting into an argument that seems to be getting personal, but here goes... (I don't know _anybody_ on this list personally, so I'm not taking any sides...) David Bader's most recent lengthy article made many statements. I disagree with every one. Maybe he had a bad day (I know I'm having one), but I'll try to go over a couple that seemed to stand out. First, David asks how to define a computer, and why the definition of Limited Functionality is useful (I'm paraphrasing, so if I read it wrong, sorry...). In general, and without getting into any CS theory, I would say that a useful definition of 'computer' would be the turing machine. Modify that by looking at the PCs, Macs, Vaxen, and 4381s of today for a more bounded but useful definition. This is not what you would call a strict definition, but it's useful because we all understand it. In particular, a calculator or television don't qualify as (general-purpose) computers for obvious reasons. On the other hand, there are limited-functionality machines. Another intuitive definition is useful here: they are machines which, whatever the underlying capabilities of the component hardware, are NOT turing machines. Two good examples- 1) a security device, as described in David's article. It does not have a general-purpose CPU. It is inherently incapable of many things, such as arithmetic. 2) A building-directory computer. It is based (for example) on a 68000 machine, with lots of ROM and almost no RAM. While the hardware is, inherently, a turing machine, this actualization will never be capable of adding two numbers, either. Both of the limited-functionality devices described have the same chance of being infected by a virus: none. It's just not possible. This directly contra- dicts David's statement "ANY one-function computer can get a virus if the correct input is applied." On another topic, while novice users can be dangerous, there is no way a novice, no matter how clumsy or careless, can cause your data to become corrupt a month after his/her use of the machine, after the backups have been contaminated... Novices are also incapable of inflicting serious damage on mainframes or minis (or PCs with protection in the OS). Fianlly, it is always the institutions with the most at stake that have the most to lose (simple truism). What some people fail to see is that banks, defense systems, and the like, are the most likely to draw sophisticated viral attacks. While I'm not hugely fond of Cyberpunk stuff, read Gibson's Neuromancer. I hate to say it, but Gibson is probably very accurate in his portrayal of what computer security is going to be like in the not-too- distant future (although I have my doubts about his "Cyberspace matrix"). If you're a crack programmer worth $250 an hour, are you going to spend a month writing a virus to bring down a campus LAN? Or are you going to write one that redirects funds from bank networks to a numbered bank account? The other thing that people forget is that the real viruses of tomorrow won't be acts of vandalism, mostly. They'll have a purpose. Sorry for rambling, but it's 5:30 AM... I sure hope this makes as much sense tomorrow as it does now :-) /a ========================================================================= Date: Fri, 19 Aug 88 10:39:25 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: The First Virus Quite a few people wrote to me to tell me that I was incorrect in my definition of the first virus. That there have been viruses around for years. I quite agree. What I meant was that Fred Cohen, in his famous article describing viruses back in Computers and Security (No 6, 1987?) he told us that the first virus was conceived "of as an experiment to be presented at a weekly seminar on scomputer security" on November 3, 1983. He goes on to explain how this was the first virus and the very first virus experiment. I disagree with Fred on many point, and this is a maojor one. If anyone has had experience with viruses before this point in time, I would be VERYa happy to hear about them. I've documented a few minor comments in the past, but nothing concreit with the exception of some government work studying poropogating programs. Also, I'm looking for a copy of "Communications of ACM" from way back in March, 1982. Pages 172-180 contain information about the Xerox Worm program which got out of hand a few years back. Loren Keim ========================================================================= Date: Fri, 19 Aug 88 12:59:23 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Ken van Wyk <luken@SPOT.CC.LEHIGH.EDU> Subject: Limited Functionality Granted, limited functionality can certainly reduce the risk of a machine being infected by a virus. I wouldn't go so far as to say eliminate the risk, though. At least in the case of a machine in which a CPU is getting instructions from ROM. After all, where did the instructions for the ROM come from? Unless you can insure that the ROM itself is free from contamination, then you cannot say that there is no virus in that machine. At some point, the ROM had to be written to. It is true, however, that an existing uninfected ROM device cannot be written to by a virus, assuming that the ROM is, indeed, unwritable. Nonetheless, such a limited functionality machine certainly does have limited application, as the name would imply. An arcade video game is a good example of one. There aren't too many applications in which a limited functionality machine would be too useful, or at least practical. I certainly wouldn't want all of the applications on my PC burned into ROM, never to be altered. It would make life on the computer very difficult. Ken Kenneth R. van Wyk Calvin: Dad, can I have a flame thrower? User Services Senior Consultant Dad: Of course not! Lehigh University Computing Center Calvin: Even if I don't use it in the Internet: <luken@Spot.CC.Lehigh.EDU> house?!!! BITNET: <LUKEN@LEHIIBM1> ========================================================================= Date: Fri, 19 Aug 88 17:45:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: WHMurray@DOCKMASTER.ARPA Subject: Re: Protecting Command.com In-Reply-To: Message of 16 Aug 88 21:20 EDT from "Art Larky <AIL0%LEHIGH.BITNET@CUNYVM.CUNY.EDU>" >Of course, a clever virus could read your config.sys and your autoexec.bat >and . . . . . ; BUT, you have the upper hand (I hope) because you have >been able to boot with a clean copy of command.com and a clean (I hope) >copy of autoexec. Your autoexec can do CRC's and such to protect itself and >your your hidden copy of command.com. But of course, a virus that did that would not be very clever would it? A truly clever virus attempts to exploit similarities among its potential targets. The beauty of your scheme is that it makes you just sufficiently different from your peers to remove you from the target population. Viruses exploit similarity; they do not need to attempt to accomdate themselves to differences. If you are the only target, any Trojan Horse attack will do. A virus is redundant. If you are not the specific target, then the success of the virus does not depend upon infecting you. All of those who have not taken steps to remove themselves from the target population, are sufficient. The virus does not need you. Thus, to F. Cohen's list of sharing, generality, and transitivity, we can add "similarity." William Hugh Murray, Fellow, Information System Security, Ernst & Whinney 2000 National City Center Cleveland, Ohio 44114 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 ========================================================================= Date: Fri, 19 Aug 88 19:38:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: ZDABADE@VAX1.CC.LEHIGH.EDU Subject: Hiding a virus between disk sectors I have a simple question regarding viruses in between disk sectors. I can play arount with all the timing and sector markings in between disk sectors with my Central Point Options board. I know how to make copy protections with this, and other little tricks. What would the theory be behind putting a virus in between sectors? (Anything is possible, I am just curious on how that would make viruses any different or any other spew about a virus like that. Also, how would virus detection have to change?) David /-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\ | From: David A. Bader, Studentis Maximus | | | | DAB3@LEHIGH SloNet: 1402 Lorain Avenue | | ZDABADE@VAX1.CC.LEHIGH.EDU Bethlehem, Pa. 18018 | | | | SchoolNet: Box 914, -On a mostly harmless | | Lehigh University, blue green planet... | | Bethlehem, Pa. 18015 -And loving it! | \________________________________________________________________________/ ========================================================================= Date: Sat, 20 Aug 88 14:13:18 +0100 Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Stefan Parmark <tmpspa@EUA4.ERICSSON.SE> Subject: Can't get log8805 Ken! I am having trouble getting log8805. Your list server has confirmed that it has been sent, but I haven't received it yet. That was two weeks ago, and two more attempts have given the same result. I guess it is the file size that is the trouble. Splitting it in two halves would probably work. /Stefan Parmark ========================================================================= Date: Sat, 20 Aug 88 14:14:34 +0100 Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Stefan Parmark <tmpspa@EUA4.ERICSSON.SE> Subject: Moving to new site After the 26th of August I can no longer be reached at tmpspa@eua4.ericsson.se. That account will probably be removed, so any mail will probably bounce. I will of course unsubscribe to this list before I leave. My new address will probably be something like d84spa@<something>.lth.se, but I will let you know. Oh, by the way, before I leave I will send my report to Ken like I promised. It won't contain anything revolutionary, although it will summarize what has been said about infections here. /Stefan Parmark ========================================================================= Date: Sat, 20 Aug 88 14:12:24 +0100 Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Stefan Parmark <tmpspa@EUA4.ERICSSON.SE> Subject: Re: Mainframe viruses Joe and Loren! My mail to you doesn't seem to get through, so I will put this on Virus-l instead, which I know both of you read. Joe, you say that you have tracked down several viruses. As I say in my inquiry, I am not interested in *where* it happened, but *what* happened, what it did, how you found it and restored the machine, etc. I will be quite satisfied with a couple of lines describing the major events. Details are interesting, but not really necessary, if you aren't in your best writing mood. If you don't think this means leaking too much information, then please tell me! Refer to the different companies/universities as company A, university B, and so on, if you don't want their names to be known. I am interested in information about the Innoculator. If you have a brochure describing it, please send me one. If you can't e-mail it, please telefax it to +46 8 7490594. The reason is that the surface mail takes a little while, and I don't have more than one week until my report must be finished. If the Innoculator seems safe, we will consider buying it. If you have references from satisfied customers, please include them too. The department of Ellemtel at which I am working has a high security classification, class 2 I think. Therefore a virus protection is highly desirable. Their VAX was earlier connected to UseNet, but the risk for infections made them "cut" the wire. They will restore the connection whenever they feel safe, which I am supposed to make them. In case you wonder, I am using another department's computer to mail you. Loren, I have mentioned your idea about a conference to some people working with me. They, and I too, are interested in such a conference. I will inquire how interested they are. When I know, I or they will get back to you. /Stefan Parmark P.S. You know about the pubkey mailing list, don't you? They're discussing Lee Kemp's public key encryption to protect from viruses. If you are interested, send a mail to Doug Thompson at doug@isishq.math.waterloo.edu. ========================================================================= Date: Sat, 20 Aug 88 14:16:15 +0100 Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Stefan Parmark <tmpspa@EUA4.ERICSSON.SE> Subject: Nomenclature needed I feel that the term 'virus' is being used too often when one really means something else. I think it is important that there is a term which will cover worms, viruses, Trojan horses and bacteria. As a general term I would like to propose 'infection'. I am not a biological expert, so perhaps some other word would be better. The important thing is that when anyone says 'virus' we know what he means. /Stefan Parmark ========================================================================= Date: Sat, 20 Aug 88 09:03:14 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Joe Sieczkowski <joes@SCARECROW.CSEE.LEHIGH.EDU> Subject: RE: Hiding a virus between disk sectors In-Reply-To: ZDABADE@VAX1.CC.LEHIGH.EDU's message of Fri, 19 Aug 88 19:38:00 EST <8808192346.AA26896@scarecrow.csee.lehigh.edu> I really can see the practicality of viruses hiding in between sectors. For one there isn't much room, maybe space for several bytes, no more. The virus would have to be careful not to overwrite the following sync mark or make the next sector unreadable by DOS. Finally, there would have to be a sophisticated program to read the data between sectors, concatenate the information (ie the virus), and then execute it in memory. Since this sopisticated program is not a part of DOS, and since it itself could not be hidden between sectors, the point of putting a virus in between sectors is moot. Joes ========================================================================= Date: Sat, 20 Aug 88 09:20:16 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Joe Sieczkowski <joes@SCARECROW.CSEE.LEHIGH.EDU> In-Reply-To: Kent Cearley - UMS - 492-5262 's message of Thu, 18 Aug 88 14:47:00 MDT <8808182056.AA24237@scarecrow.csee.lehigh.edu> Subject: Debate >Has anyone explored the concept of expert systems regulating security? >Perhaps implemented like regression testing in software engineering, >i.e. it familiarizes itself with the 'typical' activity of a system... >quantitatively e.g. avg disk writes for program 'x', free memory, >non-data sector reads/writes, maybe feature analysis techniques, >suspending activity in anomalous situations I beleive AT&T's new version of secure Unix will do somthing like this. Although I am not affiliated with the company perhaps someone reading this is and can confirm and expand on this. Joes ========================================================================= Date: Sat, 20 Aug 88 18:12:15 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Jim Marks <JMARKS@GTRI01> Subject: Re: Can't get log8805 In-Reply-To: Message of Sat, 20 Aug 88 14:13:18 +0100 from <tmpspa@EUA4.ERICSSON.SE> Ken, Stefan is not the only one who has had this problem with log8805. I requested it and haven't received it also. I've been reading back through the old logs and have successfully received all the other ones. Jim Marks ========================================================================= Date: Sat, 20 Aug 88 18:31:34 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Jim Marks <JMARKS@GTRI01> Subject: LOG8805 retraction I spoke too soon about not being able to receive the 8805 log. After sending my previous reply, I found the subject log waiting in my reader list. It WAS quite large; that is probably why it takes quite a while to move through the network. Jim Marks ========================================================================= Date: Sun, 21 Aug 88 15:20:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: ZDABADE@VAX1.CC.LEHIGH.EDU Subject: RE: Hiding a virus between disk sectors > >I really can see the practicality of viruses hiding in between >sectors. For one there isn't much room, maybe space for several >bytes, no more. The virus would have to be careful not to >overwrite the following sync mark or make the next sector unreadable >by DOS. Finally, there would have to be a sophisticated program >to read the data between sectors, concatenate the information (ie >the virus), and then execute it in memory. Since this sopisticated >program is not a part of DOS, and since it itself could >not be hidden between sectors, the point of putting a virus >in between sectors is moot. > >Joes I've been playing around with my Options board and found that there is at least 50K of characters that I can string together between sectors on the 40 tracks of a 360K IBM floppy. (There is probably twice that much data room available, but then it might interfere with the buffers of data on the physical disk for marking where a sector begins and ends and the sector type bytes(good, bad, etc.). Would it not be trivial for someone to write a small useful utility (or take an already existing one) that a lot of people might use, and tack on the data to propogate this type of virus? How would the detection of this virus have to change from already existing techniques? File size changes wouldn't be that evident because the virus would be hidden on a non-counted part of a dsik, and the virus carrier program would still be the same general size with just a jump to the virus code... Any ideas out there? David /-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\ | From: David A. Bader, Studentis Maximus | | | | DAB3@LEHIGH SloNet: 1402 Lorain Avenue | | ZDABADE@VAX1.CC.LEHIGH.EDU Bethlehem, Pa. 18018 | | HACK!DAB@SCARECROW.CSEE.LEHIGH.EDU | | | | SchoolNet: Box 914, -On a mostly harmless | | Lehigh University, blue green planet... | | Bethlehem, Pa. 18015 -And loving it! | \________________________________________________________________________/ ========================================================================= Date: Sun, 21 Aug 88 17:06:50 PDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Robert Slade <USERCE57@UBCMTSG> Subject: Viral information file Regarding the request for an archive of virus message information, I have been collecting and distributing such for some time, predating the existence of VIRUS-L. As explanation, herewith (and I appologize for the length) a recent submission to RISKS-FORUM. (Also, regarding the recent request for the first virus, I seem to recall one person mentioning that he wrote one for the Apple in about 1979. It's in the file somewhere.) One other thing. The file has now passed 700K. Multiple floppies would be a good idea. =================== Following my recent reposting of the directions for the "Virus file" (and pursuant to Chip Copper's attempt to establish a "Center for Virus Control"), I received the following message: Subject: Virus collection??? From: JKILLY@BINGVMB Hello--I saw your posting of a set of collected virus messages in RISKS, and I just had to respond. Please forgive, but are you for real? This sounds like you're dispensing hellish little packages of unadulterated evil! If the "collection" is so interesting, why don't you upload it and distribute it in a format that is not so inherently threatening? A person would have to be nuts to put your 5.25" diskette in any micro (I guess some clean shop that destroys units on a good day might find it acceptable). I'm not mad, just curious: What *is* the point of distributing this stuff on diskette? Thanks very much for your response. --Jake There seem to be two issues to address here. One is the already well addressed theme of whether or not you talk about matters relating to security. I generally come down on the "let-the-users-know,-and-chance-it- on-the-hackers" side of the discussion. In the case of viri, the users are everywhere, and (as has been ably pointed out by others) society in general is going to be affected by the mere *existence* of virus programs. So, I am compiling and distributing the material. Second issue: *what* am I compiling. First off, I am not collecting and distributing virus programs themselves (so you can give up on the requests "Ultimate_Hacker", and sorry, Chip, I wish I *could* help.) The file is a collection of messages from RISKS-FORUM, INFO-MAC, INFO- IBMPC, VIRUS-L, Computers and Society Digest and various text postings on private bulletin boards. *All* the material is therefore readily accessible; I am simply trying to save time for those who are trying to work in this area. Simply collating all the material is taking several hours per week, and I have not yet had time to edit it all. The bulk of the material is from RISKS. The topics I select for are those announcing or analysing new viri, those suggesting virus protection schemes (and critiques of those suggestions), opinion pieces on the implications of viri and some messages on related security matters (such as the recent discussion of "block mode" on terminals.) The total size of the file is now in excess of 700K, and is being sent out in archived form. (The current archive breaks out into two files, MASTER1.VIR and MASTER2.VIR.) I suspect that by the time you read this, the total file will no longer fit on a single disk, even archived. FTP is not available from UBC, and I am not going to send out a 700K+ file out as one or more message(s) on a daily basis. Future editions of this file can be obtained by sending a PC formatted disk in a (Canadian) stamped, self addressed mailer to: Robert M. Slade, 3118 Baird Road, North Vancouver, B. C. Canada V7K 2G6 I hope this goes some way to allaying Jake's fears. Prudent caution would appear to be very healthy in our current environment (although I would think you could find *some* way of testing what you receive from unknown sources.) Disclaimer: ... ah, what's the point. Nobody'd believe it anyway ... P. S. - Herewith a local virus warning from a ways back ... --------------------- From: Greg Slade Rec'd To: All Msg #55, 13-May-88 12:17pm Subject: *** Warning *** From: Steve Fairbairn To: All Msg #162, 29-Apr-88 03:14pm Subject: TROJAN **** ALERT **** * Original: FROM.....Tom Sirianni (153/4) * Original: TO.......All Sysops (153/102) * Forwarded by.......OPUS 153/703 * Original: FROM.....Tom Sirianni (105/301) * Original: TO.......All (105/301) * Forwarded by.......OPUS 105/301 To All: New TROJAN has hit Portland, Oregon. Two CONSULTANTS who use TURBO PASCAL were using a program called: D-XREF60.COM the program was originally from a PC-SIG library in California but it may show up on the local BBS's. **** BEWARE **** This program is supposed to be a cross reference program for Pascal programmers it does what it says PLUS it randomly deletes file names from the DIR then it all at once scrambles the FAT. Authors name? The infamous DORN STICKLE! Poor boy is really getting blamed for a bunch of stuff. At any rate be careful of this one. I repeat this is a verified TROJAN. This messaage maybe TRANSPOSED to the PUBLIC to help the average User defend him/her self. Tom Sirianni of 105/301 --- ConfMail V3.31 * Origin: SCP Business BBS * This WOC's PC-Pursuitable 1-503-648-6687 (1:105/301) From: Charles Howes To: All Msg #184, 06-May-88 10:48pm Subject: novirus.arc I suspect, after having my system quit, that NOVIRUS.ARC is in fact a virus. My hard disk just wouldn't boot. I couldn't figure out what was wrong, so I copied off only necessary files and then reformatted in dos 3.3. About the only good thing I can say about the program is that it got me to upgrade to 3.3 from 3.1. Whoopee. The above were posted on Dial-A-File. I cannot comment on the content as I have never used either program, but I would advise caution on the part of those who come into contact with them. Greg?========================================================================= Date: Mon, 22 Aug 88 07:35:47 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Ken van Wyk <luken@SPOT.CC.LEHIGH.EDU> Subject: Re: Hiding a virus between disk sectors In-Reply-To: Your message of Fri, 19 Aug 88 19:38:00 EST > What would the theory be > behind putting a virus in between sectors? If there's physical space there, then I'm sure that it can be done. You have to remember a couple things though. First, the virus would need some "bootstrap" code that would have to reside in a program(s) which is accessible to DOS, or else the space in between sectors would be ignored. Also, the virus would become very hardware specific. Certainly floppy disks and hard disks (yet alone different models of hard disk controllers, etc.) have different physical characteristics in this regard. Imho, the bottom line is that writing such a virus would not be feasible, or at least cost (of time) efficient. Ken Kenneth R. van Wyk Calvin: Dad, can I have a flame thrower? User Services Senior Consultant Dad: Of course not! Lehigh University Computing Center Calvin: Even if I don't use it in the Internet: <luken@Spot.CC.Lehigh.EDU> house?!!! BITNET: <LUKEN@LEHIIBM1> ========================================================================= Date: Mon, 22 Aug 88 11:09:25 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Ken van Wyk <luken@SPOT.CC.LEHIGH.EDU> Subject: Virus insurance Recently, on the RISKS forum (I believe), there's been some discussion about virus insurance. Specifically, about how corporations are seeking virus clauses in their computer security insurance policies. The posting said that at least one (insurance) underwriter has started specifically rejecting any virus coverage at all. The insurance companies seem to feel that they need to learn more about viruses before being able to insure against them. Apparently it could cause security policies to specify much higher deductibles, etc. I thought that it could be an interesting topic for discussion... Any thoughts? If *you* were representing an insurance company, would *you* want to recommend insuring against viruses? Of course, this would not be limited to PCs and/or mainframes. Ken Kenneth R. van Wyk Calvin: Dad, can I have a flame thrower? User Services Senior Consultant Dad: Of course not! Lehigh University Computing Center Calvin: Even if I don't use it in the Internet: <luken@Spot.CC.Lehigh.EDU> house?!!! BITNET: <LUKEN@LEHIIBM1> ========================================================================= Date: Mon, 22 Aug 88 07:54:16 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: me! Jefferson Ogata <OGATA@UMDD> Subject: distribution By the way, the distribution of this list has been really weird at my end lately; I've been getting postings WAY out of order, like days. My node seems to be served by some other site now; I don't know if that's the problem. Maybe it's just the size of the postings. Anyone else having major weirdness lately? - Jeff Ogata ========================================================================= Date: Mon, 22 Aug 88 13:54:53 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Ken van Wyk <luken@SPOT.CC.LEHIGH.EDU> Subject: Re: distribution In-Reply-To: Your message of Mon, 22 Aug 88 07:54:16 EDT > By the way, the distribution of this list has been really weird at my end > ... > major weirdness lately? BITNET, being store-and-forward, gives smaller messages priority over larger ones. That could possibly explain the ordering problems. The list should still be served by LISTSERV@LEHIIBM1.BITNET unless you're on a local redistribution list. We are, however, slowly looking to pick up a peer LISTSERV or two sometime in the future. Ken Kenneth R. van Wyk Calvin: Dad, can I have a flame thrower? User Services Senior Consultant Dad: Of course not! Lehigh University Computing Center Calvin: Even if I don't use it in the Internet: <luken@Spot.CC.Lehigh.EDU> house?!!! BITNET: <LUKEN@LEHIIBM1> ========================================================================= Date: Mon, 22 Aug 88 15:25:06 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Viruses Between Sectors A few weeks back, Joe, Chris Bracy and I were all called out to California to test a new anti-viral package of a company which none of us have anything to do with (That company will remain nameless). They asked us to put their package through the ringer and see if we could figure out a way to get a virus through all their defenses. We found several. One of the ideas we kicked around, which had been conceived by some of Fred Cohen's students a few years ago, was hiding a large part of the viral code in between sectors. We wouldn't have to specify that sectors were bad, or change file sizes or anything that a program might catch. A program can't really check between sectors because its unsure of what would be there. The virus would still have to be a boot sector virus or hide in an executable or so on. We felt the best combination was to have the virus attack the boot sector. This would be a difficult virus to work with and a difficult one to write, but not impossible by any means. The real problem is that we are very limited in space, although we can point to each of the between-sector areas. Remember that viruses can hide anywhere. On old Apple II's, we've heard of viruses being able to be hidden in memory other than the main memory, little pieces hidden around the system. There is no easy way to check for code in these sectors other than mapping them and CRCing whatever junk might be written there, and checking it periodically, but this is unreliable. Its far easier to watch for the main program in the boot sector, executables, memory, BIOS and so on. Loren ========================================================================= Date: Mon, 22 Aug 88 16:10:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: NEWTON@NBSENH Subject: Mail Order Yes. I had a dry spell for a few days, then came in this (Monday) and had *82* mail messages waiting--mostly from virus-l. ========================================================================= Date: Mon, 22 Aug 88 03:38:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: me! Jefferson Ogata <OGATA@UMDD> Subject: computer functionality b/w timed virus attacks The idea of a box that computes only one function certainly falls within the definition of a computer. Every computer I ever met satisfies that one. Any computer with finite memory is only capable of computing one function: executing its machine code with finite input and environment. Each program is merely a point in the domain of the function of the computer. After all, to a computer, programs are the real input. Data is just junk for the programs to munch on. When viewed from this perspective, the problem of computer infection becomes: how can a program alter the computer's actual input (programs)? In general, computer programs map some language expressed in the form of data into the domain of the computer's execution function. As such, most data can be viewed as a program running on a virtual machine being emulated by the program actually running on the computer. In the case of interpreters and compilers, the language of the data may be suffic- iently rich for data infection to propagate. But usually the data does not have sufficient semantics to alter other programs or data. Punching the keys on a calculator or microwave are types of data that fall into the latter class. Generalizing the idea a bit, we can see that any computer program is a simulator for some virtual machine. Almost every one of these virtual machines is a more limited machine than the actual computer it is being simulated by. (Possible exceptions: compilers, interpreters, assemblers.) So the idea of exploiting limited functionality for virus prevention is inherent in the use of computer programs. Virus infection from the data angle is never likely to be a problem because it is too difficult compared to good ol' code infection. How do you devise data that makes your accounting package crash your hard disk? And if you CAN, how can it propagate? The virtual machines provided by most computer programs are too limited to be infected. My theory is that virus attacks will almost invariably come from code- altering techniques. If so, calculators, microwaves, and security doors will always be safe because their actual data (code) is permanent and unwriteable. Also: Somebody put forth this scenario earlier: Timed virus crashes a system; Staff loads last dump; Dump crashes system too; Staff loads older dump, etc. until successful. By this time system has lost months of work. Not so; the appropriate response to such a virus attack is to perform the previous actions until a working system is found, then to reset the system clock to sometime in the past and reload your last dump. The recent work can then be salvaged (mostly, hopefully). Even if the virus is counting executions of itself for timing, tape archive formats usually allow selective retrieval of data; once a successful system is found, the latest data can be undumped and cleaned up. - Jeff Ogata ========================================================================= Date: Tue, 23 Aug 88 00:41:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: ZDABADE@VAX1.CC.LEHIGH.EDU Subject: Virus Immunizer Add Here's a card that I got in the mail that might prove interesting: PREVENT COMPUTER VIRUSES IMMUNIZE (TM) YOUR PC!!! If your computer can talk to the outside world (modems, floppy swaps, etc...), it can also be infected by a "computer virus" planted by an unscrupulous hacker. IMMUNIZE can prevent almost any type of virus from inhabiting your machine, regardless of the method used for infection. IMMUNIZE is available for $99.95, with this card only (regularly $149.95), and comes with an UNCONDITIONAL GUARANTEE! We will refund your money at any time in the next FIVE YEARS if you are unsatisfied, FOR ANY REASON WHATSOEVER. For further information, or to order IMMUNIZE, CALL TOLL FREE (800) 825-6600 Remote Technologies A Missouri Corporation 3612 Cleveland Avenue Saint Louis, Missouri 63110 --------------------------------------------------------------------- This is NOT a plug for this company, only a discussion. What do you all out there think about a company that promises so much??? David /-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\ | From: David A. Bader, Studentis Maximus | | | | DAB3@LEHIGH SloNet: 1402 Lorain Avenue | | ZDABADE@VAX1.CC.LEHIGH.EDU Bethlehem, Pa. 18018 | | HACK!DAB@SCARECROW.CSEE.LEHIGH.EDU | | | | SchoolNet: Box 914, -On a mostly harmless | | Lehigh University, blue green planet... | | Bethlehem, Pa. 18015 -And loving it! | \________________________________________________________________________/ ========================================================================= Date: Tue, 23 Aug 88 02:37:15 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Steve <XRAYSROK@SBCCVM> Subject: Openness; Viruses and Software Companies; Insurance I can understand trying to keep virus-writing technology under wraps, because if no one understands how to write a virus, there probably won't be any viruses. But it's too late. The concept is already out and its feasibility has been amply demonstrated. It's naive to think that I or anyone else couldn't write a virus without 'details' supplied from someone else (the 'details' are already there and freely available in the form of programmer's manuals). I personally don't feel I would need *any* help writing a virus if that's what I set my heart on doing (but I don't want to and I have better things to do). On the other hand I think that the fewer people there are who understand the guts of viruses, the fewer there will be who will write anti-virus programs. I may be wrong, but I think you need to know more to write an anti-virus program (like what viruses are out there and how they work) than you need to know to write a virus. As far as the origins of PC viruses are concerned, one has to ask if there is anyone out there who can reap financial gains from viruses. The answer is yes. Companies that sell software are competing with freeware. If they can make people afraid of freeware (because of risk of virus infection), then they can sell more software (including the antidote for particular viruses, including any they may have written and released themselves in trojan-horse freeware or apparently pirated versions of their own software). Would a software company resort to such tactics? What are the risks of such a company getting caught by someone tracing trojan-horse freeware back to it? About virus insurance... I tend to think of insurance companies as only slightly better than virus-writers. Because viruses are so new and because it's so hard to predict what the future holds in the way of new and innovative viruses I would expect the rates to be astronomical, with how astronomical depending on what the machine was being used for and what you expected the insurance company to protect you from (financial loss due to loss of records [*that* could get expensive!]? the cost of having your system cleaned and up and running again after a virus attack?). However, the rates would undoubtably improve significantly if the insurance company imposed on the insured the simple common-sense hygiene of the type that Ken recommended (rotating backups, etc.), which I think is by far the best insurance, and/or imposed virus detection/prevention measures. Steven C. Woronick | An extrapolation of its present rate of Physics Dept. | growth reveals that in the not too distant SUNY @ Stony Brook | future, Physical Review will fill bookshelves Stony Brook, NY 11794 | at a speed exceeding that of light. This | is not forbidden by relativity, since no 516-632-8133 | information is being conveyed. ========================================================================= Date: Tue, 23 Aug 88 08:01:38 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Ken van Wyk <luken@SPOT.CC.LEHIGH.EDU> Subject: Re: Virus Immunizer Add In-Reply-To: Your message of Tue, 23 Aug 88 00:41:00 EST > comes with an UNCONDITIONAL GUARANTEE! We will refund your money at any time > in the next FIVE YEARS if you are unsatisfied, FOR ANY REASON WHATSOEVER. Pretty impressive claim, if they can stand behind it, and if they exist five years from now... > This is NOT a plug for this company, only a discussion. What > do you all out there think about a company that promises so much??? It's a good topic of discussion, but I would have preferred it if no specific company names were mentioned. I'd appreciate everyone's cooperation on keeping this, and other future discussions, non-commercial - please. This list originates on BITNET, and we must adhere to their non-commercial guidelines. Thanks. Anyway, I'm always a little bit wary of companies that promise the world, as it were. I'd be willing to bet that the fine print in the product's manual (if there is one) was a little bit more, er, specific than the add that you got in the mail. Perhaps not, but that would certainly be the exception, not the rule. Ken Kenneth R. van Wyk Calvin: Dad, can I have a flame thrower? User Services Senior Consultant Dad: Of course not! Lehigh University Computing Center Calvin: Even if I don't use it in the Internet: <luken@Spot.CC.Lehigh.EDU> house?!!! BITNET: <LUKEN@LEHIIBM1> ========================================================================= Date: Tue, 23 Aug 88 08:10:43 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Ken van Wyk <luken@SPOT.CC.LEHIGH.EDU> Subject: Re: Openness; Viruses and Software Companies; Insurance In-Reply-To: Your message of Tue, 23 Aug 88 02:37:15 EDT > As far as the origins of PC viruses are concerned, one has to ask if > there is anyone out there who can reap financial gains from viruses. Of course! Let's remember that a virus need not be overtly destructive; it may merely wish to alter data, or perhaps even extract data. A hypothetical scenario could be: company A wishes to give competitor company B a bad name, so they covertly release a virus which infects company B's product - not to destroy it per se, but to have it give intermittently incorrect results, thereby destroying its credibility. Ken ========================================================================= Date: Tue, 23 Aug 88 09:03:59 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Joe McMahon <XRJDM@SCFVM> Subject: Re: distribution In-Reply-To: Message of Mon, 22 Aug 88 13:54:53 EDT from <luken@SPOT.CC.LEHIGH.EDU> Anyone who has been running with the University of Chile as their closest backbone server may have noticed bizarre things lately. There were some problems; the newest node list changes the weights of the link to try to keep North American mail from going to South America first (and getting delayed). --- Joe M. ========================================================================= Date: Mon, 22 Aug 88 21:00:00 SST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: ANYONE@ISS.NUS.AC.SG Subject: REFERENCE TO PUBKEY MAILING LIST A RECENT VIRUS-L MSG MENTIONED A PUBLIC KEY CRYPTO MAILING LIST. I TRIED TO MSG THE NAME THAT WAS QUOTED AND GOT MY MSG BOUNCED. ANYBODY HAVE ANY FURTHER INFO ON PUBKEY??? /JC ON JIM@ISS.NUS.AC.SG ========================================================================= Date: Tue, 23 Aug 88 09:12:43 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Joe McMahon <XRJDM@SCFVM> Subject: Re: Openness; Viruses and Software Companies; Insurance In-Reply-To: Message of Tue, 23 Aug 88 02:37:15 EDT from <XRAYSROK@SBCCVM> On openness: I agree that there are people who are intelligent enough to write viruses without help. However, it is pretty much certain that the nVIR Mac virus was created by someone who took the "sample virus" from CompuServe and turned it into a real nuisance. On viruses and software companies: We can even go better than Company A trying to discredit Company B; the Scores virus was apparently constructed specifically to damage and discredit a program or programs wriiten for some unnamed government installation by a disgruntled employee. --- Joe M. ========================================================================= Date: Tue, 23 Aug 88 10:06:25 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Ken van Wyk <luken@SPOT.CC.LEHIGH.EDU> Subject: Administravia Several readers have pointed out to me recently that they've been receiving two (or more) copies of VIRUS-L mail. I've just confirmed that Lehigh's mailer is only sending out one copy of each mailing, so some gateway or other node along the way must be doing some selective duplication. Hopefully, the situation will be cleared up in the near future. I apologize for any inconvenience. Ken Kenneth R. van Wyk Calvin: Dad, can I have a flame thrower? User Services Senior Consultant Dad: Of course not! Lehigh University Computing Center Calvin: Even if I don't use it in the Internet: <luken@Spot.CC.Lehigh.EDU> house?!!! BITNET: <LUKEN@LEHIIBM1> ========================================================================= Date: Tue, 23 Aug 88 10:11:30 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "William A. MacDonald" <O1BILL@AKRONVM> Subject: virus info I would like to recieve information on viruses. A student here at Akron is working on a report and I read some of the listings he recieved from this listserver. The topic was very interesting and so I would like to recieve all the listings that I can so that I may read them when I can. thank you. Bill MacDonald ========================================================================= Date: Tue, 23 Aug 88 13:36:51 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "David A. Bader" <DAB3@LEHIGH> Subject: Releasing viruses > As far as the origins of PC viruses are concerned, one has to ask >if there is anyone out there who can reap financial gains from viruses. >The answer is yes. Companies that sell software are competing with >freeware. If they can make people afraid of freeware (because of risk >of virus infection), then they can sell more software (including the >antidote for particular viruses, including any they may have written >and released themselves in trojan-horse freeware or apparently pirated >versions of their own software). Would a software company resort to h > such tactics? What are the risks of such a company getting caught by >someone tracing trojan-horse freeware back to it? This is an interesting origin of viruses. I have heard of this type of virus/trojan horse in a specific case (which I won't mention because it might discredit the company associated with it more than necessary). Incidently, the bad code WAS traced back to the original company because their company name and phone number were located in the executable code... (How's that for doing something stupid??) Anyway, what do *you* think about the idea that software firms might be releasing damaging code in order to discredit other packages and increase their sales while wreaking havoc on *our* machines?!? Do *you* think that this mentality is incorporated into the scheme of selling more software??? David A. Bader DAB3@LEHIGH ========================================================================= Date: Tue, 23 Aug 88 13:39:40 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Anti-Viral Package Claims The company who made the claim of money-back for 5 years isn't stupid by any means. Do you know the percentage of people who actually send for their money back is incredibly small. Its a selling gimic. Besides, a company can set itself up as an S corporation, sell a lot of product, declare bankrupcy and disappear and you can't go after any member of that company with a lawsuit. Also, I agree this is not a place to sell products, but I still think we should mention names of some products so we know what really has problems, like the flushot bugs that have marred it over the past few months. Loren ========================================================================= Date: Tue, 23 Aug 88 13:49:58 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "David A. Bader" <DAB3@LEHIGH> Subject: Flushot bugs >Also, I agree this is not a place to sell products, but >I still think we should mention names of some products so >we know what really has problems, like the flushot bugs >that have marred it over the past few months. Speaking of Flushot bugs... Hasn't *ANYONE* out there tried FluShot Plus 1.4??? I am having one type of problem with it (bug?), but because no one else out there tries such software, I am not sure if it is a *major* bug that everyone is experiencing, or just my bug. The only problem that I have encountered since using it for almost a month is that when I read a floppy disk (and only about 80% of the time) I get a TSR screen from FSP+ telling me that CMOS is being changed. Question: Does anyone know if reading a floppy drive DOES in fact change CMOS memory in an AT??? David A. Bader DAB3@LEHIGH ========================================================================= Date: Tue, 23 Aug 88 13:53:30 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Ken van Wyk <luken@SPOT.CC.LEHIGH.EDU> Subject: Re: Anti-Viral Package Claims In-Reply-To: Your message of Tue, 23 Aug 88 13:39:40 EDT > Besides, a company can set itself up as an S corporation, > sell a lot of product, declare bankrupcy and disappear and > you can't go after any member of that company with a lawsuit. Sad, but true. > Also, I agree this is not a place to sell products, but > I still think we should mention names of some products so > we know what really has problems, like the flushot bugs > that have marred it over the past few months. Product names in the context of objective reviews from people with no vested interest in the product is perfectly acceptable. Reprints of advertisements, however, must be discouraged. On another note, I believe that the mail duplication problem reported earlier is isolated to BITNET. If anyone reading this is getting multiple copies on Internet (or elsewhere), please take a look at your message header. Is it going through the ARPA gateway at CUNYVM? If so, then the message is travelling through BITNET for a short distance before hitting the ARPAnet/Internet and the problem would be isolated between here and CUNY. If someone on the ARPA/Internet who is getting duplicate messages could send me a copy of one of their mail headers, I'd appreciate it. If someone on ARPA/Internet could confirm to me that they're *not* getting multiple messages, I'd appreciate that too. Networks are great...when they work. Heavy sigh. Ken Kenneth R. van Wyk Calvin: Dad, can I have a flame thrower? User Services Senior Consultant Dad: Of course not! Lehigh University Computing Center Calvin: Even if I don't use it in the Internet: <luken@Spot.CC.Lehigh.EDU> house?!!! BITNET: <LUKEN@LEHIIBM1> ========================================================================= Date: Tue, 23 Aug 88 13:55:47 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> Comments: In-Reply-To: Poster of 23 Aug 88 EST from ZDABADE at VAX1.CC.LEHIGH.EDU From: Otto Stolz +49 7531 88 2645 <RZOTTO@DKNKURZ1> Subject: Virus Immunizer Add > GUARANTEE! We will refund your money at any time So, what do they promise at all: that they will give back what they've taken from you before -- and only if you take the pains to write to them. Let's suppose that the refunding will cost them 10 bucks (for banking charges, man power, perhaps a diskette lost). Then they will still prosper, if at most 90% of their customers want the money back. > if you are unsatisfied, FOR ANY REASON WHATSOEVER. And from the reasons you state, they will gain insight on how to improve their product. Otto ========================================================================= Date: Tue, 23 Aug 88 14:00:56 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: The Yale Virus - Revealed Okay, We've spent the last few hours going over the Yale virus (Actually, Chris Bracy is still playing with it right now!) and we've come up with some preliminary conclusions. It isn't the Brain virus. At least as far as it isn't the code that WE have that is called the Brain virus, and I believe we have the original form. I think its an act-a-like. Someone tried to recreate the virus without having the original to study from. Its a boot-sector virus which infects both system and data disks. It infects only on boot-up. If you cold boot an infected disk, it loads the virus; if you then warm boot the machine, it infects whatever is in the A: drive. If the disk in the A: drive is already infected, it does nothing. It traps Int 9 and Int 19. Int 9 is the keyboard interrupt and Int 19 is the reboot interrupt. When it infects the disk, it copies the original boot sector to sector eight (the ninth sector). It also traps <ctr> <alt> <I> (the key configuration that changes the number of lines on a screen). There is also a section of code which is an exact format of 1 track of a disk, EXCEPT the Int 13 isn't there, so this section of code never does anything. Also, there is a generation counter. I believe this is an early version of a virus that someone planned to release. I'm not sure if the final version was released, and I'm not sure this virus is limited to Yale. I don't believe it is limited to Yale. I believe that the final version of the virus, after a period of time, would trigger itself to reformat someone's disk tracks. As we finish going over the code, we'll be back to you with any new info. Loren Keim and Chris Bracy ========================================================================= Date: Tue, 23 Aug 88 14:10:56 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Viruses in the Mail I'd like to thank everyone to date who has sent me copies of their particular viruses. Its interesting to go over them and try to figure out if they are advanced versions of other viruses floating around out there that we may be able to stop. For anyone sending them to me in the future, however, please LABEL them as viruses. Receiving brown paper wrappers of unlabelled disks in the mail is scary. Recently when Yale sent me some material to look at, they marked the disk "BAD VIRUS - DO NOT BOOT". That was great, and one of the few times someone has marked it for me. We generally place viruses on red disks and put a "Mister Yuck" sticker on them as well as labelling them viruses. Its easier to separate them. In the future, its dangerous to be sending viruses around, so we do discourage it, BUT if anyone wants us to work on theirs (this is not an ad, I don't get paid for it) I'd like to change the address they've been going to. Send them to P.O. Box 2423, Lehigh Valley Pa, 18001. This will make it easier for me to separate what are viruses and what are not. Also, if you send me something, please send me some background information, "I found it ____, and it infected ___ disks, on ___ date" or "I wrote this for you to look at" and so on. I've found a lot of programs that I can't trace back anywhere because all I've gotten is a disk and a postmark. As for sending disks around, we can better control who has copies or reviews the virus in a conference situation, so I'd prefer people see them there. I don't intend on sending out copies of the Lehigh Virus or the Brain Virus (which I've received NUMEROUS calls for) unless you are "okay'd" by the government or have a real need for something. Otherwise, we can discuss it at the conference. Thanks, Loren Keim ========================================================================= Date: Tue, 23 Aug 88 14:12:15 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Computer Law Some legislation regarding computer security that people may want to check on: Public Law 93-579 Privacy Act of 1974. Goldwater-Koch Bill (HR 1984) Loren Keim ========================================================================= Date: Tue, 23 Aug 88 14:08:11 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Jim Marks <JMARKS@GTRI01> Subject: Re: Mail Order In-Reply-To: Message of Mon, 22 Aug 88 16:10:00 EDT from <NEWTON@NBSENH> I, too, have been getting unusual distributions. Just now, I got second (at least) copies of 3 entries from last week (from Ken, Amanda Rosen, and Loren). I don't know what mailer is doing this. I believe I get my stuff straight from the mailer at LEHIGH, but I don't really know how all the distribution works. ========================================================================= Date: Tue, 23 Aug 88 14:32:21 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Yale Virus Correction Excuse me, I didn't fully explain where the boot sector was put by the Yale Virus. It is put on Sector 8 of Track 40, EVEN if it is an 80 track disk. Even more interesting is that it doesn't mark this sector as being bad. If something is in this sector, it doesn't check, it just writes right over it. Loren ========================================================================= Date: Tue, 23 Aug 88 13:38:01 CST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Claudia Lynch <AS04@UNTVM1> Subject: Re: distribution In-Reply-To: Message of Mon, 22 Aug 88 07:54:16 EDT from <OGATA@UMDD> I, too, have had strange things happening with my mail from the virus list. In my case, I have been receiving duplicates of things. Any thoughts on this matter? Claudia Lynch Academic Computing Services University of North Texas Denton, Texas ========================================================================= Date: Tue, 23 Aug 88 15:05:41 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Scary Fact about the Yale Virus Here is something that should scare people about viruse propogation. The version of the Yale virus that we have tells us that it is the 15th generation of the virus. There is a counter that keeps this information. (The value of the counters found at Yale were 212 through 215). Figuring that each copy made 2 of itself and knowing how it figures out its own generation, the number of copies out there is about 15 2 which translates into an aweful lot of copies of this virus if these figures are correct, and means that Yale was not the first place to encounter this virus. A way to tell if you have the virus, when you warm reboot, the screen is set to 40 column mode for a split second. Watch for it folks, Loren ========================================================================= Date: Tue, 23 Aug 88 16:22:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Chris Bracy <KCABRAC@VAX1.CC.LEHIGH.EDU> Subject: Slight correction on Yale Virus. The generation on my disk is 15 hex not decimal. Also the note I saw said they didnt find any earlier than 12H. This would seem to indicate that either it didnt start at 0, or there is a good chance it didnt start at Yale. We're interested in finding out more about where it did come from, so here are some specifics on spotting it... On computers with CGA adapters on a warm boot when it infects a disk (or attempts to infect and doesn't) it will put the screen into 40 column mode for about a second (on an 8Mhz PC). The generation count is a word located at 1F8 into the code. (Into the boot sector). Also it doesnt overwrite (re-infect) itself. Chris. *==============================*======================================* | Chris A. Bracy | Student Consultant | | (215) 758-4141 | Lehigh University Computing Center | | Kcabrac@Vax1.cc.Lehigh.Edu | Fairchild Martindale Bldg. 8B | | Kcabrac@LehiCDC1.Bitnet | Lehigh University | | CAB4@Lehigh.Bitnet | Bethlehem, PA 18015 | *==============================*======================================* ========================================================================= Date: Tue, 23 Aug 88 16:28:31 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "David A. Bader" <DAB3@LEHIGH> Subject: Re: Viruses in the Mail >As for sending disks around, we can better control who has >copies or reviews the virus in a conference situation, so I'd >prefer people see them there. I don't intend on sending out >copies of the Lehigh Virus or the Brain Virus (which I've received >NUMEROUS calls for) unless you are "okay'd" by the government >or have a real need for something. Otherwise, we can discuss >it at the conference. > >Thanks, > >Loren Keim How can you ask for an OKAY from the government on people??? Who okay's you to receive these viruses? Living in the same city as you, it scares me, and the rest of the computing vicinity, that these viruses are being so uncarefully handled. I just hope that my brother hasn't used any floppy disks that you might have handed him in conjunction with my computer.... If you *really* wanted to educate us, you would make a fact sheet about *all* the viruses you know of (containing infection schemes, sizes, generations, geographical siting, detection of, remedies, etc.) and let the discussion list add to it. Also, what is the synopsis of Goldwater-Koch Privacy Act?? If you like, I have pages and pages of government document references on computer security type subjects and maybe we can compile a "government revue" on viruses and such together. David A. Bader DAB3@LEHIGH ========================================================================= Date: Tue, 23 Aug 88 18:13:04 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Jim Marks <JMARKS@GTRI01> Subject: Re: Virus Immunizer Add In-Reply-To: Message of Tue, 23 Aug 88 00:41:00 EST from <ZDABADE@VAX1.CC.LEHIGH.EDU> Well, that is certainly a pretty impressive CLAIM. However, after reading (usually passively) a good deal of the postings here on the list, I would tend to think it a little optimistic. Of course, it is hardly the first such claim in computer software advertising. At $99, I would hope the program would be fairly sophisticated and useful in preventing many (or at least some) viral infections. However, I believe that ANY security scheme can be broken with enough effort. About the only ABSOLUTE security (if there is such a thing) wwould be physical security of the system, with only the use of material (program OR data) which had been verified to be virus- (or other type bug-) free. And that even probably isn't possible. As for the liberal money-back guarantee: it may be good, but it is only as good as the company. In other words, it can be like the "life-time" member- ship to the health spa that goes out of business 6 months after you join; the problem is in the definition of "lifetime". ========================================================================= Date: Tue, 23 Aug 88 19:05:53 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Jim Marks <JMARKS@GTRI01> Subject: Re: Anti-Viral Package Claims In-Reply-To: Message of Tue, 23 Aug 88 13:39:40 EDT from <LKK0@LEHIGH> That is a good point about whether the money-back guarantee is really worth anything. The redemption rate on such guarantees is, I believe, quite low in most all fields. The computer software field is probably no different. As to the lifetime of computer software firms, we KNOW that this is in many (probably most) cases quite short. Therefore, there is a good chance the firm won't be around for 5 years. As to selling software here; it is not appropriate. What IS appropriate is for users of software reporting (positively or negatively) on how it performs. Of course, its human nature that we usually hear more of the negative. (Or it could be just that there IS more negative when it comes to the vast array of software). ========================================================================= Date: Tue, 23 Aug 88 19:58:56 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Controlled Study of Viruses David Bader: > Living in the same city as you, it scares me, and the rest > of the computer vicinity, that these viruses are being so > uncarefully handled. I am very offended. We take the utmost care in isolating virus programs and in studying them. We set up a computer in my Coopersburg office (which you should be familiar with) which is connected to nothing whatsoever so that we can play with them in a controlled environment. We have no programs on disk there, and nothing gets transfered from there so there is no risk of propogation. I debated whether to send this directly to David or to the entire list, and I feel that the list should know that we NEVER compromise on security. I had just gotten through explaining that some of the people who have submitted viruses to us should be more careful about how they are sent, and that we will not give out copies of the Lehigh virus or Brain virus, and you tell me that the computing vacinity is scared of me? I just want to make sure that no one accuses me of the same thing Fred Cohen has been accused of countless times. I do not test viruses on public machines, only dedicated machines which are connected to NOTHING whatsoever. > If you *really* want to educate us, you would make a fact > sheet about *all* the viruses you know of (containing > infection schemes, sizes, generations, geographical > siting, detection of, remedies, etc.) As I said about two weeks ago on this list, and we discussed it at length, I am putting together such a list. One of the reasons we are getting viruses in the mail is because people are helping me to add to the list. We debug them, figure out what makes them tick, compare them to similar viruses and do a write up on them for the list of viruses. Unfortunatly, this list is taking longer than anticipated. Once again, however, I would like to ask anyone to send me information about their virus sitings, please be specific. Please forgive the rather angry tone, I don't like being accused of viral propogation... at least not after all the work I have gone through to make certain nothing propogates. Loren ========================================================================= Date: Tue, 23 Aug 88 21:05:57 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: David.Slonosky@QUEENSU.CA Subject: REFERENCE TO PUBKEY MAILING LIST In-Reply-To: <QUCDN.X400GATE:LUirqLW7*> >A RECENT VIRUS-L MSG MENTIONED A PUBLIC KEY CRYPTO MAILING LIST. >I TRIED TO MSG THE NAME THAT WAS QUOTED AND GOT MY MSG BOUNCED. >ANYBODY HAVE ANY FURTHER INFO ON PUBKEY??? > >/JC ON JIM@ISS.NUS.AC.SG Yeah, I had the same problem. Maybe if the author of the original item is reading these notes, then they could help out. Was the address a BITNET address, or what? David Slonosky/QueensU/CA,"",CA | Know thyself? | <SLONOSKY@QUCDN> | If I knew myself, I'd run away. | ========================================================================= Date: Tue, 23 Aug 88 21:07:02 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: David.Slonosky@QUEENSU.CA Subject: Openness; Viruses and Software Companies; Insurance In-Reply-To: <QUCDN.X400GATE:LUg9KGgJ*> > As far as the origins of PC viruses are concerned, one has to ask if >there is anyone out there who can reap financial gains from viruses. >The answer is yes. Companies that sell software are competing with >freeware. If they can make people afraid of freeware (because of risk >of virus infection), then they can sell more software (including the >antidote for particular viruses, including any they may have written and >released themselves in trojan-horse freeware or apparently pirated >versions of their own software). Would a software company resort to such >tactics? What are the risks of such a company getting caught by someone >tracing trojan-horse freeware back to it? > > >Steven C. Woronick >Physics Dept. >SUNY @ Stony Brook >Stony Brook, NY 11794 What an evil thought, which means there's a good chance it's happened at least once. Talk about your market forces... David Slonosky/QueensU/CA,"",CA | Know thyself? | <SLONOSKY@QUCDN> | If I knew myself, I'd run away. | ========================================================================= Date: Wed, 24 Aug 88 00:30:01 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: David.Slonosky@QUEENSU.CA Subject: Computer Virus Research Is the academic based research of computer viruses a big thing in the States? In Canada? Anywhere? By "academic based", I mean is there a specific portion of a university computing science department devoted to unravelling the code of these things, inventing security measures to prevent their spread, hiring graduate students to write/examine them, applying to major industries for grants to combat them, and so on. Just curious. If this violates national security or something, then you don't have to tell me. Is Lehigh like this? All the contributors have obviously been exposed to the Lehigh virus or know of it. David Slonosky/QueensU/CA,"",CA | Know thyself? | <SLONOSKY@QUCDN> | If I knew myself, I'd run away. | ========================================================================= Date: Wed, 24 Aug 88 01:36:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: ZDABADE@VAX1.CC.LEHIGH.EDU Subject: RE: Re: Virus Immunizer Add When you discuss a package such as the IMMUNIZER for a hundred bucks, how can it have as much sophistication and road testing as FluShot (for free)??? And we *know* how many problems Ross Greenberg has had with getting FSP to work with ALL types of systems... David /-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\ | From: David A. Bader, Studentis Maximus | | | | DAB3@LEHIGH SloNet: 1402 Lorain Avenue | | ZDABADE@VAX1.CC.LEHIGH.EDU Bethlehem, Pa. 18018 | | HACK!DAB@SCARECROW.CSEE.LEHIGH.EDU | | | | SchoolNet: Box 914, -On a mostly harmless | | Lehigh University, blue green planet... | | Bethlehem, Pa. 18015 -And loving it! | \________________________________________________________________________/ ========================================================================= Date: Wed, 24 Aug 88 01:42:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: ZDABADE@VAX1.CC.LEHIGH.EDU Subject: RE: Controlled Study of Viruses Loren, You seem fine with a word processor, but how do people *really* know that what you say is true and that you would *never* spread a virus??? I mean sending an unknown person a lot of viruses is a potential for danger. I know you and know that you would never release a virus on any system, but can you see the situation that would arise if someone else out there also got a copy of the viruses "to study" but instead had other plans for them! As it stands, sending you viruses HAS to be a weak link in security because I doubt that most of the places sending to you have even met you in person. David /-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\ | From: David A. Bader, Studentis Maximus | | | | DAB3@LEHIGH SloNet: 1402 Lorain Avenue | | ZDABADE@VAX1.CC.LEHIGH.EDU Bethlehem, Pa. 18018 | | HACK!DAB@SCARECROW.CSEE.LEHIGH.EDU | | | | SchoolNet: Box 914, -On a mostly harmless | | Lehigh University, blue green planet... | | Bethlehem, Pa. 18015 -And loving it! | \________________________________________________________________________/ ========================================================================= Date: Wed, 24 Aug 88 01:49:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: ZDABADE@VAX1.CC.LEHIGH.EDU Subject: RE: Computer Virus Research >Just curious. If this violates national security or something, then >you don't have to tell me. Is Lehigh like this? All the contributors >have obviously been exposed to the Lehigh virus or know of it. I assume that most of the Lehigh students, graduates, and staff members at Lehigh University who subscribe here are interested in the Lehigh virus because it was a new curiosity for us to explore. David /-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\ | From: David A. Bader, Studentis Maximus | | | | DAB3@LEHIGH SloNet: 1402 Lorain Avenue | | ZDABADE@VAX1.CC.LEHIGH.EDU Bethlehem, Pa. 18018 | | HACK!DAB@SCARECROW.CSEE.LEHIGH.EDU | | | | SchoolNet: Box 914, -On a mostly harmless | | Lehigh University, blue green planet... | | Bethlehem, Pa. 18015 -And loving it! | \________________________________________________________________________/ ========================================================================= Date: Wed, 24 Aug 88 14:04:06 MEZ Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Konrad Neuwirth <A4422DAE@AWIUNI11> Subject: Question i have a question just out of curiosity. Whaat happens if i have a virus (not knowing it), and a secund virus comes to infect the system, too ? Do I get virus wars? Does one kill the other ? do both work on my system and kill it? Do both write themselves on new disks? thank you /konrad ========================================================================= Date: Wed, 24 Aug 88 08:19:54 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Ken van Wyk <luken@SPOT.CC.LEHIGH.EDU> Subject: Re: Question In-Reply-To: Your message of Wed, 24 Aug 88 14:04:06 MEZ > i have a question just out of curiosity. > Whaat happens if i have a virus (not knowing it), and a secund virus comes > to infect the system, too ? Do I get virus wars? Does one kill the other ? > do both work on my system and kill it? Do both write themselves on new disks? That all depends on how the two viruses function. For example, if one of the two viruses infects the boot track and another appends itself onto executable files, then it's certainly possible to have two active viruses on one system. Each one would act independently of the other. If they both infect the boot track, however, then the results would depend on how "well" each virus is written. That is, if they go to great extremes to make sure that the existing boot track is stored in an unused place, and that it gets executed normally, then it's possible that both would function normally. It would seem more likely, however, that the end result would be a no-longer-bootable disk... The bottom line is that it depends on how the two viruses were written. Ken Kenneth R. van Wyk Calvin: Lets see what happens if we cook User Services Senior Consultant popcorn without a lid! (POP!) Lehigh University Computing Center Calvin: Wow, that's more fun than Internet: <luken@Spot.CC.Lehigh.EDU> exploding a potato in the microwave! BITNET: <LUKEN@LEHIIBM1> Hobbes: Lets do some more! ========================================================================= Date: Wed, 24 Aug 88 09:49:10 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Joe McMahon <XRJDM@SCFVM> Subject: Re: Virus Immunizer Add In-Reply-To: Message of Tue, 23 Aug 88 18:13:04 EDT from <JMARKS@GTRI01> > ... ANY security scheme can be broken with enough effort. About the only >ABSOLUTE security (if there is such a thing) would be physical security of >the system... Laugh if you wish, but in this month's MacUser, I saw an ad for something that locks down over the floppy slot on a Mac SE to keep people from putting potentially nasty diskettes into it. I suppose if you unplug the modem and are sure the hard disk is clean, it'll stay clean, but it still gives me a bit of a chuckle...Rampant paranoia, anyone? I can see some poor sucker whose boss has started seesing viruses crawling out from under the furniture getting one and refusing to take it off... :-). --- Joe M. ========================================================================= Date: Wed, 24 Aug 88 10:04:34 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Joe McMahon <XRJDM@SCFVM> Subject: Re: Question In-Reply-To: Message of Wed, 24 Aug 88 14:04:06 MEZ from <A4422DAE@AWIUNI11> >Whaat happens if i have a virus (not knowing it), and a secund virus comes >to infect the system, too ? Do I get virus wars? Does one kill the other ? >do both work on my system and kill it? Do both write themselves on new disks? I can't say anything about PC viruses, but the Mac viruses I know about would have no trouble with such a situation. The cleanup programs might, though! --- Joe M. ========================================================================= Date: Wed, 24 Aug 88 08:40:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Shawn V. Hernan" <VALENTIN@PITTVMS> Subject: copies Why am I getting *two* copies of all the virus-l postings? Shawn Hernan valentin@pittvms.bitnet ========================================================================= Date: Wed, 24 Aug 88 10:27:54 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Bill MacDonald <O1BILL@AKRONVM> Subject: Dup Mail I have also been recieving the same mail 2 to 3 times. ========================================================================= Date: Wed, 24 Aug 88 10:35:26 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Ken van Wyk <luken@SPOT.CC.LEHIGH.EDU> Subject: More administravia (re: duplicate mail) Heavy sigh! After much experimentation, I've been able to definitively isolate the mail duplication gnome to be hiding between here and the BITNET/ARPANET gateway. It does, however, appear to have been fixed. Please let me know if anyone gets a duplicate of *this* particular message. For anyone who's interested - I tried sending mail directly from LEHIIBM1 (where VIRUS-L originates) to my own Internet account on spot.cc.lehigh.edu. I found that one message was being sent. Also, my own account was only receiving one copy of all VIRUS-L mail. So, the duplication was happening somewhere in BITNET. Next, I received several headers from people receiving duplicate mail (thank you all!) and saw that the headers were all identical. More importantly, though, all of the affected people had similar mail paths. One person told me that mail from other sites was not being duplicated. Since we're on a small "leg" off of the BITNET, chances were pretty good that the problem was somewhere there... Finally, I sent myself mail on my Internet account, but I directed it through the INTERBIT (INTERNET/BITNET) gateway at CUNY. I received a duplicate copy of my own mail. I *suspect* that it was the CUNYVM mailer that was doing it, but I could be wrong. It has been having other problems lately, I'm told. When I again tried my loopback test this morning, I got no duplicate mail, and the mail went through CUNY in a matter of seconds. I believe that the problem is fixed. Once again, I apologize to all who were inconvenienced by this. I hope that we've seen the end of it. Ken Kenneth R. van Wyk Calvin: Lets see what happens if we cook User Services Senior Consultant popcorn without a lid! (POP!) Lehigh University Computing Center Calvin: Wow, that's more fun than Internet: <luken@Spot.CC.Lehigh.EDU> exploding a potato in the microwave! BITNET: <LUKEN@LEHIIBM1> Hobbes: Lets do some more! ========================================================================= Date: Wed, 24 Aug 88 10:38:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: ZDABADE@VAX1.CC.LEHIGH.EDU Subject: RE: Re: Virus Immunizer Add > >> ... ANY security scheme can be broken with enough effort. About the only >>ABSOLUTE security (if there is such a thing) would be physical security of >>the system... >Laugh if you wish, but in this month's MacUser, I saw an ad for something >that locks down over the floppy slot on a Mac SE to keep people from putting >potentially nasty diskettes into it. I suppose if you unplug the modem and >are sure the hard disk is clean, it'll stay clean, but it still gives me >a bit of a chuckle...Rampant paranoia, anyone? I can see some poor sucker >whose boss has started seesing viruses crawling out from under the furniture >getting one and refusing to take it off... :-).> > >--- Joe M. Putting locks on a floppy drive can be sensible in a "big business" type situation to make sure that unauthorized I/O access is disallowed. This security is kind of mirrored in some brands of PCs that have key locks on their frames that won't allow bootup with being "unlocked" first or physically can't be opened (without total destruction of the hardware) without the key. David /-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\ | From: David A. Bader, Studentis Maximus | | | | DAB3@LEHIGH SloNet: 1402 Lorain Avenue | | ZDABADE@VAX1.CC.LEHIGH.EDU Bethlehem, Pa. 18018 | | HACK!DAB@SCARECROW.CSEE.LEHIGH.EDU | | | | SchoolNet: Box 914, -On a mostly harmless | | Lehigh University, blue green planet... | | Bethlehem, Pa. 18015 -And loving it! | \________________________________________________________________________/ ========================================================================= Date: Wed, 24 Aug 88 10:00:30 CDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Frank San Miguel <ACS1S@UHUPVM1> Subject: Re: Openness; Viruses and Software Companies; Insurance In-Reply-To: Your message of Tue, 23 Aug 88 21:07:02 EDT I'd always thought that such a proposition would be a bit preposterous, but in these times, anything goes. You've got a good point. ========================================================================= Date: Wed, 24 Aug 88 10:49:15 CDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Frank San Miguel <ACS1S@UHUPVM1> Subject: Re: copies In-Reply-To: Your message of Wed, 24 Aug 88 08:40:00 EDT You too? In a few cases, I'm getting three of four. ========================================================================= Date: Wed, 24 Aug 88 10:42:37 CDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Frank San Miguel <ACS1S@UHUPVM1> Subject: virus chronology I'm working on a chronology of the virus from John Von Neumann's conception of them in 1948 to the present. I would like to hear from anyone who has any dates, references, or comments concerning this compliation. All submissions are greatly appreciated Frank San Miguel(acs1s@uhupvm1.bitnet) ========================================================================= Date: Wed, 24 Aug 88 10:52:00 CDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Gordon Keegan <C145GMK@UTARLG> Subject: Re: More administravia ... Ken, I just got 2 copies of your message on trying to isolate the source of the duplicate mailings. Sorry about posting to the list but my mailer won't send directly to you. Gordon Keegan c145gmk@utarlg.bitnet University of Texas, Arlington << standard unclaimer >> (I always was getting my prefixes mixed up...) ========================================================================= Date: Wed, 24 Aug 88 17:39:04 GMT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: DECLAN DELAMERE <DELAMERE@IRLEARN> Subject: Re: distribution In-Reply-To: Message of Mon, 22 Aug 88 07:54:16 EDT from <OGATA@UMDD> Ogata et al.: One gets used to receiving messages completely out of sequence when one subscribes to trans-atlantic distribution lists from European nodes!!! :-( D ========================================================================= Date: Wed, 24 Aug 88 12:44:46 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Computer Virus Research Questions David Slonosky: > Is the academic based research of computer viruses a big thing > in the States? In Canada? Anywhere? > By "academic based", I mean is there a specific portion of a > university computer science department devoted to unravelling the > code of these things, ... The group of us that study viruses at Lehigh University are not a section of the computer science department. In the general sense, we have been working in the field as consultants for a number of years. Some of our clients include government bodies. When such a large security problem as the "virus" makes itself known, we have to study it in order to come up with some effective way of combatting it. Its very important that we CAN combat it. David Bader: > I assume that most of the Lehigh students, graduates, and > staff members at Lehigh University who subscribe here are > interested in the Lehigh virus because it was a new curiosity > for us to explore. I highly doubt it. When Chris Bracy, Joe Sieczkowski, Mitch Ludwig and I ran around Lehigh campus for 48 hours trying desperately to stop the virus from spreading (it spread at an incredible rate), we were, as was the Computer Center Staff, more worried about the danger to research at Lehigh. Most of the follow up interest in the virus was money or recognition. Several people came to Lehigh to find out about the Lehigh virus so they could make money from anti virus programs. Several others became involved because of the publicity that came out of the virus. Viruses are a curiosity, but I would rather find a way to stop the curiosity that play with it. As for some questions about national security. We are prohibited by law of giving out certain viruses. We are not allowed to distribute the Lehigh Virus without the "ok" of the government as I am told. I spent some time on the phone quite a while ago with different agencies and that was the general idea. Loren ========================================================================= Date: Wed, 24 Aug 88 12:49:34 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Re: Virus Immunizer Add > When you discuss a package such as the IMMUNIZER for a hundred > bucks, how can it have as much sophistication and road testing > as FluShot (for free)??? Well David, There are quite a few anti-virus programs which sell for 200-400 dollars. The reason some sell for so much is that they are worth more. I believe Ross Greenberg's FluShot is shareware, so I believe he asks you to send in some sum of money. I don't recall it being free. But even if it is, is it worth trying a package that has failed so often before? FS is an interesting package, but it isn't all that powerful in comparison with some of the packages on the market. For a corporate market, often they might want a shell of some kind to make sure nothing comes through. There are packages that have had extensive testing by the NSC I'm told, there are packages that utilize DER encryption schemes which is much better than trying a simple CRC. I would pay at least 5 times as much for a DER encryption than for a CRC scheme. You have to realize that the value of the product is worth what was put into it. Loren ========================================================================= Date: Wed, 24 Aug 88 12:54:16 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Dualing Viruses Konrad, You raised a very interesting question with two viruses on the same machine. Several people, I believe, have already answered the question, but I'd like to point out that the game Corewars is an example of what you are talking about in some ways. For anyone who hasn't played the game Corewars, or seen its write-up a few years back in Scientific American, the idea is to write assembly-like programs which look for other programs and destroy them. People can have programs dual and destroy each other. Its a very interesting and challenging game to come up with the perfect program. Loren Keim ========================================================================= Date: Wed, 24 Aug 88 13:00:31 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Accidently Releasing Viruses > As it stands, sending you viruses HAS to be a weak link > in security because I doubt that most of the places sending > you have even met you in person. If you are so worried about me leaking viruses, please keep your distance. In point of fact, as I said just two days ago, it is unwise to send viruses around. I said that I didn't appreciate the one virus I received in a brown wrapper with no letter and no disk label. This annoyed me. I didn't say "Send me all your viruses". Please look at the context of my letters before you critisize. (I'm taking complaints on my replies to you!) If you don't trust me to handle viruses, that is just fine and isn't the point. I have been called upon to handle viruses in the past, and I was called by one person today who had a problem and I will continue to deal with these viruses. I understand the security risks associated with giving out viruses, that is why people generally send viruses to Fred Cohen or Chris Bracy or me or someone who has dealt with virus problems in the past. Loren ========================================================================= Date: Wed, 24 Aug 88 11:44:51 CDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "James N.Bradley" <ACSH@UHUPVM1> Subject: Re: More administravia (re: duplicate mail) In-Reply-To: Your message of Wed, 24 Aug 88 10:35:26 EDT I got two copies. Jim Bradley ========================================================================= Date: Wed, 24 Aug 88 13:28:10 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Ken van Wyk <luken@SPOT.CC.LEHIGH.EDU> Subject: update on mail duplication woes... :-( Well, it turns out that I jumped the gun a bit when I said that all was fixed. But, then, that's quite apparent by now... It also turns out that several lists are experiencing the same problem right now (according to a LISTSERV group of list maintainers), and no one really knows what the cause is. That doesn't explain why some of my personal mail has been getting duplicated, however... So, until the problem gets fixed (it's quite out of my hands I'm afraid), lets please just try to bear with it. Discussing it on the list only adds insult to injury. Thanks again to everyone who's been sending me headers and additional info! Ken Kenneth R. van Wyk Mom: *RISE AND SHINE, CALVIN!* User Services Senior Consultant Calvin: Mbbgglkjsfdfy! Lehigh University Computing Center Mom: The early bird catches the worm! Internet: <luken@Spot.CC.Lehigh.EDU> Calvin: Great incentive! BITNET: <LUKEN@LEHIIBM1> ========================================================================= Date: Wed, 24 Aug 88 14:06:52 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Otto Stolz +49 7531 88 2645 <RZOTTO@DKNKURZ1> Subject: NETiquette Hello everybody, from all the lists I've subscribed, VIRUS-L delivers by far the most messages per day, and it takes considerable time to keep in pace. Please help all make browsing through all this mail a bit easier and faster. 1. Please discuss technical matters, as distributing problems, privately with the list owner -- Ken Van Wyk <LUKEN at LEHIIBM1> and perhaps Jim Eshleman <LUJCE at LEHIIBM1>, in this case -- and do NOT bother every subscriber with it. When Ken needs evidence from other sub- scribers, he will certainly tell us so (that makes one note instead of a dozen). 2. Please use the subject field sensibly. When you report/discuss details prevalent to a specific brand of hardware or software, please indicate so in the Subject field. In many cases, I could figure out this indispensible bit of information hardly, or even not at all. You could do it e.g. in this way: > Subject: Super-duper Virus Killer available (MS-DOS) So all Mac userers could discard this one, immediately. (I'd appreciate especially, if this scheme worked the other way :-) Please keep discussion on this (technical) suggestion at a minimum, and no flames, please. Thanks! Otto Stolz ========================================================================= Date: Wed, 24 Aug 88 13:42:34 CST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: James Ford <JFORD1@UA1VM> Subject: Hard Disks I have questions (gee..what a suprise!) If you formatted your hard disk into several partitions, and had one partition just for COMMAND.COM, IBMBIOS.COM, IBMDOS.COM, CONFIG.SYS, etc...., how effective would that be in slowing down the spread of virii? If you ran MIRROR (or something similar) for your extended DOS partition (which is logical drive "D" now), how effective would this be for restoring any data that was destroyed? If you ran MAPMEM (which shows hooked vectors), could you see what vectors a virus might have hooked for itself? Could you then free up that portion by using RELEASE on it? (assuming you ran MARK first.....) Ken, I am still receiving 2 of every file....however, the time interval has increased from seconds to around 35 minutes between each file. James Ford Suggestive maintance: JFORD1@UA1VM "Gee, I wish it would work...." ========================================================================= Date: Wed, 24 Aug 88 13:31:20 CDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Len Levine <len@EVAX.MILW.WISC.EDU> Subject: Re: Controlled Study of Viruses In-Reply-To: Message from "Loren K Keim -- Lehigh University" of Aug 23, 88 at 7:58 pm >> Living in the same city as you, it scares me, and the rest >> of the computer vicinity, that these viruses are being so >> uncarefully handled. > >I am very offended. We take the utmost care in isolating >...(material deleted) > >Please forgive the rather angry tone, I don't like being >accused of viral propogation... at least not after all the >work I have gone through to make certain nothing propogates. > >Loren > Do not be offended, I also wondered how I could become government approved in order to receive copies of these viruses. Who is in charge? Why? If you want to hold these viruses close to your chest, then just say so. I have no problem with that. However do not imply that there is some sort of agency that you are connected with that checks up to see who is worthy. There is no such agency. + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + | Leonard P. Levine e-mail len@evax.milw.wisc.edu | | Professor, Computer Science Office (414) 229-5170 | | University of Wisconsin-Milwaukee Home (414) 962-4719 | | Milwaukee, WI 53201 U. S. A. Modem (414) 962-6228 | + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ========================================================================= Date: Thu, 25 Aug 88 09:27:00 H Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Living on a Prayer <WONGKOKH@NUSDISCS> Subject: Dup Mails How about receiving the same mail 5 times !!?? And IBMPC-L digest is no small file. This is really very unhealth for the net. Marvin Wong ! Never assume for it will make wongkokh@nusdiscs ! an ASS out of U and ME csc30001@nusvm ! National University of Singapore ! Department of Information Systems and Computer Science ========================================================================= Date: Wed, 24 Aug 88 15:34:39 CDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Frank San Miguel <ACS1S@UHUPVM1> Subject: Re: Openness; Viruses and Software Companies; Insurance In-Reply-To: Your message of Tue, 23 Aug 88 21:07:02 EDT Don't know if you heard this one, but here is something that sounds like what you were saying. Softgaurd Corp. was caught distributing a virus called SUG. SUG was advertised as a copy-protection breaker of Softguard products. Instead, the program scrambled FATs in an IBM; from drive A to the highest drive. Softguard claimed that since users trying out the program were breaking a licensing agreement, the company had the right to destroy data. Softgaurd's going to court. Frank San Miguel(acs1s@uhupvm1) ========================================================================= Date: Thu, 25 Aug 88 08:23:18 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Ken van Wyk <luken@SPOT.CC.LEHIGH.EDU> Subject: Re: Hard Disks In-Reply-To: Your message of Wed, 24 Aug 88 13:42:34 CST > If you formatted your hard > disk into several partitions, and had one partition just for COMMAND.COM, > IBMBIOS.COM, IBMDOS.COM, CONFIG.SYS, etc...., how effective would that be > in slowing down the spread of virii? Not very effective at all, by itself. There is at least one anti-virus device which can (hardware) write protect a range of cylinders on your hard disk (i.e., a partition). It would definitely reduce the threat of a virus spreading if you could put your system files (and as many executables, overlays, etc.) on a write protected device like that. The problem is that it's not to convenient to use, and you should really understand what you're doing while you have the disk not write-protected. That is, while installing software on that partition, you're as open as ever to virus contamination. > If you ran MAPMEM (which shows hooked vectors), could you see what vectors > a virus might have hooked for itself? Could you then free up that portion by > using RELEASE on it? (assuming you ran MARK first.....) Sometimes. MAPMEM, by itself, only reports the most recently run program that is taking any one interrupt vector. That is, if two programs took INT 13H, then only the second one run would be reported. There is an accompanying (I think in the same package, by TurboPower Software) program called WATCH which causes MAPMEM to show all programs which have taken any particular interrupt. As long as a virus loads *AFTER* WATCH, then it should show any interrupts in use. The problem, however, comes in when a virus, such as a boot sector virus, is loaded before anything else. You won't be able to see any of the interrupts that they're using with tools like MAPMEM. MAPMEM, WATCH, MARK, RELEASE, and others that I can't remember the names of, are public domain programs released by TurboPower Software. They're written in Turbo Pascal and include source code. Good stuff. Ken Kenneth R. van Wyk Mom: *RISE AND SHINE, CALVIN!* User Services Senior Consultant Calvin: Mbbgglkjsfdfy! Lehigh University Computing Center Mom: The early bird catches the worm! Internet: <luken@Spot.CC.Lehigh.EDU> Calvin: Great incentive! BITNET: <LUKEN@LEHIIBM1> ========================================================================= Date: Thu, 25 Aug 88 04:00:41 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Steve <XRAYSROK@SBCCVM> Subject: Safeguard and SUG Frank San Miguel related an incident involving a "virus" called SUG that scrambles FAT tables and generally destroys data. This is no reflection on Frank, but having never heard this before it seems hard to believe that a company could be so irresponsible. If it's true I wonder if it's a real virus (that propagates) or just a nasty program that reformats disks. Whether it propagates or not, it's clear that the program has no way of discriminating between someone simply trying to make a backup copy of a program (or perhaps trying to install it on a hard disk) and someone trying to make pirate copies of a disk. In any case, it would appear that the company has gone out on a limb by "taking the law into its own hands" rather than pursuing justice through legal channels. Even if it is justified in trying to protect its software, and even if it argues that legal channels are ineffective, that is no excuse for criminal action (releasing a malicious and destructive program). I would think that such a company would be no more justified than a mob lynching criminal. The criminal may deserve to die, but it should be handled through proper channels and the punishment must befit the crime, as determined by law. -------------------------------------------------------------------------- Steven C. Woronick | An extrapolation of its present rate of Physics Dept. | growth reveals that in the not too distant SUNY @ Stony Brook | future, Physical Review will fill bookshelves Stony Brook, NY 11794 | at a speed exceeding that of light. This | is not forbidden by relativity, since no 516-632-8133 | information is being conveyed. ========================================================================= Date: Thu, 25 Aug 88 10:00:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: ZDABADE@VAX1.CC.LEHIGH.EDU Subject: RE: Safeguard and SUG I made reference to the SUG incident in a previous message. I have some code and an article about this on a disk somewhere, and as soon as I find it, I will share it with you. Safeguard was traced to the situation because they had their company name and phone number in their code. (I don't think it was a virus, per se, that they released, but more of a trojan horse.) David /-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\ | From: David A. Bader, Studentis Maximus | | | | DAB3@LEHIGH SloNet: 1402 Lorain Avenue | | ZDABADE@VAX1.CC.LEHIGH.EDU Bethlehem, Pa. 18018 | | HACK!DAB@SCARECROW.CSEE.LEHIGH.EDU | | | | SchoolNet: Box 914, -On a mostly harmless | | Lehigh University, blue green planet... | | Bethlehem, Pa. 18015 -And loving it! | \________________________________________________________________________/ ========================================================================= Date: Thu, 25 Aug 88 10:05:50 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Jim <JMARKS@GTRI01> Subject: Re: Safeguard and SUG In-Reply-To: Message of Thu, 25 Aug 88 04:00:41 EDT from <XRAYSROK@SBCCVM> I have a feeling that the program distributed by Softgard (if the report is true) is a Trojan Horse rather than a virus. Since most users will have to reformat after having their FAT's scrambled, I'm not sure the program could propagate. In any case, the company would not NEED to have the program propagate to accomplish their (assumed) ends. Even if it doesn't propagate, I agree that the practice is reprehensible. While I don't condone pirating of software, users should be able to make backups, which some copy protection schemes don't provide for. I've never particularly cared for copy-protected software anyway. Jim Marks ========================================================================= Date: Thu, 25 Aug 88 09:25:01 CDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Len Levine <len@EVAX.MILW.WISC.EDU> Subject: Re: Safeguard and SUG In-Reply-To: Message from "Steve" of Aug 25, 88 at 4:00 am >Frank San Miguel related an incident involving a "virus" called SUG that >scrambles FAT tables and generally destroys data. This is no reflection >on Frank, but having never heard this before it seems hard to believe >that a company could be so irresponsible. If it's true I wonder if it's >a real virus (that propagates) or just a nasty program that reformats >disks. Whether it propagates or not, it's clear that the program has no >way of discriminating between someone simply trying to make a backup copy >of a program (or perhaps trying to install it on a hard disk) and someone In Wisconsin, as in other states, a person may shoot to kill if and only if s/he feels that a life is threatened. (A reasonable person test is often invoked.) It is not permitted to do so to protect only property. That is to say, the response must be appropriate to the threat and the invoker of the response must take responsibility for his or her action. If a company does put out such a package that does harm to a user's computer, and if the harm is way out of bound compared to what is being protected, the company is due to be sued, either by a felon, using the program to steal, or, more to the point, by an innocent bystander who may well be using the program in a legal way, or who may be merely damaged by some uninteded side effect. In fact, if I was aware of such a problem with a commercial package, if I felt that a vendor was prepared to risk my computer for his protection, I would avoid the legal packages that the vendor sold, believing that there were some other dirty tricks hidden in the woodwork that had not bitten anyone yet. + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + | Leonard P. Levine e-mail len@evax.milw.wisc.edu | | Professor, Computer Science Office (414) 229-5170 | | University of Wisconsin-Milwaukee Home (414) 962-4719 | | Milwaukee, WI 53201 U. S. A. Modem (414) 962-6228 | + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ========================================================================= Date: Thu, 25 Aug 88 10:32:24 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: David.Slonosky@QUEENSU.CA Subject: SUG In-Reply-To: <QUCDN.X400GATE:LUqvSG9H*> This is one of the programs documented in the "Dirty Dozen". When is the case coming to court? David Slonosky/QueensU/CA,"",CA | Know thyself? | <SLONOSKY@QUCDN> | If I knew myself, I'd run away. | ========================================================================= Date: Thu, 25 Aug 88 09:28:48 CDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Len Levine <len@EVAX.MILW.WISC.EDU> Subject: Re: Safeguard and SUG In-Reply-To: Message from "VIRUS-L@LEHIIBM1.BitNet" of Aug 25, 88 at 10:00 am >I made reference to the SUG incident in a previous message. I have some >code and an article about this on a disk somewhere, and as soon as I >find it, I will share it with you. Safeguard was traced to the situation >because they had their company name and phone number in their code. (I don't >think it was a virus, per se, that they released, but more of a trojan horse.) > >David > Let's watch this. Should I assume that any electronic media message with someone's name and address in it was written by them? I don't think so. + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + | Ronald Regan e-mail len@evax.milw.wisc.edu | | Professor, Computer Science Office (414) 229-5170 | | University of Wisconsin-Milwaukee Home (414) 962-4719 | | Milwaukee, WI 53201 U. S. A. Modem (414) 962-6228 | + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ========================================================================= Date: Thu, 25 Aug 88 10:42:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: WHMurray@DOCKMASTER.ARPA Subject: Re: The First Virus In-Reply-To: Message of 19 Aug 88 10:39 EDT from "Loren K Keim -- Lehigh University" Loren, I am afraid that I cannot document it, and it may even have been apocryphal. (I was not a user of the net then.) But the first virus that I can recall hearing about was named the "phantom," and was said to have appeared in the arpanet in the very early seventies. After all these years I can no longer distinguish in my memeory between those characteristics that were attributed to the phantom and those that were simply discussed in its context. I can recall that I was not surprised at the time and that I was surprised at FC's assertion that his experiment was the first. Of course that is absurd on its face since "The Adolescence of P1" was published in the early 70's. It described "trapdoors," "Trojan Horses," and viruses in excruciating and withering detail. These were the "kernel of truth" on which the author hung his fantasy. Merle Miller quotes Harry Truman: "The only thing new in the world is the history you don't know." William Hugh Murray, Fellow, Information System Security, Ernst & Whinney 2000 National City Center Cleveland, Ohio 44114 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 ========================================================================= Date: Wed, 24 Aug 88 17:14:48 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: James Mathiesen <JIM@BROWNVM> Subject: a new virus: I got this off the MacIntosh distribution list and know nothing else about it -- but I am curious if anybody here has heard of it or has any additional info. ----- -----forwarded msg----- From: C20254 @ UK.AC.PLYMOUTH.PRIME-B Date: 11-JUL-1988 20:52 Subj: Macintosh Infection at Seale-Hayne College >From : Joe Evison Micro Support Computing Service Plymouth Polytechnic Phone : (0752) 221312 Exn. 5441 Email : C20254@UK.AC.PLYM.B I have been asked to forward the following article on to you, in the hope that someone may be able to offer advice and/or assistance. The report concerns a recent outbreak of a Macintosh virus at Seale-Hayne College. We have been in touch with the local Apple Centre in Bristol, who in turn have contacted Apple UK's technical people, and it would appear that this particular virus is unknown to them. If anyone does have any information regarding this virus, could they mail either myself or Adrian Vranch at Seale-Hayne - his address is given in the report. Thank you, Joe Evison ----------------------------------------------------------------------------- Macintosh Infection at Seale-Hayne College Tsunami Virus Dr Adrian T Vranch Head of Computer Unit Seale-Hayne College, Newton Abbot, Devon TQ12 6NQ. England Tel: 0626 52323 ext 271 Email : P30414@UK.AC.PLYM.A 8th July 1988 Introduction The following notes describe the recent events leading up to the discovery of what appears to be a "virus" of some form which is present in the Macintosh Plus computers in use at Seale-Hayne College. This virus was discovered completely by accident on Wednesday 29th June 1988 and appears to have been present,but undetected, for at least six months prior to that date on a Macintosh network running under MacServe. This network has been accessed by over 150 staff and student users in that time. These notes are intended to help all Macintosh users by providing information about this virus in terms of: how users can determine if it is present what effects it appears to have how to get rid of it. Discovery of the Virus - The Story So Far The first clue to the presence of the virus came as a complete accident while using Apple File Exchange on a Mac Plus with external 20 Mbyte hard disk. Along with the Desktop file ( which is normally invisible ), System File and other files shown in the scroll window was a new, invisible file called Bostb be Evill. At the time I thought that this was rather strange but did nothing whatsoever on that day. Due to the unfriendly ring to the name of this file, my suspicions were aroused and the next day I ran the Ferret v1.0 program to check for Scores Virus. Vaccine had been installed and running for two weeks on this system. Ferret identified two files that were infected on the hard disk system: the main System file in the System Folder and a second System file ( used to create MacServe floppies ) in another folder called MacServe Folder. No changes to the Scrapbook or Note Pad icons had taken place, as discussed in the Scores Virus article by Howard Upchurch. However, following the advice in Howard's notes I checked for additional INIT resources in the infected System files using ResEdit. Sure enough, both contained an extra INIT with i.d.of 6 "LoadAT" ID=6 Howard suggests in his notes that INIT resources with i.d. of 6, 10 or 17 in a System file show that the file is infected. No extra Desktop file was found in the System Folder as described by Howard Upchurch in his notes relating to Scores Virus. Using the Repair option in Ferret, at the stage where infection was identified in the message box, removed the INIT resource with i.d. of 6. Subsequent runs of Ferret gave a clean bill of health for the whole disk, including these two System files. I later established that deleting the INIT i.d.of 6 resources using ResEdit would also remove "infection"as detected by Ferret. At this stage I deleted the Bostb be Evill file using ResEdit. I have never seen this file on any Macintosh since. My attention turned next to the College network of five Macintosh Plus computers sharing a 20 Mbyte hard disk and two Imagewriters. Since the MacServe System file on the separate Macintosh Plus had been infected I thought it likely that the System files on the network hard disk would be similarly infected. This proved to be true, again with the same INIT resource with i.d. of 6, again in the main System file and in the System file in the MacServe volume containing a System Folder for creating MacServe floppies for users. The infection dates given by Ferret were particularly interesting: main System file - Wed 29th June 1988 at 21:15 MacServe folder System file - Fri Dec 18th 1987 09:30. Assuming that these dates are correct, this shows that the virus had been present on this shared hard disk for at least six months, but had only transferred to the main System file itself the day before. As far as verifying the time is concerned, it is possible that someone was using the network at 21:15 hours ,as the room was open to users then. It is certain that the network was running at that time. At this stage, no files similar to the Bostb be Evill file were found on the MacServe network hard disk. The infection date of December 18th for the System file used to create MacServe floppies suggested that all such floppies created after that date would also be infected. On checking, I found that all MacServe floppies have an infected System file with the added "LoadAT" INIT resource, i.d.of 6. All users of these floppies have been notified of the problem. It would appear that the virus was first introduced to the MacServe network and that it was transferred in the MacServe folder copied to the separate Macintosh Plus with hard disk. From the MacServe folder on this separate Mac, the infection then spread to the main System file in this computer. The date when the Bostb be Evill file appeared is not known but I believe that this file appeared after the MacServe System file with the INIT resource "LoadAT" i.d.6 had been copied to the separate Macintosh and this belief is based on what happened next with the MacServe network system. On returning to the MacServe network and switching on to run Ferret again , no virus was found on the disk. However, ResEdit showed the existence of a new invisible file with a four character name of box symbols. The system was switched off then restarted the following day. Again, Ferret detected no virus but a further two invisible files had been added to the desktop and were shown using ResEdit. One had the same four character name of boxes and the other was called Tsunami. Apparently, this is the name of a Japanese tidal wave which starts in a small way and grows rapidly to engulf everything in its path - again not a very friendly name for an invisible file on disk ! I assumed that these three files were similar to the original Bostb be Evill file found on the other Macintosh but rather than delete them, I decided to use ResEdit to investigate. The results were very interesting: all three files had no apparent type or creator all three were locked, invisible,Bozo and File Protect selected all three had the same resource fork size of 286 bytes all three had the same data fork size of 512 bytes . Furthermore, all three showed a blank window when opened from the first ResEdit window. In other words, although they contained data and resources, ResEdit could not show them up. Effects of the Infection At first, it appeared that there were no specific problems caused by the infection. Examination of application CODE resources as described in the Scores Virus notes did not show any evidence of the added codes with i.d. numbers two greater than the next value, as described by Howard Upchurch. However, it has now become clear that this infection does appear to cause problems and several examples which may be caused by the virus are worth a mention: Macintosh Network Problems The MacServe system Imagewriter file became corrupted such that the Chooser could not see it as a printer option. Examination using ResEdit showed that the file had been significantly reduced in size ( Resource fork 3336 bytes ) compared with an uncorrupted file ( Resource fork 40246 bytes ). MacPaint document icons on MacServe volumes sometimes appeared as generic (i.e. blank) document icons, although this was only seen on a few occasions. Problems with the Separate Macintosh Plus System After "deleting" the Bostb be Evill file on the separate Macintosh Plus, many problems began to happen on that system: The System Bomb, ID 2 message appeared very frequently when opening a variety of applications. Previously, this has happened only rarely. During a session using MacWrite v5.0, part of the ruler would suddenly be corrupted, for example, the black background of the icon for "centre justified text" selected would suddenly be displaced a few millimetres to the left of the rest of the icon. When printing from MacWrite v5.0, the whole system would crash completely and the screen would be reduced to a white background with thin vertical lines. The MacWrite application itself became corrupted, such that attempting to open a MacWrite document caused the Finder to display a message that the Application was damaged. Examination with ResEdit caused an "Error opening a resource file" message [39] to appear. Running Ferret on this obviously sick Mac produced a clean bill of health, indicating that Ferret is perhaps limiting its examination to INIT resources with suspicious i.d. numbers. The System Folder on the separate Macintosh Plus was completely replaced two days ago and no problems were experienced in using that computer until yesterday. While using MacTerminal to receive E-MAIL and to send a copy of this document to Plymouth Polytechnic, I found that using the "Save As" option my filename was corrupted to four box symbol characters. I could not change these characters. The document appeared to be saved intact with this unwanted filename. This MacTerminal document is certainly corrupted but is it infected as well ? Removing the Infection Do not rely on Ferret or Vaccine to protect your files. They may not be able to detect all infections or corruptions. Do not assume that only System files can become infected. Do not assume that Applications files cannot be infected. They can certainly be corrupted. Do not assume that Document files cannot be infected. They can certainly be corrupted. To remove infection with confidence, replace ALL files on an infected disk with copies from uninfected backup floppies, with the write-protect tab open. In other words, start again completely and do not assume any file is safe from infection. The Current Situation at Seale-Hayne College The MacServe network hard disk and Macintosh server have now been isolated from the network itself. The additional invisible files, including Tsunami, have not been deleted and, as yet, have not been joined by any more colleagues. The MacServe volume on the network hard disk has been supplied with a System file which still contained the "LoadAT" INIT resource with i.d. of 6. This has been done as an experiment to see if this INIT resource transfers itself to the main System file on that hard disk. This system will be monitored closely for the next week or so. A virus-free Macintosh Plus with 20 Mbyte hard disk is now being installed in the Computer Unit, from which new systems will be issued. All Macintosh hard disks in College will be erased completely and fresh files re-installed from uninfected floppies. A new College policy is being introduced to minimise the risk of introducing or spreading any type of virus infection to College computers by screening all disks before they are allowed to be used. This will apply to IBM PCs and compatibles as well as Macintoshes and will be strictly enforced with no exceptions in terms of staff or student users. Conclusions I hope that the account of how I have approached my investigation into this infection is of help to other Macintosh users. Clearly, there may be many types of virus infecting our software and the details of how to find out if they are present or what they do may also vary. Nevertheless, by using a combination of ResEdit and Ferret and other products, it is possible to uncover infection. By replacing all files on an infected disk and by a sensible approach to keeping backups, it should be possible to get rid of this problem so that we can all get back to a normal working situation. *** These notes are intended for the widest circulation possible to Macintosh users. Please make as many copies as you wish and circulate them freely, on the one condition that the contents of this document may only be copied in full, with no additions or deletions. *** If you wish, please feel free to contact me, using my postal address or telephone number or E-MAIL address given at the beginning of this document. I am very keen to contact anyone who can help me overcome the problems caused by this sort of infection. ========================================================================= Date: Thu, 25 Aug 88 11:24:10 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "David A. Bader" <DAB3@LEHIGH> Subject: SUG When I said that the SUG affair was traced back to softguard through some data in the code, I was not implying that this was the sole reason. I have an article explaining this, but since I am in the middle of packing up and moving rooms for college, I won't be able to find the reference until next monday or so. But when I do, I will post it for your information. David Bader ========================================================================= Date: Thu, 25 Aug 88 12:11:00 CST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Dr. Howard J. Ramagli" <HRAMAGLI@UTMEM1> Subject: RE: a new virus: I N T E R O F F I C E M E M O R A N D U M Date: 25-Aug-1988 12:07pm CST From: Dr. Howard J. Ramagli HRAMAGLI Dept: Info. Systems & Services Tel No: (901) 528-6392 TO: Remote GMAIL User ( _GMAIL%VIRUS-L@LEHIIBM1 ) Subject: RE: a new virus: A curious note on this new Mac Virus. The file spelling (Bostb be Evill) reminds me of the old Microsoft file protection scheme for either Multiplan or Microsoft File. Hope this is of some help. Howard ************************************************************************ * * * Dr. Howard J. Ramagli * * BITNET Info Representative * * Director, Technology Support Services * * Biomedical Information Transfer (BIT) Center * * University of Tennessee, Memphis, 877 Madison, Memphis, TN 38163 * * (901) 528-5024 * * HRAMAGLI@UTMEM1.BITNET U0282 on AppleLink * * * ************************************************************************ ========================================================================= Date: Thu, 25 Aug 88 19:04:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: ZDABADE@VAX1.CC.LEHIGH.EDU Subject: Re: Softguard I sorted through a thousand disks today and finally found the document on Softguard that I was referring to (under some cryptic filename!). Anyway, here is the memo, and enjoy! ------------------------------------------------------------------------------ Mark Garvin -- Xymetric Productions -- New York City 3-7-87 I guess I have stirred some interest with my recent messages to BBS's concerning Trojan horse programs. I have decided to write the following file in the interest of warning others and hopefully finding clues to the origin of the programs. I have been operating a Priam 60 Meg hard disk on my AT for the past two years with good results. About four months ago, I encountered a Trojan horse program called HI-Q.COM which corrupted the FAT table on the disk. I lost access to the entire D: drive and the files and boot sectors on the C: drive were so badly damaged that I had to reformat the drive. Since there was nothing to be lost by trying the program again, I decided to confirm that HI-Q.COM was indeed the culprit. I ran a couple of the popular Trojan finders on the file first: Nothing. Thinking perhaps I was mistaken, I ran HI-Q under an INT13-trapper. No INT 13's were found and HI-Q ran normally. Upon rebooting the system, I found the same boot- sector errors, and CHKDSK again reported numerous cross-links, etc. I reformatted the drive and ran media checks to make sure the Priam was sound. After checking several other programs (I did NOT run the Trojan- testers or INT13-trapper again in case those were perhaps Trojan), I ran HI-Q.COM for the third time. Same results. This is enough for me: I'm convinced. Up until this point, I had heard of Trojan horses, but honestly doubted that there were actually competant computer programmers around who were wierd enough to write such a thing. I should also note that there is a program called HI-Q.EXE which has been tested by some boards, and is supposedly NOT a Trojan. I'm not going to try it on my hard disk system. The HI-Q.COM program may not have even been an intentional Trojan -- I'm willing to keep an open mind on the subject. Maybe it was incompetent programming, or perhaps someone ran SPACEMAKER or a similar program on the .EXE file to convert it to a .COM file, and inadvertantly created a Trojan. OK -- that's one thing.. The next Trojan I ran was DEFINITELY intentional. I had reformatted my Priam after the previous incident, and I haven't allowed the mysterious HI-Q program back on the system. However, I HAVE run numerous file-managers, etc. from local BBS's -- maybe I'm just a trusting individual, but I wasn't ready to give up on Public Domain or shareware software just yet. Recently, the Priam starting giving me trouble again: crosslinked and lost files, and no boot. I called Priam, hoping to get instructions for perhaps salvaging files on the D: drive, since the partition was destroyed. Priam's tech guided me through a HEX/ ASCII dump of the boot record via a trap-door in Priam's FDISK program. Needless to say, we were BOTH incredulous at the result. Dis-believers should look closely at the HEX/ASCII dump below. This was NOT retyped or altered in any way. After booting from floppy, I redirected printer output to a disk file. What you are looking at below is exactly what appeared on my screen after the crash. ____________________________________________________________________________ 0 = Master Boot Record, 25 = Extended Volume Record 1 - 24 = Volume Boot Record Enter number of record to display (0 - 25) : [ 0] D H 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 0/ 0 EB 7D 53 4F 46 54 4C 6F 4B 2B 20 33 2E 30 0D 0A ..SOFTLoK+ 3.0.. 16/ 10 11 28 43 29 20 53 4F 46 54 47 55 41 52 44 0D 0A .(C) SOFTGUARD.. 32/ 20 53 59 53 54 45 4D 53 2C 20 49 4E 43 2E 20 0D 0A SYSTEMS, INC. .. 48/ 30 32 38 34 30 20 53 74 20 54 68 6F 6D 61 73 0D 0A 2840 St Thomas.. 64/ 40 45 78 70 77 79 2C 20 73 74 65 20 32 30 31 0D 0A Expwy, ste 201.. 80/ 50 53 61 6E 74 61 20 43 6C 61 72 61 2C 20 20 0D 0A Santa Clara, .. 96/ 60 43 41 20 39 35 30 35 31 20 20 20 20 20 20 0D 0A CA 95051 .. 112/ 70 34 30 38 2D 39 37 30 2D 39 34 32 30 10 07 00 FA 408-970-9420.... 128/ 80 8C C8 8E D0 BC 00 7C FB 8B F4 8E C0 8E D8 FC BF ......|......... 144/ 90 00 06 B9 00 01 F3 A5 EA D4 06 00 00 45 72 72 6F ............Erro 160/ A0 72 20 6C 6F 61 64 69 6E 67 20 6F 70 65 72 61 74 r loading operat 176/ B0 69 6E 67 20 73 79 73 74 65 6D 00 4D 69 73 73 69 ing system.Missi 192/ C0 6E 67 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 ng operating sys 208/ D0 74 65 6D 00 BE BE 07 B9 04 00 AC 3C 80 74 15 83 tem........<.t.. 224/ E0 C6 0F E2 F6 CD 18 AC 0A C0 74 FE BB 07 00 B4 0E .........t...... 240/ F0 CD 10 EB F2 4E 8B 14 8B 4C 02 BB 00 7C B8 11 02 ....N...L...|... Press <Esc> to ABORT, any other key to continue . 0 = Master Boot Record, 25 = Extended Volume Record 1 - 24 = Volume Boot Record _____________________________________________________________________________ In the interest of justice, I would like to make the following obser- vations: 1) The MAIN phone no. for SoftGuard systems is: 408-970-9240, NOT 9420. The no. listed above is not in use. The message it gives IS the normal message for that area, even though it sounds like it is com- puter generated. The phone co. says it is actually registered to Siliconix, a Silicon Valley chip-manufacturer, who probably has no interest in Public Domain software or BBS's. 2) I called SoftGuard, and they gave me a Mr. Phelps-type message, disavow- ing any knowledge of any Trojan programs or of SOFTLok, etc. which they said is not an official product. However, they have not returned my calls requesting additional information, and a request to speak to some- one knowledgable about their software protection techniques has not been answered. This may mean either that the message was cooked up by some- one with a vendetta against SoftGuard (I don't know why!), or that Soft- Guard wants to be able to identify the source of the Trojan program by the information phoned in by irate people whose disks have just crashed. In my opinion, the juxtaposition of the phone no. digits could be caused by errors on the part of whoever wrote the Trojan program, whether it was within SoftGuard, or not. After restoring the hard disk, I scanned every file on it, and "SoftGuard" did not appear anywhere. The clever- ness in bit-shifting the ASCII digits, or otherwise disguising them, may also have resulted in the wrong phone no. 3) I have not, and will not, install SoftGuard programs on my disks. Also, I obviously do not have any reason to run any of the unprotect programs for SoftGuard, of which some are supposedly Trojans themselves (see below). I have no idea of which file of the 2,000+ files on my system was the origin of the message. As explained above, I have scanned them for ASCII text and I've come up with nothing so far. There are numerous warnings in circulation concerning SoftGuard Systems, manufacturers of the SuperLock copy-protection scheme. They SUPPOSEDLY upload Trojan programs to BBS's either to try to get their own form of justice against those who try to crack their software, or because they are just bitter about the numerous SoftGuard/SuperLock unprotectors which are circulating on the BBS's. Most of these Trojans have the name SUG.. (Soft-Un-Guard) or something similar. I did not originally believe that SoftGuard would be stupid enough to do such a thing. After all, a lesson should have been learned by the example of Prolok (another copy-protect manufacturer), who claimed that their new software would destroy the hard disk of anyone who tried to mis-use it. Most users, legitimate and other- wise, dropped them instantly, even though Prolok realized their grave error and retracted their previous advertising. After all, who wants to have their hard disk destroyed by accidently inserting the wrong key disk? The SUG programs mentioned are reported to say something like: "Courtesy of SoftGuard Systems .. So sue us!" -- after trashing the hard disk. My feelings about possibly casting doubt on the integrity of SoftGuard ? They did NOT convince me that they were blameless, and if they cared, they would have returned my phone calls. However, it MAY just be coincidence that a lot of the Trojan programs mention SoftGuard. Recommendations: Whether SoftGuard is at fault or not, they did not give me an adequate explanation of the rumors circulating about them, and they did not return my calls. I would recommend that individuals and companies stay away from SoftGuard/SuperLock, or any other copy-protect program which writes hidden, strange information onto their hard disks. Users of such copy-protected software should write or call the manufacturers and re- quest that the copy protection be discontinued. Explain to them that pirates will always crack copy-protection, and that only the legitimate users suffer from its use. If you work for a company that uses copy- protected software, why not get a print-out of this file and show it to the person in charge of purchasing software? If you DO have a hard disk crash, try to recover the boot-record on the disk before just giving up and reformatting. You may find something similar to the above. The manufacturer or vendor of your hard disk may be able to steer you through the proper procedure for doing this. Read this month's (March 1987) issue of 'Computer Language' for more information on Trojan horse programs. The article recommends contacting Eric Newhouse at THE CREST BBS regarding trojan horse programs. If you DO run into one, keep a copy of the file, and have a knowledgable BBS- user send it, and an explanation to Eric's BBS at 213-471-2518. DO NOT SEND THE FILE WITH ITS ORIGINAL NAME. The file name should be changed to something NOT ending in .EXE or .COM (how about .TRJ), and it should be sent to the attention of the SYSOP. This is usually done by waiting for the prompt to enter the file description, and starting the descrip- tion with '/'. Afterwards, also leave a comment to SYSOP which states the nature, and description of the file. In other words, don't inadver- tantly upload a Trojan program which could victimize others. Watch out for some of the so-called Trojan testers. The majority of these are legitimate, but a few of them are actually Trojans themselves. Also, before jumping the gun and assuming a program is Trojan, check other possible sources for disk errors, etc. Sometimes hard disk media just develops errors, and there ARE some programs circulating as 'jokes' which put a message up which says they are reformatting your drives, or even claim to be draining excess water out of your disk drives. Most of the nasty Trojan programs don't cause their damage immediately. They wait for the drive to fill up a bit, or they wait for a random time interval. In the latter case described above, I suspected a file manager that I had just run. It turns out that others have used the program with no ill effects. It seems to me that the future of PD software, as well as BBS systems is being threatened by this type of thing. A concerted effort on the part of SYSOPS to correlate the names and origins of people who upload Trojan software may help to track them down. Most BBS software keeps track of the names of people uploading software. I doubt that Trojan writers are stupid enough to list their real names, but it's time that some ingenuity was used in putting a stop to this. I am a serious software developer, and I have taken some time off to write this message in the interest of helping other PD software users. Unfortunately, I don't have the time to coordinate any effort in analysis of Trojan programs and I cannot be contacted by phone (unlisted), but if you DO run into something similar, or if you have questions about any of the info presented here, leave me a personal message on any of the larger BBS's in New York City, and I will try to reply on the same board. PLEASE DO circulate this file. It is important information for anyone running a BBS, or using Public Domain or SoftGuard/SuperLock software. ----------------------------------------------------------------------------- /-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\ | From: David A. Bader, Studentis Maximus | | | | DAB3@LEHIGH SloNet: 1402 Lorain Avenue | | ZDABADE@VAX1.CC.LEHIGH.EDU Bethlehem, Pa. 18018 | | HACK!DAB@SCARECROW.CSEE.LEHIGH.EDU | | | | SchoolNet: Box 914, -On a mostly harmless | | Lehigh University, blue green planet... | | Bethlehem, Pa. 18015 -And loving it! | \________________________________________________________________________/ ========================================================================= Date: Fri, 26 Aug 88 02:35:46 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Steve <XRAYSROK@SBCCVM> Subject: SUG David: I stand corrected. I did hear of SUG previously --- from you on this list. Len Levine has a good point that just because a company's name is written all over a product, it doesn't mean that they are in anyway connected with it (Len, you misspellled Reagan :-). It is entirely possible that someone simply doesn't like SoftGuard and is trying to discredit them, unless SoftGuard is claiming responsibility (but even that isn't absolute proof that they did it --- maybe they only wished they'd done it). Does anybody know if SoftGuard is really claiming responsibility for the SUG thing? I could sort of understand if they elected not to say anything and just let people think that the boogie man will get them if they try to misuse SoftGuard products (whether or not they are actually responsible and even if I think it's bad public relations not to issue a disclaimer), but to take credit seems insane. I would think that by claiming responsiblity they would greatly simplify prosecution of an otherwise nearly impossible case. -------------------------------------------------------------------------- Steven C. Woronick | An extrapolation of its present rate of Physics Dept. | growth reveals that in the not too distant SUNY @ Stony Brook | future, Physical Review will fill bookshelves Stony Brook, NY 11794 | at a speed exceeding that of light. This | is not forbidden by relativity, since no 516-632-8133 | information is being conveyed. ========================================================================= Date: Fri, 26 Aug 88 10:39:02 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Jim Marks <JMARKS@GTRI01> Subject: Re: Safeguard and SUG In-Reply-To: Message of Thu, 25 Aug 88 09:28:48 CDT from <len@EVAX.MILW.WISC.EDU> You make a good point. A particular problem with hacked code is the case where some malevolent person takes a useful piece of code (which, of course, will probably have the author's name prominently displayed) and hacks it into a trojan horse, time bomb, virus, or whatever. They don't remove the person's name and so he/she gets the blame. In general, I would not expect to see the REAL hacker's name in such a program. It's bad enough to plant such a destructive piece of code among users. What is probably even WORSE is trying to impugn (sp?) the reputation of a legitimate software author. I'm not sure that is what happened in this case, though. I only know what I've seen here. Jim Marks ========================================================================= Date: Fri, 26 Aug 88 15:59:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: ZDABADE@VAX1.CC.LEHIGH.EDU Subject: Random BBS virus memos Here is a short collection of virus memos that I found on some BBS's recently: Msg # 14 Dated 07-19-88 18:27:21 From: SHARON KLEGARTH To: ALL Re: VIRUS Last read at 09:02:35 on 07/28/88 It has happened....my system has a virus!! Am not sure where it was picked up from...but many strange things happened....in info sent to a log file parts of my diskcopy and diskcomp appeared....and my DOS disk disappeared...the disk with the file I sent my Procomm log to appeared in it's place....a file Trojan.arc...(bombsqad) is VERY good.... it showed me that something kept wanting to write to disk A, head 0, track 0, sector 1, number 1, data address 0070:15F7.....OFTEN...even when reading my directory...or trying to load a file...not every time, mind you...sometimes I had to do the function 10 or 20 times before it tried to write to disk A....sneaky little virus. I have an old DOS and a new d/l copy of bombsqad on it...booting it up when the system boots up... so now I have to go through all my disks to see what will have to be trashed...(formatted TWICE I have been told will get rid of the virus..) AND I am now using the write protect tabs I should have been using all along....sigh.... Sharon ------------------------------------------------------------------------- ------------------------------------------------------------------------- According to Keith Graham (author of TXT2COM, etc.) and Ross Greenberg who is the legitimate author of FLUSHOTx.ARC, there is a file in circulation under the name FLUSHOT4.ARC which contains a sophisticated TROJAN. Some unknown -- but very knowledgeable -- assembly language hacker has taken Keith's TXT2COM and modified it so that if the trojan file created with it (the one that Keith and Ross examined was named FLU4TXT.COM) is run, it will TRASH THE HARD DISK on that system when the program exits. Legitimate versions of FLUSHOT contain only ASCII documentation and not "executable text files". When the trojan file is scanned [or LISTed in hex mode], the string (without quotes) "XT2COM" will be found. Apparently, the missing "T" has been replaced by code which branches to the trojan portion of the file. Clearly it is possible for this file to be renamed and/or included within other archives (not to give the malicious children out there ideas, but...) and so please take precautions not only with any executable text files found in FLUSHOTx.ARC, but similar files found in other archives as well. Bulletin #1 on Mr. Greenberg's BBS on this subject is in FLU4TXT.ARC. Please disseminate this information as widely as possible. co-sysop, PC-Rockland BBS (914) 353-2176 [FREEBOARD] (914) 353-2157 [paid registration] -------------------------------------------------------------------------------- ------------------------------------------------------------------------------- Rouge program jams memories of computer network. Tampa fl (ap) A self propagating computer program is spreading like an electronic virus threatening to damage systems ranging from that at AT+T's regional headquarters to a computer club's floppy disks. "It kind of creeps up on you,"said Jeff White, president of the Tampa Amiga users group, Whoses membership was infiltrated by the small rogue program. A simuilar virus affected the vast network of computers at International Business Machines Corp.'s regional headquarters in Tampa last month. Virus is computer jargon for a self propagating set of oders devised by a saboteur and automatically copied from one computer disk to another, gradually taking up more and more memory space. The virus, programmed to wipe out thousands of files and years of research on Friday the 13th this may was inserted into Hebrew university computers in Jerusalem, said Isreal Adai, A senior programmer at the university's computer center. "It is the most devastating thing we've ever come across,"Aidia said last week. The Tampa Tribune reported yesterday that experts say they do not yet know what, if any .damage the virus can cause to previously stored programs or stored information. But it quoted one expert as saying a version of the virus was similar to the one found in Isreal, designed to to begin destroying files on Friday the 13th. White said the program was copied on to more than20 of his floppy disks before he dicovered it! By then the program had spread to the disks of many of the club members via their regular disk of the month distribution. In Isreal university computer experts devised two programs called "immune" and "unvirus" which tell users wheather there disks have been infected and applies an antedote to thoses that have. At IBM the virus took the form of an electronic chain letter that grew so large it slowed the company's computerized message system.A holiday message promised to draw a Christmas tree on the screen if someone would type the word "Christmas" on the computer.Instead the program kept repeating itself andspreading to other computers in the network. The IBM problem was stopped before it spread to other customers computers according to spokesman Frank Gobes. We haven't determined where it came from, said Frank. IBM's information network in Tampa servers as a hub for a large electronic system that is linked to machines from San Diego to Boston and from Miami to Seattle. It is also linked to computers outside the United States, Gobes said. The company installed an electronic filter to help prevent further breaches of its network. The filter- yet another computer program- will not allow the transfer of programs within IBM's system, Gobe said. This article taken from: The Courier News Bridgewater N.J. Jan 22 1988 ------------------------------------------------------------------------------ ------------------------------------------------------------------------------ Not to be out done, The Hyper drive has been invaded by a virus! Seems like a program called FLUSHOT2.ARC was uploaded to the system which almost had a very bad out come. Luckily this problem was caught in time. If you downloaded this file, destroy it. It will do no harm till you try to format a disk. It will then start to do its thing. I DO NOT hold the uploader responsible for this file as he probably did not know what was going on. This is how these files work! If it sounds to good to be true, it just might be! To mantain the integrity of the system this file has been pulled off the list of downloadable files. Again, If anyone has this file, rid them selves of it before it gets to you. SYSOP -------------------------------------------------------------------------------- ------------------------------------------------------------------------------- /-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\ | From: David A. Bader, Studentis Maximus | | | | DAB3@LEHIGH SloNet: 1402 Lorain Avenue | | ZDABADE@VAX1.CC.LEHIGH.EDU Bethlehem, Pa. 18018 | | HACK!DAB@SCARECROW.CSEE.LEHIGH.EDU | | | | SchoolNet: Box 914, -On a mostly harmless | | Lehigh University, blue green planet... | | Bethlehem, Pa. 18015 -And loving it! | \________________________________________________________________________/ ========================================================================= Date: Fri, 26 Aug 88 18:22:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: ZDABADE@VAX1.CC.LEHIGH.EDU Subject: PKTROJAN Notice Here is another interesting tidbit that I found: TROJAN WARNING To all callers who might have downloaded PKPATCH.arc here or from any other BBS .... Some users have found problems with hard disk crashes after/during use of the patch. Read the following, and check your file. I would (conservatively) not use either patch, and heed Phil's warning on the use of PKARC on large binary files ........ ----------------------------------------------------------------------------- The following is a message from Phil Katz author of PKX35A35 regarding a users questioning of a patch for same that has been circulating around the boards... ------------------------------------------------------------------------------ DO NOT RUN THAT PATCH THAT YOU UPLOADED!!! It is *definetly* a trojan! It is a copy of an actual article posted by me on USENET, with one line different. That line is the patch for PKXARC.COM. This has obviously intentionally been done as a very sick joke. The debug patch that you uploaded will write to direct sectors as you figured, and from what I can tell, will wipe out the FAT or Master Boot Record for drive C:. BAD NEWS! The PKXARC patch that I posted should be as follows: debug pkxarc.com e 1d0b 8b 3e c8 f4 80 3e d0 f5 0c 75 06 e8 a9 06 eb 1a 90 aa w q What was in the file you uploaded was: debug pkxarc.com e 1d0b b8 02 00 b9 ff 00 ba 00 00 cd 26 90 e9 fa ff 1a 90 aa w q As you can see, what you uploaded was quite different than what I originally posted. Please inform the sysop of ANY system where you see that file to check it, delete it if necessary and inform users... ------------------------------------------------------------------------------ The following is a message from Phil Katz author of PKX35A35 regarding a TROJAN PKXARC that has been circulating around the boards... ------------------------------------------------------------------------------ From: PHIL KATZ To: ALL Subj: TROJAN PKXARC c: ARC+ZOO+ #1002 12-27-87 23:16 (Read 0 times) f: PHIL KATZ (REBEL LEADER) t: ALL s: TROJAN ALERT cc: SYSOP 12/27/87 There have recently been several trojan/hacked/pirated versions of PKARC/PKXARC showing up. The most vicious of the bunch is called NEWARKR.EXE. This is a (PKSFX) self- extracting file, but contains no DOCS. The programs PKXARC, PKARC, and PKSFX have been renamed to XARKR, ARKR, and RKSFX respectively. The PKWARE copyright has been removed from these programs, along with PKWARE's address and all references to ShareWare. The Copyright notice has been replaced with the phrase "Public Domain Software". These programs have been modified in other means too, and their reliability is unknown. Equally malicious, there has been a trojan patch for PKXARC that has been cirulated. It is a copy of a valid message from me posted on USENET, except the patch given in the message has been changed to write directly to the FAT and wipe out disk C. There have been also various files circulated claiming to be PKARC/PKXARC versions 3.6 and 5.3. These are all hacked or pirated. The perpetrators of these hacks are guilty of Copyright infringement, theft, libel with malice, or other applicable crimes. PKWARE Inc. will seek to prosecute these individuals to the fullest extent of the law. If you see any file claiming to be a new version of PKARC/PKXARC or a patch to those programs, and are unsure of their origin, please check the following BBS's for the authentic files: PKWARE BBS 414-352-7176 EXEC-PC 414-964-5160 RBBS OF CHICAGO 312-352-1035 SOUND OF MUSIC 516-536-8723 If you do encounter any hacked or pirated files, please inform the SYSOP of the system with these files to delete them immediately. Please also inform PKWARE inc. of these files, their origin, and all other information that you have available. We can be reached at either any of the above BBS numbers, or 414-352-3670 voice. Only with your help can these very sick individuals be prevented from causing harm to unsuspecting victims of these hacked and pirated programs. >Phil Katz> --------------------------------------------------------------------------- /-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\ | From: David A. Bader, Studentis Maximus | | | | DAB3@LEHIGH SloNet: 1402 Lorain Avenue | | ZDABADE@VAX1.CC.LEHIGH.EDU Bethlehem, Pa. 18018 | | HACK!DAB@SCARECROW.CSEE.LEHIGH.EDU | | | | SchoolNet: Box 914, -On a mostly harmless | | Lehigh University, blue green planet... | | Bethlehem, Pa. 18015 -And loving it! | \________________________________________________________________________/ ========================================================================= Date: Sat, 27 Aug 88 01:54:20 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Amanda B Rosen <abr1@CUNIXC.CC.COLUMBIA.EDU> Subject: New Mac Virus (INIT 6, 'LoadAT') may not be a virus It's been a long while since I used MacServe, but I am positive that the 'LoadAT' INIT 6 described in the recent article about a supposed Mac Virus is actually part of MacServe. I can't explain the invisible files, but I'm sure that all sorts of odd things will happen if you try to run MacServe without one of its inits. Creating invisible and oddly named files is a possibility. I also seem to remember something about a file named something- or-other evill, but I can't remember what it was. It was not, I think, a virus. If the person from that english college is not on this list, would the person who cross-posted the original article please forward this response to him? Thanks. /a ========================================================================= Date: Sat, 27 Aug 88 10:41:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: WHMurray@DOCKMASTER.ARPA Subject: RE: Controlled Study of Viruses In-Reply-To: Message of 24 Aug 88 02:42 EDT from "ZDABADE%VAX1.CC.LEHIGH.EDU at CUNYVM.CUNY.EDU" >can you see the situation that would arise if someone else out there also >got a copy of the viruses "to study" but instead had other plans for them! >As it stands, sending you viruses HAS to be a weak link in security because >I doubt that most of the places sending to you have even met you in person. >David > From: David A. Bader, Studentis Maximus Hear! Hear! Without regard to the motive, there is more than enough traffic in viruses without forwarding them knowingly. If you see one, sterilize it; if you cannot sterilize it, kill it. Under no circumstances should you give one to anyone else. Sterilized viruses can still carry all of the information required by serious academics. William Hugh Murray, Fellow, Information System Security, Ernst & Whinney 2000 National City Center Cleveland, Ohio 44114 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 ========================================================================= Date: Sat, 27 Aug 88 10:52:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: WHMurray@DOCKMASTER.ARPA Subject: Re: Controlled Study of Viruses In-Reply-To: Message of 23 Aug 88 19:58 EDT from "Loren K Keim -- Lehigh University" Loren Keim writes: >I debated whether to send this directly to David or to >the entire list, and I feel that the list should know >that we NEVER compromise on security. With all due respect for his motives and intentions, if twenty years in security has taught me nothing else, it has taught me that everyone compromises security. It is the nature of things. Security is by definition a compromise. It cannot be otherwise. I am much more confident in the security efforts of people that understand this, than with those of people who tell me that they "NEVER" compromise. EVERYBODY compromises (even I). William Hugh Murray, Fellow, Information System Security, Ernst & Whinney 2000 National City Center Cleveland, Ohio 44114 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 ========================================================================= Date: Sat, 27 Aug 88 13:26:26 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: David.Slonosky@QUEENSU.CA Subject: Re: The First Virus In-Reply-To: <QUCDN.X400GATE:LUsWFkII*> >...Of course that is absurd on its face since "The Adolescence of P1" was >published in the early 70's. It described "trapdoors," "Trojan Horses," >and viruses in excruciating and withering detail. These were the >"kernel of truth" on which the author hung his fantasy. > >Merle Miller quotes Harry Truman: "The only thing new in the world is >the history you don't know." What exactly is "The Adolescence of P1"? Fact or fiction? David Slonosky/QueensU/CA,"",CA | Know thyself? | <SLONOSKY@QUCDN> | If I knew myself, I'd run away. | ========================================================================= Date: Sat, 27 Aug 88 12:22:30 PDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Robert Slade <USERCE57@UBCMTSG> Subject: PERFECT virus? Recently there has been specualtion of a "targetted" virus that may be aimed at Word Pefect 5.0. My brothers office has recently upgraded to 5.0 and seems to have coincidentally been hit with a virus. An extra, and as yet unidentified hidden file seems to have appeared on the hard disk and many floppies. (This is in addition to the two MS-DOS system files and one partitioning the hard disk.) Word perfect files are being steadily corrupted, as well as some others. Any info relating to this is, of course, appreciated. I will post further details as they become available. ========================================================================= Date: Sat, 27 Aug 88 20:03:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Dimitri Vulis <DLV@CUNYVMS1> Subject: The Adolescence of P1 The Adolescence of P1 is a novel by Thomas J. Ryan, highly recommended. From technical point of view, the virus part is quite realistic (undoubtfully influenced by the viri extant on Arpanet even when the book was writtem); the AI part is pure SciFi. If you've never read it, you definitely should. -DV ========================================================================= Date: Sun, 28 Aug 88 19:04:29 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: David.Slonosky@QUEENSU.CA Subject: Virus Law I have a hypothetical legal question. Suppose User A has the perfect program on a disk, a easily used and fast DOS shell/notepad/modem program/ data base/word processor/spreadsheet/coffee maker... Unknowst to user A, a virus has become embedded in the boot track of his/her copy of the disk. User B, desirous of obtaining user A's program, copies files from this disk and begins using it. 2 weeks later, B's hard drive is trashed, along with valuable information. Questions: 1) Is A legally to blame? 2) How does A prove his/her innocence in the matter if it is known that A is a capable assembly language programmer? 3) Does this scenario change if A is a large software manufacturer? If B is a large corporation who receives infected files from another corporation and has an entire set of confidential data corrupted? 4) Are BBS SYSOPS responsible for any malicous software which is downloaded from their boards? I just thought of these in the shower last night. I don't know how many CPU lawyers there are out there, but I hope that these are relevant questions. David Slonosky/QueensU/CA,"",CA | Know thyself? | <SLONOSKY@QUCDN> | If I knew myself, I'd run away. | ========================================================================= Date: Sun, 28 Aug 88 21:35:21 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Who's SAFE? Well, I've had quite a few questions (alright, I've had a truckload of questions) on who can receive viruses, who is alright to have copies, etc etc etc. I can't tell you precisely who may or may not receive anything, unfortunately. Generally its played by ear. There are several groups and institutions dedicated to computer security which are recognized by the computing society to be reasonably safe. As William Murray pointed out sometime this weekend, in the study of security threats, we all end up compromising to some extent in order to observe something. Fred Cohen is a member of the Foundation for Computer Integrity Research, Joseph Beckman is an employee of the National Computer Security Center, the FBI has people investigating computer virus propogation, Maria Pozzo has worked on creation of B2 security systems and has studied Viruses under grants from IBM if memory serves, I am independent and have been called upon several times to work on security problems or virus containment. All of these people are relatively "safe". FoundationWare of Ohio claims that the only rightful holders of the Lehigh Virus include the federal government, Lehigh, and them (that is on memory, I believe I am correct in that statement). Yet I have run across several companies with copies of the program as well as several newsmen with copies (NEVER give viruses to newsmen!!!) I spoke at length to someone a while back who identified himself as working for the NSC. He told me that I could continue research on specific viruses if I had worked on them for some institution. He told me, however, that NO ONE was to get a copy of the Lehigh Virus (interesting puzzle). Joe Beckman: > As an employee of the National Computer Security Center, I must > point out that we do *NOT* attempt to track perpetrators for > prosecution or for *ANY* other reason! > We are not a law enforcement Agency, and are prohibited by law > to take any such action. Who is authorized to have viruses, I asked the man from the NSC. He said that it was very hard to say who may have what at what time. He said that the matter was a national security threat and that viruses should not be handled by any more people than those that are treating the problem, and even then it should be reported. He failed to tell me where I could report it. So who is authorized to handle viruses? Am I? Is William Murray? Is anyone? Does it matter what qualifications we have, or how many security problems we have solved in the past, or any work we may have done that was related to the problem? I really don't know. If I am asked to help with a viral problem or infection at some university, corportation, government office and so on, I will continue to appear, and I will continue to work on such problems and will continue to design security systems for companies and research facilities. If the FBI comes to me and wants complete information, I will give them everything I can; if someone designing a virus-fighting package comes to me, I probably will not. Its a question I can't easily answer. I've spoken at length with people before about particular viruses. I've gone over code with other people of some viruses and I've played with some viruses with others who have spent a great deal of time studying viruses and security threats. Loren ========================================================================= Date: Sun, 28 Aug 88 21:40:04 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Virus Conference The Conference seems to be going well. I have a lot of letters to reply to on the subject, and haven't had time, so hold on and I'll get to them. Please try to submit your reservation to me as soon as possible for the conference so I can make sure we'll have enough people coming to cover expenses. Remember to send it to: Virus Conference c/o Loren Keim P.O. Box 2423 Lehigh Valley, Pa. 18001 Include your name, company/college name, position, and any information you might feel is pertinant. Thanks, Loren Keim ========================================================================= Date: Sun, 28 Aug 88 21:49:57 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Computer Virus and Security Papers In accordance with so many requests for a list of virus articles, I'll write some down which were fairly good: Fred Cohen, "Computer Viruses", Proceedings of the 7th DOD/NBS Computer Security Conference, Sep 1984, p 240-263. K.J. Biba, "Integrity Considerations for Secure Computer Systems, MITRE Technical Report, MTR-3153, June 1975. M.M Pozzo "Managing Exposure to Potentially Malicious Programs", Proceedings of the 9th National Computer Security Conference, Sep 1986. M.M Pozzo "An Approach to Containing Computer Viruses", Computers and Security 6 (1987), p 321-331. Some people may also look for: A.D. Dewdney "Computer Recreations", Scientific American, May 1984, pp 14-22. (Corewars Game) D.E. Denning, "Cryptography and Data Security". Addison Wessley Pub, Reading Ma. 1982. Fred Cohen "Computer Viruses - Theories and Experiments", Computers and Security 6 (1987) pp. 22-35. D.E Bell and L.J. LaPadula "Secure Computer System: Unified Exposition and Multics Interpretation" MITRE Technical Report, MTR-2997, July 1975. Also, one that I haven't had any luck tracking down yet --- Shoch, J.F. and Hupp, J.A. "The Worm Programs" Communications of the ACM 25, 3 (March 1982) 172-180. If anyone sees this last one, can they please forward me a copy of it? Loren Keim ========================================================================= Date: Sun, 28 Aug 88 23:23:59 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Conference Notes Sorry to keep cluttering up your mailboxes! To answer some questions, what I said about the conference a few hours ago probably didn't come out quite right. What I meant was that I have received approx 15 registrations for the conference. In addition, I have received over 60 e-mailed letters telling me that people are coming, but I haven't yet received any notes from them/checks from them. We have a total of almost 400 people who have either requested more information, or have stated that they have collegues, friends and associates who might like to attend. I am waiting till we receive a total of about 50 notes to the P.O. box before I send out information about Hotels and so on. Although I'm quite certain we'll have a large number of professionals show up for the conference, I'd like to make certain we are covered. So please don't wait to send in a note to me telling me that you are coming (I know, I'm slow at doing things as well), send something off to me as soon as possible. Looks like we have two panel discussions with a total of 7 people speaking set up so far. We're still trying to get hold of a few more people. We have a great bunch of people coming so far from a wide range of the computer communittee. Please join us. Loren Keim (For those who missed it twice before: PO Box 2423 Lehigh Valley Pa. 18001 )========================================================================= Date: Mon, 29 Aug 88 09:48:00 URZ Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: BG0@DHDURZ2 Subject: Losing more than data... Hi folks, all of us are afraid in some sense of what viruses *can* do. Sometimes it seems as if viruses make a computer system vulnurable as never before. Although this may not be correct I think most of us have thought of the possible harm on people if a viruses hit a computer system. So many people on this list talked about the tragic of losing data and/or programs. But what is the loss of (even valuable) data compared with the death of a human being caused by an erratic computer system in a hospital? To see this is not a fiction, have a look at the following (words CAPSed by me): > COMPUTER VIRUSES > > Some time ago an INTENSIVE CARE UNIT in Glasgow found that its normally > well ordered computer network was becoming erratic: data were being > corrupted and files were being lost. Recently a general practioner who > used an IBM compatible computer for his repeat prescriptions discovered > that important files were being corrupted. In both cases a computer virus > was at work. Eventually the viruses were identified and exterminated, but > not quickly and not without the loss of data. [... definition of a computer > virus is and how it works...] > JOHN ASBURY, senior lecturer in anaesthetics, > University of Glasgow" [ British Medical Journal, No. 6643, Vol. 297, Jul.,23 1988 ] Can anybody on this list confirm this? Anyway, I think we will have some new topics for further discussions: - What mental diseases drive a programmer to design a virus that will hit a hospital computer system? - If a person is being killed by computer (re-)action caused by a virus: Is sHe (the programmer) a murderer? - How should computers be used in environments like a hospital while a secure computer system (resistant against viruses) is not available? Waiting for appropriate answers, Bernd. +-----------------------+--------------------------------------------------+ ! Bernd Fix ! EARN/BITNET: BG0@DHDURZ2 or BG0@DHDURZ1 ! ! Bergheimer Str. 105 ! UUCP: ...!{unido:pyramid}!tmpmbx!doitcr!bernd ! ! D-6900 Heidelberg ! VNET (VoiceNET): +49 6221 164196 ! +-----------------------+--------------------------------------------------+ ! ....1010101001110101101010010010101001001000100101011011101100101.... ! ! This doesn't look like a cry for help, more like a warning! ! ! <from ALIEN part 1> ! +--------------------------------------------------------------------------+ ========================================================================= Date: Mon, 29 Aug 88 06:48:30 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: me! Jefferson Ogata <OGATA@UMDD> Subject: virus blame, p.o. boxes, and NSC Hopefully if person A unwittingly supplies a virus to person B, he won't be assumed guilty merely because he is a capable assembly programmer. Then burden of proof SHOULD be on the plaintiff. Knowledge of program- ming skills would be purely circumstantial (I think). Loren and everyone: I'm perhaps a bit paranoid about money, but I make it a point NEVER to send money to an unincorporated individual via a P.O. Box for something of which I have no proof or receipt. So if registering for your confer- ence must involve sending a check to your P.O. Box, I'll have to forget it. If you can provide a more reasonable method, I'd love to come. Who is the National Computer Security Center? Is this what you mean by NSC? - Jeff Ogata ========================================================================= Date: Mon, 29 Aug 88 14:53:09 +0300 Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Y. Radai" <RADAI1@HBUNOS> Subject: CRC vs. encryption schemes Loren Keim writes: > There are >packages that have had extensive testing by the NSC I'm >told, there are packages that utilize DER encryption schemes >which is much better than trying a simple CRC. > >I would pay at least 5 times as much for a DER encryption >than for a CRC scheme. You have to realize that the value >of the product is worth what was put into it. I challenge Loren to defend the claim that a CRC scheme is inferior to an encryption scheme. But first, let's get one thing clear. Opinions on the merits of CRC differ widely, and I think this is due almost entirely to the fact that different people mean different things when they speak of CRC. For purposes of checking whether a file has been corrupted while sent over a communications line, CRC with a *standard* generating polynomial, usually the CCITT polynomial, is used. However, when a checksum (or signature) algorithm, CRC or otherwise, is used for detecting viral infections, the first requirement, in order to minimize the likelihood of forging the checksum, is that (for any given file) it should yield a *different* checksum when used by different users. In the case of the CRC algorithm, this ordinarily means that instead of using a *fixed* generator for all users, that polynomial must be chosen *personally* by each user or *random- ly* by the program when the database of checksums is first created for that user. Given satisfaction of this requirement, I challenge Loren to produce explicit reasons why a program based on a CRC algorithm is any worse, from a practical point of view, than one based on "DER" [DES?]. And similarly for anyone else who thinks the same of RSA or any other cryptographic algorithm. And if anyone can come up with such a reason, let him explain why such an algorithm is *suffi- ciently* better than CRC to justify the *much greater execution time* required. It should be pointed out that *no* checksum algorithm, no matter how sophisti- cated, will provide dependable detection of viral infection unless certain loop- holes are blocked by the program utilizing that algorithm. I know of three such loopholes and I know of only one program which satisfies the above requirement and which blocks all three loopholes. (I suspect that even Fred Cohen's RSA- based program [1] doesn't do this, and that even with his latest techniques for reducing execution time, a CRC-based program will still run considerably fas- ter.) Y. Radai Hebrew Univ. of Jerusalem [1] F. Cohen, "A Cryptographic Checksum for Integrity Protection", Computers & Security 6 (1987) 505-10. (I've been told that the source code for his program appeared in the April 1988 issue of C&S, but I have not yet seen it.) ========================================================================= Date: Mon, 29 Aug 88 08:13:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: WHMurray@DOCKMASTER.ARPA Subject: Re: Who's SAFE? In-Reply-To: Message of 28 Aug 88 21:35 EDT from "Loren K Keim -- Lehigh University" I am not sure that we have the correct question here. The question is not so much "who is safe" as it is "how is safe." If viruses were hard to come by, we should not bother to have this discussion. It is a little silly to say that anyone has a proprietary right to the Lehigh virus. If people were trying to maintain their proprietary rights in viruses, there would not be a problem. The question is, how can qualified academics exchange sufficient information about the nature of specific viruses without contributing to the problem? I hope that we can agree that distributing live viruses by this network is not appropriate. Three ideas occur to me. 1) Know who you are talking to. Before sending a virus to anyone, be certain that you know who they are. They can advertise their interest (even in the network), and credentials. You can check those credentials with others. You can verify the address. 2) Carefully label the virus. Part of the problem with viruses results from the fact that they do not advertise their purpose and intent in their names and documentation. To label them is, at least partially, to disarm them. 3) Sterilize them or disarm them before sending them. The academic is interested in how the virus is designed to behave. It is useful to preserve that information. However, it is not necessary to preserve the behavior to do that. If you are able, disarm the virus before sending. If you are not, best leave the forwarding to someone who is. Simply destroy the virus. If yours is the last copy, you are a hero. If not, someone qualified to disarm it will likely see it. Others can surely add to this short list. All that having been said, I think that a demonstration is required of those who assert that this traffic is necessary. We have seen excellent expositions in this forum of all of the necessary information to deal with particular viruses. I would assert that those expositions told me everything that I needed to know, even everything that I needed to write a specific antidote, without preserving the behavior of the virus. While I acknowledge that not just anybody could have done the necessary analysis or written those expositions, and it is necessary to deliver the virus to those that can, I would hope that we can limit the traffic to the absolute minimum necessary to accomplish that. If the exposition has been done, further distribution of that virus can only be justified by morbid curiosity. William Hugh Murray, Fellow, Information System Security, Ernst & Whinney 2000 National City Center Cleveland, Ohio 44114 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 ========================================================================= Date: Mon, 29 Aug 88 08:15:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: WHMurray@DOCKMASTER.ARPA Subject: Re: Virus Conference In-Reply-To: Message of 28 Aug 88 21:40 EDT from "Loren K Keim -- Lehigh University" While I have watched a lot of the traffic about the conference, I must have missed the actual announcement. Please send me a copy. In the meantime, please count me in. William Hugh Murray, Fellow, Information System Security, Ernst & Whinney 2000 National City Center Cleveland, Ohio 44114 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 ========================================================================= Date: Mon, 29 Aug 88 10:54:21 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: OJA@NCCIBM1 Re: Distribution of viruses/accountability/liability Mr. Murray madr excellent points concerning the compromise of security by even the people who work as security managers. The more people who have access to the "live" viruses, the more likely that there will be a leak. Most of the security mangagers are probably themselves trustworthy (I hope. :-)) but then what each manager's computers, buildings, support staff, etc.? The potential for unintentional leaks persist; the only sure preventive is not having the viruses there period. The more people undertaking to study and develop means of countering viruses (which is definitely needed), the risks increase. Then, even with otherwise respectable people, there is always a possibilty that someone will have a "price" that will suffice to encourage them to "leak" the viruses. The price could be monetary or ideological. I have a mental scenario that illustrates this situation. Let's say that a manager of Irish-American background were approached by several "interests". Each one sought to use viruses as a weapon again their "target" computers. The manager refuses and most likely passes on information about such "offers" to security agencies, FBI, NSC, whatever. Then someone from the IRA came up and suggests the need for hitting the computers used by MI6 or the Royal Ulster Constabulary. The manager's principle MAY come under more severe test now. (This scenario is not to pick on the Irish or any particular group. Most people have a vulnerable area. Hopefully, integrety will win out. For myself, I can admit that I probably would shed little tears if a computer system used by the PLO or by a neo-Nazi group was hit by a virus. But I also realize the gigantic dangers of "firing the first salvo" inthe world.) Yes, this scenario resembles something out of a "spy thriller" but it serves as an apt warning about human weaknesses. Of course there are other factors that can encourage leaks. Greed and revenge are all time classics. The danger exists. The more like hazard still is a leak by employess, cleaning personell (yes this can happen if the systems are not well secured, burglers carting off the PC's, etc. It is even worsened when the viruses are given to newsmen. (Although my secondary job is along those lines, I agree about the dangers expressed by Loren.) There are all too many curiousity seekers out there as well; people who want a virus as a "throphy". ========================================================================= Date: Mon, 29 Aug 88 11:14:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Jerry Leichter (LEICHTER-JERRY@CS.YALE.EDU)" <LEICHTER@YALEVMS> Subject: RE: CRC vs. encryption schemes Y. Radai asks why CRC checking, given the requirement that: [The] polynomial must be chosen *personally* by each user or *random- ly* by the program when the database of checksums is first created for that user. is not as good as a DES- or RSA-based checksum. The answer is: It depends on the model you are concerned with. But before we even get to that, you CANNOT choose any old "random" polynomial - you have to choose one from an appropriate class. This is not hard to do; the theory is worked out in a paper of Rabin's, "Fingerprinting With Random Polynomials" or some such. (Sorry, I don't have the reference; it probably appeared in a STOC or FOCS 3-4 years ago.) Note that to get reasonable security, you need a moderately large polynomial, so your software implementation may not be as fast as you thought it would be. As for the model: A CRC scheme assumes that your opponent cannot see the result of applying your CRC. CRC is not (known to be) "crypto-secure": It may very well be that, given a program P and its CRC C, with an unknown polynomial, I can find another program P' with the same CRC. Note that this is a MUCH weaker condition than saying that I can determine the polynomial. In fact, the real situation may be that I cannot be CERTAIN that P' will work, but that probabilistically it's a good bet. Given a properly-constructed cryptographic checksum, such as the DES checksum, even if I can CHOSE a large sample of programs P1,...,Pn and get you to hand me their checksums, I still can't find any other program P' with the same checksum as any of the Pi's - unless I know the key you are using. Is this important? It depends on the situation. Using CRC, you can NEVER publish lists of checksums. With DES, you can do so safely. Only people to whom you have given your key will be able to do anything useful - or nasty - with the published information. It's possible construct even stronger checksums: Those which cannot be spoofed EVEN BY SOMEONE KNOWING THE KEY. This is easy to do using a technique that, unfortunately, makes the checksum as large as the information being protected: An RSA signature will do quite nicely. Whether there is a way to do this with a small checksum, I don't know. -- Jerry ========================================================================= Date: Mon, 29 Aug 88 11:17:04 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: OJA@NCCIBM1 Re: Limiting dist of viruses as protection for computer professional While there is legitimacy for a very limited distribution of viruses for study by a limited number of professional, limiting the distribu- tion of viruses, beside protecting the world in general, also protects computer professionals who might otherwise keep a virus or two around. A story from my college days when I worked on summer as a porter (translate that as a janitor) in a hospital. One day, the housekeeping staff had accidentally locked themselves out of the laundry room and the washing machine was going amok- overflowing with sudsy water. The water and suds were coming out from under the door. I offer to try to open the door using a couple of methods that I had heard of. One of the houskeepers warned me not to do it. Rather, she suggested, let the flooding continue until the hospital got a locksmith. The reason is that if I suceeded opening the door, it would be viewed that i "knew locks". So, then, if anything was stolen, if any drugs disappeared, or any equipment vanished, I would have been the prime suspect. And this was not a matter of "pikuach nefesh", of life or death. So I followed the advice. Her advice stuck with me over the years. It also applies to computer data security issues. If I kept viruses and something happend in my area of New Jersey, I could be viewed as a suspect. It has been hazardous enough for being known as an authorof articles about viruses. (One BBS sysop claimed that my text was a "virus" because his BBS crashed soon after I uploaded an ASCII file of one of my articles. Guilt by association.) So all the better not to have the "live samples" unless one is REALLY part of the solution. Addenum to previous posting of accountability.... Another problem in distributing viruses is the problem of verifying who the "security professionals" making requests are. E-mail can be deceptive. Same for letters, phone calls, etc. Face to face contact helps, but all too often there is great amount of uncertainty. This uncertainty can be reduced by further follow-up checks, but the risk in never eliminated totally. In reading about security risks elsewhere, I have come across a number of examples of "spoofs" where someone was induced to work for the KGB or other agencies by the agency presenting itself as some other group- CIA, MI5, Mossad, etc. Again, these are extreme cases. But they illustrate how often people will only do shallow checks. Incidentally, a corpate/ government letterhead is not absolute proofof "genuiness" either. One can always form a "dummy" corporation and the print shops can always prepare a letterhead of any design. There is even the danger of an employee of legitimate cancerns with their own "adgenda". It is a very complicate world out there. Again, Mr. Murray thank you. PS, Mr. Murray, I'll be getting in contact with you about the question concerning FIDONET that you asked before the Fred Cohen lecture in July. ========================================================================= Date: Mon, 29 Aug 88 11:53:02 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Bob Babcock <PEPRBV@CFAAMP> Subject: Re: PERFECT virus? In-Reply-To: USERCE57@UBCMTSG message of Sat, 27 Aug 88 12:22:30 PDT >An extra, and as yet >unidentified hidden file seems to have appeared on the hard disk and many >floppies. (This is in addition to the two MS-DOS system files and one >partitioning the hard disk.) If a disk has a volume label, CHKDSK will count that as a hidden file. Could this be the "unidentified" hidden file? ========================================================================= Date: Mon, 29 Aug 88 12:00:08 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Ken Pendell <D4B@CORNELLA> Subject: Re: Who's SAFE? In-Reply-To: Message of Sun, 28 Aug 88 21:35:21 EDT from <LKK0@LEHIGH> > >If the FBI comes to me and wants complete information, I >will give them everything I can; if someone designing a >virus-fighting package comes to me, I probably will not. > >Loren > You have a much greater trust in our government than I. Ken Pendell ========================================================================= Date: Mon, 29 Aug 88 13:02:54 CDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Frank San Miguel <ACS1S@UHUPVM1> Subject: Re: SUG In-Reply-To: Your message of Thu, 25 Aug 88 10:32:24 EDT I'm not sure as to when the company's going to court, but I'll keep an eye out for any reports. Any more volunteers for watching for Softguard? ========================================================================= Date: Mon, 29 Aug 88 13:23:45 CDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: GARY SAMEK <C133GES@UTARLVM1> Subject: Re: The Adolescence of P1 In-Reply-To: Message of Sat, 27 Aug 88 20:03:00 EST from <DLV@CUNYVMS1> For everyone that is now looking for this book, it is now out of print. Or at least it was out of print at the beginning of this summer when I last gave a serious attempt at locating a copy of it. If anyone has any luck finding a copy of this book, I would be interested in hearing about it. I was told at a local book store that my best chance would be to look in used/traded book sections. I have looked in the local libraries for the book without any luck there either. Good Hunting. Gary Samek Bitnet C133GES@UTARLVM1 Telnet C133GES@UTARLG Arpanet C133GES@UTARLG.ARLINGTON.TEXAS.EDU ========================================================================= Date: Mon, 29 Aug 88 13:38:29 CDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Frank San Miguel <ACS1S@UHUPVM1> Subject: Re: Softguard In-Reply-To: Your message of Thu, 25 Aug 88 19:04:00 EST Thanks for the information that you sent and to the effort you put into it. It's been very interesting reading. Frank ========================================================================= Date: Mon, 29 Aug 88 22:33:57 +0300 Reply-To: gany@taurus Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> Comments: If you have trouble reaching this host as MATH.Tau.Ac.IL Please use the old address: user@taurus.BITNET From: GANY@TAURUS Subject: what is DER ? Can someone please explain, to the fool among us (like me), WHAT IS and HOW DOES "DER" works (a short bullet proof explanation). That will make the flaming argument about CRC vs. DER much more clear to people who are not certified computer hackers (yes, ordinary people exist too !). If it was already done and i missed it, please accept my appologies. thanks Yair Gany Gany@Math.Tau.Ac.Il Tel-Aviv University ========================================================================= Date: Mon, 29 Aug 88 15:29:08 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Joe McMahon <XRJDM@SCFVM> Subject: Re: The First Virus In-Reply-To: Message of Sat, 27 Aug 88 13:26:26 EDT from <David.Slonosky@QUEENSU.CA> >What exactly is "The Adolescence of P1"? Fact or fiction? Anyone who says that a truly intelligent program could run on a 512K MFT system is *definitely* writing fiction. Half the time you couldn't even run a STUPID program! :-) --- Joe M. ========================================================================= Date: Mon, 29 Aug 88 17:45:07 CDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Kenneth P. Russell" <KPRUSS@RICE> Subject: Re: More administravia ... In-Reply-To: Message of Wed, 24 Aug 88 10:52:00 CDT from <C145GMK@UTARLG> I am getting two copies of virus mail. ========================================================================= Date: Mon, 29 Aug 88 22:14:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Glen Matthews <CCGM000@MCGILLM> Subject: Outline of Worm Pgms Paper in CACM While not wanting to help bury Loren with yet another copy of the paper "The 'Worm' Programs: Early Experiences with a Distributed Computation" (in CACM March 1982, pp.172-180), as I am sure that more than 1 copy is now winging its way there, I thought that others on this list might be interested to peruse the outline of this paper, together with an annotation or two. (Whew!) (Incidentally, John Brunner's "The Shockwave Rider" is referenced therein as well as "The Adolescense of P1" and one I hadn't heard of, "The Medusa Conspiracy" by Ethan I. Shedley.) 1 Introduction - distinguishes so-called "distributed computing" from worms - "distributed *computations*" 2 Building a Worm - worm: a computation which lives on 1 or more machines; the program on each machine is termed a "segment" 2.1 General Issues in - authors emphasize that since the worm *takes Construcing A Worm over* the host machine, any disk residing on that machine should not be written on; doing so is labelled as a "profoundly antisocial" act 2.2 Starting a Worm - on 1-st machine, worm is started as would be any other program 2.3 Locating Other - worm expands to its full complement of machines Idle Machines using *only* idle machines (say, overnight) 2.4 Booting an Idle - the architecture of the network (ethernet) Machine is such that an idle machine (running a memory diagnostic test pgm) can be requested to boot from the network, but control cannot be seized 2.5 Intra-Worm Communication: The Need for Multi-Destination Addressing - problem of co-ordinating which machines are currently still part of the worm; time-out and labelling a non-communicative segment as not part of the worm any more 2.6 Releasing Machines - memory diagnostic is re-started; noted that if segment or boot fails, the machine is effectiv- ly cut out of the network (stopped) 3 A Key Problem: - puzzling situation recounted: a small worm left Controlling a Worm running overnight resulted in a dozen machines "dead" the next morning; a corrupted copy of the worm was failing in the boot sequence; some machines were physically locked up and running the worm and thus could not be aborted; luckily, an emergency escape had been included within the worm, so that it could be shut down; "...unfortunately, the embarassing results were left for all to see: 100 dead machines scatter- ed around the building..." 4 Applications Using the Worms 4.1 The Existential Worm - this program simply stayed alive 4.2 The Billboard Worm - distributed a "cartoon of the day" 4.3 The Alarm Clock Worm - used to signal a user at a later time; not dependant upon a single machine; would dial up user's telephone!!! 4.4 Multimachine Animation - a single controlling node using other Using a Worm machines to multi-process the graphics problem at hand, generating animation effects 4.5 A Diagnostic Worm for - testing pair-wise communication error the Ethernet rates for networks of 120 machines, using a single controlling node 5 Some History: Multi-Machine - routing algorithm (IMPs); McRoss; Programs on the ARPANET the "Creeper"; "much of this work, however, was done in the early '70s" 6 Conclusions Although "worms" sound as nefarious as viruses I would suggest that they are something completely different. For one thing, the computing environment required is different than that in which viruses are being found today. For another, far from having an "infection" it sounds as though worms will need to utilise network calls to install themselves. This implies a far greater measure of control over the resources that a worm would be able to command. Anyway, this hopefully will encourage those interested to truck on down to the library for this article. Glen Matthews ========================================================================= Date: Tue, 30 Aug 88 00:45:18 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Replies to Virus-L Comments Bernd, I have not heard of the specific incident you cited about a virus attacking a hospital, but have heard of at least 6 more incidents. None of the incidents were very dangerous to patients, but were apparently written to attack a specific hospital system. I think it takes a very sick human being to attack such systems. Jeff, Surprizingly, you are the very first person to ask about the integrity of the individual vs the company. I agree with you, there is very little I can do here to prove that I am being honest and won't run off with your money. I will provide receipts to people along with hotel names and so on (I had already planned on this, and even picked up a receipt book!), and you should write in the Memo section of your check (most checks have these) that it is a registration fee for a virus conference, include a letter and keep a xeroxed copy of it. If you are really worried, then mail yourself a xeroxed copy of the letter the same day you send me a check and don't open the letter. Incidently, an individual is much easier to sue than a company. A company can just dissolve or declare bankrupcy. You can put a lien on my property (THAT IS NOT A SUGGESTION!). And you will get a cancelled check, which is evidence itself. NSC: When I speak of the NSC (which individuals have talked to me and identified themselves as being from this organization), I ASSUME it is the National Security Council (Is that last word Council?) under Pres. Reagan. I am in NO WAY certain this is who I talked to. When I refer to the National Computer Security Center, I am referring to an entirely different group. DES: I MEANT DES, not DER... I make that mistake often. William H. Murray: Thank you, you pointed out a few things that I missed. I neglected to say anything about sterilizing viruses before sending them anywhere. Its common practice, so it was something I overlooked. Bob and others: Wasn't Miami U telling us several months back that they had been hit by a virus which attacked Word Perfect? (Who has a problem with Word Perfect? Its a good and inexpensive word processor!) Thank you, Loren K Keim ========================================================================= Date: Tue, 30 Aug 88 03:38:07 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: me! Jefferson Ogata <OGATA@UMDD> Subject: conference queries Loren: The check to a P.O. box is definitely out of the question, unless you could provide a name of a reputable sponsor of the conference I could contact. Who is sponsoring the conference? I am also curious as to whether there will be profits, and if so, what will become of them. Obviously, you can't give a definite answer as to whether the fifty dollars apiece will be too much or too little at this stage. Have you had any experience organizing conferences? I would like to know what your status is at Lehigh, and to what extent Lehigh University is involved. Also, how many people have sent checks? Perhaps with this information, I would consider attending. - Jeff Ogata ========================================================================= Date: Tue, 30 Aug 88 03:53:40 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Amanda B Rosen <abr1@CUNIXC.CC.COLUMBIA.EDU> Subject: Re: The Adolescence of P1 In-Reply-To: Your message of Mon, 29 Aug 88 13:23:45 CDT I read that book when it first came out. While the virus stuff is reasonably accurate (the AI part is junk), my impression of the book was that it was badly written and not immensely gripping. Still, it has been ten years or so, so I could be wrong... /a ========================================================================= Date: Tue, 30 Aug 88 07:56:03 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Ken van Wyk <luken@SPOT.CC.LEHIGH.EDU> Subject: Re: conference queries In-Reply-To: Your message of Tue, 30 Aug 88 03:38:07 EDT > Who is sponsoring the conference? Loren is. > I would like to know what your status is at Lehigh, and to what extent > Lehigh University is involved. Loren is an undergraduate student here at Lehigh, in good academic standing I believe. Lehigh University, to the best of my knowledge, is not involved in the conference in any way. At least the Computing Center certainly is not. Ken Kenneth R. van Wyk Calvin: Where do we keep the chainsaws? User Services Senior Consultant Mom: We don't have any! Lehigh University Computing Center Calvin: None?! Mom: None at all! Internet: <luken@Spot.CC.Lehigh.EDU> Calvin: Then how am I supposed to learn BITNET: <LUKEN@LEHIIBM1> how to juggle?! ========================================================================= Date: Tue, 30 Aug 88 11:29:42 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: OJA@NCCIBM1 Re: Interest in THE ADOLESCENCE OF P1 /Book Search A local used bookstore in my area has a number of slightly used copies of the book. If anyone is interested in obtaining a copy, please contact me by postal mail or telephone to work out arrangements. In general, I believe that the best bet for finding this book will be the used bookstores. Look under Science Fiction. J.D. Abolins 301 N. Harrison Str., #197 (mail only) Princeton, NJ 08540 (609) 292-7023 If anyone has trouble finding John Brunner's SHOCKWAVE RIDER, I believe I have seen in the used bookstores as well. Thank you. ========================================================================= Date: Tue, 30 Aug 88 11:39:49 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "David A. Bader" <DAB3@LEHIGH> Subject: Virus Arguements Hit Home Yesterday, I was calling up this area's local BBS's, when to my surprise, I found a feud going on. One BBS sysop claims that a second sysop is responsible for a virus that he somehow got. Since FluShot gave the receiving sysop an error message (which probably is common, but he doesn't realize that) he feels that the virus can be traced to the host sysop's BBS and therefore is seeking damages.. The host sysop claims that if he is being accused and wrongly slandered that he would consult legal authorities at his business. I am not sure if all the details here are 100% accurate, but I can upload a copy of the messages in the feud here if some people are interested. David A. Bader DAB3@LEHIGH ========================================================================= Date: Tue, 30 Aug 88 17:20:49 +0300 Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Y. Radai" <RADAI1@HBUNOS> Subject: CRC vs. encryption schemes A few comments on Jerry Leichter's reply to my question/challenge: >It may very well be that, given a program P and its CRC C, with an unknown >polynomial, I can find another program P' with the same CRC. Note that this >is a MUCH weaker condition than saying that I can determine the polynomial. Agreed. I never assumed that one had to determine the polynomial in order to forge a CRC. However, it's not enough to say that "it *may* be that ...". If you can't demonstrate a *method* for doing this in general, you won't convince many people. So for sake of argument, I shall assume you have in mind some- thing like the method described by Woody Weaver in his May 17 contribution to VIRUS-L. If so, where do you get the set of polynomials gi(x) from? It would clearly be impractical to take it to be all possible polynomials (even assuming you know the size of the generator). So do you simply choose (say) 100 poly- nomials at random, apply Woody's procedure, and hope for the best? That would take a lot of computation time, which would certainly be noticed. And even if it isn't, if the probability of succeeding isn't sufficiently large, the CRC checker will sometimes notice your attempted forge, tipping off the community to the existence of a virus. Can you supply any assurance that this probability will be large? And if you are thinking of some quite different method of forging the CRC, could you please explain it? > you CANNOT choose any old "random" polynomial - you have to >choose one from an appropriate class. For reasons mentioned above, I think your words "CANNOT" and "have to" are a bit too strong. Anyway, I presume you're referring to a restriction on the set of polynomials (from which the generator is randomly chosen) to the subset of *irreducible* polynomials. The reason I didn't mention this in yesterday's message was that I considered this to be a relatively minor matter compared to the distinction between a fixed generator and a personal/random generator. (Recall that the requirement which you quoted was described by me as the *first* requirement, not the *only* requirement.) Since I may have misunderstood something and this might be a more important point than I thought, it should be mentioned that a CRC checker (the same program which I mentioned in my message yesterday) has been written which makes a random choice among almost 70 million irreducible polynomials. Do you think anyone can forge a checksum on that basis? This program is based essen- tially on Prof. Michael Rabin's "fingerprint" algorithm, and as you yourself admitted in your contribution of May 9, that makes it cryptographically strong despite the fact that it is CRC-based. Perhaps I could rest my case here, but there are a a couple of additional details: > Note that to get reasonable security, you need >a moderately large polynomial, so your software implementation may not be as >fast as you thought it would be. The above program uses a 31-bit generator and is at least as fast as any other checksum program I have tried (except for FluShot+, which probably uses some- thing more primitive than CRC; in any case it doesn't satisfy my "first" re- quirement). > Using CRC, you can NEVER >publish lists of checksums. Since use of a CRC algorithm for the detection of viral infection (which is the only context in which I mentioned CRC) doesn't imply the need for such a list, this remark doesn't seem to me to be relevant to my question. But I'm still curious to know exactly how one would exploit a list of CRC checksums to do something nasty. In short, Jerry, I don't think you've succeeded in supplying any good justifi- cation for the much greater execution time required for DES- and RSA-based algorithms as compared to a Rabin-type CRC algorithm, and unless I've missed some important point, not even compared to an ordinary CRC algorithm satisfying my "first" condition. Y. Radai Hebrew Univ. of Jerusalem ========================================================================= Date: Tue, 30 Aug 88 08:10:42 CDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Frank San Miguel <ACS1S@UHUPVM1> In-Reply-To: Your message of Mon, 29 Aug 88 10:54:21 EDT Your point is certainly a valid one. Virtually any programmer with ill will toward an organization or institution could formulate a virus in a few hours (or a poorly constructed virus in less time) and crash that system should it have weak defenses. It's distrubing to think that such vengeful persons can easily bring about "viral warfare." That brings me to another point, if a war should take place (sensibilities forbiding), how prominently would viruses be used as a means of attacking an enemy? This sounds like the plot of a cheesy film, but anything's possible. Frank ========================================================================= Date: Tue, 30 Aug 88 10:48:33 CDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Frank San Miguel <ACS1S@UHUPVM1> Subject: A few questions I've got two questions concerning Mac viruses. First, if programs like Ferret and Vaccine are not as dependable as one could hope, how does one search for a viral infection using ResEdit? Also, could someone dig up a copy of Howard Upchurch's article on SCORES and forward it to me? Thanks. Frank ========================================================================= Date: Tue, 30 Aug 88 13:15:41 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Who's Sponsoring What Thank you for answering Ken, but please do not answer questions you know little about before consulting me. The conference is sponsored at this time by two organizations within Lehigh, and I am trying to get a department to sponsor the conference. I will be able to tell you later this week who you may contact within Lehigh for information. Agreeing with Ken, I am enrolled in the undergraduate program at Lehigh. I dislike the term undergraduate because I have worked in the field for over 6 years and had taken courses at schools previous to attending Lehigh. Undergraduates, unfortunately, often are thought of as people who don't know anything and haven't spent time working in the real world, so I continue to shy away from that label. If you question my integrety, you can check up on me. I was a member of the Bethlehem Beautification Committee, a part of a group to the Bethlehem Area School District Superintendant Committee, and have served on many non-profit organizations. I was one of the people who started the "Save our Statue" fund about 6 years ago that obtained national status. I am easy to contact through any of the Century 21 Keim Realtor offices in the Lehigh Valley area, Keim Enterprises. While all of this means practically nothing, I like to think I have a decent reputation for being fair and so on. I am using a P.O. Box because it is easier for me to separate mail that way. If you so desire, I live at 1950 Ravenwood Drive in Bethlehem (Zip 18018). Again, its very hard for me to assure you that I am "on the level". I think tommorrow I may be in a better position to discuss it, however. If you have any specific questions, you can direct them to me here at LKK0@LEHIGH. Thank you, Loren K Keim ========================================================================= Date: Tue, 30 Aug 88 13:13:36 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Steven C. Woronick" <XRAYSROK@SBCCVM> Subject: Re: Outline of Worm Pgms Paper in CACM For the benefit of the non-expert, could I suggest that we spell out certain abbreviations which one would anticipate will elicit questions when they first appear in a message? For example if I mention DES, my first reference to it might appear as "Data Encryption Standard (DES)." (By the way, there is a discussion of DES in the book "Numerical Recipes" --- sorry I don't have it in front of me so I can't tell you the authors). Maybe this is too burdensome to ask? Maybe one us should put together a glossary? Although I have already inferred more or less the meaning of DER and CRC, can somebody please tell me what they stand for? Finally what is the name of the journal CACM spelled out? Steve ========================================================================= Date: Tue, 30 Aug 88 17:24:37 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Loren K Keim -- Lehigh University <LKK0@LEHIGH> Subject: Virus Conference Concerns Update To answer some of the concerns people recently had here about the virus conference: As I had said before, we were being sponsored by two Lehigh University organizations but not by the college itself. We are working on trying to get the university to sponsor the conference at this time. We should know in the next few days the answer. The major concern the University seems to have is that Lehigh must maintain the highest possible standard of professionalism at a conference, as any college or university should. If we are sponsored by Lehigh, then those of you who might have had questions about integrety will be able to send a check directly to Lehigh. Other than that, we seem to have a great list of speakers, panelists and others coming representing a wide variety of computer security experts and amatuers. I will keep you informed. Thank you, Loren Keim ========================================================================= Date: Tue, 30 Aug 88 14:49:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Jim Shaffer, Jr." <SHAFFERJ@BKNLVMS> Subject: Re: Outline of Worm Pgms Paper in CACM CRC stands for Cyclic Redundancy Check. CACM is the "Communications of the Association for Computing Machinery." DER, as far as I know, was an error for DES. Don't flame me if I'm wrong; there's getting to be a lot of mail and little time to read it. --Jim ========================================================================= Date: Tue, 30 Aug 88 12:07:13 CDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Frank San Miguel <ACS1S@UHUPVM1> Subject: Re: Virus Arguements Hit Home In-Reply-To: Your message of Tue, 30 Aug 88 11:39:49 EDT Dueling Sysops. Sounds like a song subject. Maybe this question has already been brought up but I'm curious what people's thoughts are on the subject. In a recent issue of Computerworld, the subject of viruses and how they fit into insurance costs was raised. On one hand, those paying the insurance feel that they should be compensated for their losses to viruses since they're paying high bills. Insurance companies, though, feel they shouldn't have to pay for another person's behavior. The article listed a few companies that do have provisions for viruses and those who are undertaking the task. I'll put them up if anyone wants them. Frank ========================================================================= Date: Tue, 30 Aug 88 15:30:11 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Jim Marks <JMARKS@GTRI01> Subject: Re: Outline of Worm Pgms Paper in CACM In-Reply-To: Message of Tue, 30 Aug 88 13:13:36 EDT from <XRAYSROK@SBCCVM> Steve, Your suggestion about spelling abbreviations on first use is a good one. It is a fairly well recognized standard for reports, etc., and is a good idea for here. Only the most EXTREMELY common abbreviations should not be done this way, at least on the first use. In reply chains, this should probably not be necessary. I, too, am not familiar with all the jargon and abbrev- iations such as DES. I do know what CRC stands for, although I don't know how to use it. By the way, CACM stands for Communications of the Association for Computing Machinery (ACM). This is the primary journal of the ACM. Jim Marks ========================================================================= Date: Tue, 30 Aug 88 14:22:01 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Steve <XRAYSROK@SBCCVM> Subject: Assurance I really cannot understand all the fuss about whether Loren is on the up and up. There is not a shred of evidence for, and it is ridiculous to suggest, that Loren might perhaps embezzle the funds for the conference and skip town. The conference money is not very much compared to the loss of reputation, risk of a law suit, and other damages certain to be incurred by such a fraud. I would however suggest (Loren probably already knows this) that a bank account be established solely for handling the conference expenses and that Loren obtain and retain all recipts for all conference-related expenditures. This is good insurance against later accusation. The question about left over monies is a good one, but also what about not enough funds? I think Loren deserves to be thanked for his efforts in setting up and running the conference. Unfortunately, I am too busy to attend. Life is full of risks and if you want to live a full and normal life (maybe even otherwise also), you are forced to take at least some risks all the time. So, you take risks you consider to be reasonably safe. It is always possible that your next door neighbor will run you down with his car just for the fun of it the next time he sees you. It is possible that the cashier will pocket the $20 bills you just handed her and claim that you didn't give her anything (and charge you with assault or robbery should you try to get your money back). But life is always forcing these kinds of risks on you and you must evaluate each risk and the motives and psychological make up of the people involved. It has been said that if you don't take risks, you risk not living. I personally think the conference is a pretty good risk. And a cancelled check is a pretty good receipt. Steve ========================================================================= Date: Tue, 30 Aug 88 16:14:57 CDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Len Levine <len@EVAX.MILW.WISC.EDU> Subject: Re: CRC vs. encryption schemes In-Reply-To: Message from "Y. Radai" of Aug 30, 88 at 5:20 pm > > A few comments on Jerry Leichter's reply to my question/challenge: > >>It may very well be that, given a program P and its CRC C, with an unknown >>polynomial, I can find another program P' with the same CRC. Note that this >>is a MUCH weaker condition than saying that I can determine the polynomial. > >Agreed. I never assumed that one had to determine the polynomial in order to >forge a CRC. However, it's not enough to say that "it *may* be that ...". If >you can't demonstrate a *method* for doing this in general, you won't convince Perhaps we have two different concerns here. One is the problem of determining if a file that was previously clean had become infected. For this one needs only to look for changes. A CRC will do this, unless the infecting agent is 'smart' enough to add a byte or two of checksums that will cause the CRC generator to show the same CRC. No virus writer can do this if he does not know what CRC polynomial you are using. The second problem involves publishing the CRC so that others may know if distributed code had been changed. For this, you must also publish the polynomial so that others can check the code. Clearly here the polynomial is known and the virus writer can take that into account as he writes his mean stuff. Since in the first case speed is of the essence (I run my checker with each bootup and it takes time), and in the second case, it is less so, we have two problems with two solution sets. + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + | Leonard P. Levine e-mail len@evax.milw.wisc.edu | | Professor, Computer Science Office (414) 229-5170 | | University of Wisconsin-Milwaukee Home (414) 962-4719 | | Milwaukee, WI 53201 U. S. A. Modem (414) 962-6228 | + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ========================================================================= Date: Tue, 30 Aug 88 15:06:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Jerry Leichter (LEICHTER-JERRY@CS.YALE.EDU)" <LEICHTER@YALEVMS> Subject: RE: CRC vs. encryption schemes Y. Radai writes: I never assumed that one had to determine the polynomial in order to forge a CRC. However, it's not enough to say that "it *may* be that ...". If you can't demonstrate a *method* for doing this in general, you won't convince many people. If we were living in the 1930's, this statement might have some validity. Today, it is extremely naive. The world is full of failed cryptosystems which people relied on because "no one could demonstrate a method" of breaking them. Given advances in the field, the burden of proof should be - and, among people who work on these issues, IS - entirely on the PROPOSER of a system to show that his system is secure, in some sense. (Absolute proofs of security are still beyond us, but proofs if certain problems which are believed to be very hard are, indeed, very hard are possible.) I suggest you read Kahn's "The Codebreakers" and see if you wish to stand by your statement. Since I may have misunderstood something and this might be a more important point than I thought, it should be mentioned that a CRC checker (the same program which I mentioned in my message yesterday) has been written which makes a random choice among almost 70 million irreducible polynomials. Do you think anyone can forge a checksum on that basis? Yes, easily. A common error in this kind of work is not to understand the power of brute force. Your range of possible polynomials is too small to be secure. Suppose I know how your polynomial generator works, and have a copy of ONE file with your checksum for it. I proceed to compute the checksum of the file with all 70 million possible polynomials, comparing the results to the known checksum. Even if it takes a second to compute, I can expect a match in a little over a year. If I'm serious about the search and willing to make an investment in hardware, I can get a result much faster, since the program parallelizes trivially to arbitrary degree. If I get to chose the file - if, for example, you maintain a BBS and I can convince you to add my file to your files and publish a checksum for it for people to check - I may be able to do better. (At a minimum, I can guarantee that the file is short and so can be checked quickly.) What I get out is the actual polynomial - more than I needed. (There's a chance - about 1 in a 100 - that two polynomials produce the same checksum on the given file. A quick check with another file - if you publish one, you'll publish another - minimizes this.) Go to 48-bit polynomials, and this method becomes impractical. But you don't KNOW that other methods don't make the problem absolutely trivial! This program is based essentially on Prof. Michael Rabin's "fingerprint" algorithm, and as you yourself admitted in your contribution of May 9, that makes it cryptographically strong despite the fact that it is CRC-based. I no longer have a copy of my May 9th contribution - I'm fascinated, and complimented, that anyone thought it interesting enough to save and remember - but the use of "admitted" in this context is suspect. It has nothing to do with proof. Rabin's scheme was based on an idea that is common in much of his work, and actually goes back to basic game theory: Using randomization, choose one path from among many. Your adversary can defeat any particular path you choose, but because he doesn't know which one you will choose, he must defeat all of them at once - which he cannot do. Here, "path" is a particular polynomial. Rabin's scheme fails immediately if your opponent knows the particular polynomial you intend to use. As I recall, I speculated that you could get around this by publishing a list of polynomials, and checksums with respect to ALL of them, with the list so long that the adversary could not compute a falsified value that would satisfy all of them but still have an acceptable length. Then you would check a small, randomly chosen subset of the polynomials. For this to work, a suitable list of polynomials would have to be shown to exist: Long enough that fooling all, or even a signficant fraction, of them simultaneously is impossible; short enough that you would be willing to compute and publish ALL the checksums. I don't know of anyone who has shown that such a list can be constructed; it's an interesting problem. -- Jerry ========================================================================= Date: Tue, 30 Aug 88 19:32:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Jim Shaffer, Jr." <SHAFFERJ@BKNLVMS> Subject: Loren's virus conference Could we please take this debate about the conference elsewhere? I don't know where, maybe a user-run mailing list, but I'm a bit tired of it on Virus-L. Probably Jeff is just being over-cautious, and I can't necessarily blame him. But this debate has gotten annoying. ========================================================================= Date: Tue, 30 Aug 88 22:06:11 -0700 Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Steve Clancy <SLCLANCY@UCI> Subject: conference What are the possibilities of publishing some sort of proceedings or recordings of some of the discussions at the upcoming conference for those of us who can't make the trip? ========================================================================= Date: Tue, 30 Aug 88 22:11:02 -0700 Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Steve Clancy <SLCLANCY@UCI> Subject: Re: AT configuration In-Reply-To: Your message of Mon, 15 Aug 88 13:37:42 -0500. <8808151311.aa17665@ORION.CF.UCI.EDU> > I wonder what would be the effect of telling my AT, through some > configuration changes that I have no hard disk. > > I can run a program that permits me to tell the battery operated RAM > package that I have one of 45 or so different hard disks, or by > putting a zero in some location tell it that I have no hard disk. Can > a virus guess what sort of disk I have? What would happen if the > virus guesses wrong? > > Interested in some feedback here. > > + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + > | Leonard P. Levine e-mail len@evax.milw.wisc.edu | > | Professor, Computer Science Office (414) 229-5170 | > | University of Wisconsin-Milwaukee Home (414) 962-4719 | > | Milwaukee, WI 53201 U. S. A. Modem (414) 962-6228 | > + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + > There is an interesting program called PC-LOCK which will effectively isolate your hard disk (at least on an XT) from the system. Once installed, if a user attempts a hard disk boot, he/she must supply the proper password to gain access to the HD. If booted by a floppy in the A drive, access is also blocked as the HD does not appear to exist, and the user does not have access. This package is shareware. I would be happy to make it available to all in the conference, but I am not sure how to do so. Steve Clancy, U.C. Irvine, Biomedical Library. Wellspring RBBS 714-856-7996 ========================================================================= Date: Tue, 30 Aug 88 22:20:49 -0700 Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Steve Clancy <SLCLANCY@UCI> Subject: Flushot trojan horse I recently came across this message from the author of Flushot. I haven't seen it here, unless I've missed it. Steve Clancy, U.C. Irvine, Biomedical Library. Wellspring RBBS 714-856-7996 **************************************************************************** !!OF VITAL IMPORTANCE!! ============================================================================= ATTENTION! ========== THERE IS A TROJAN PROGRAM AFOOT AND IT'S CALL FLU4TXT.COM! IT DID NOT ORIGINATE FROM MY BOARD, OBVIOUSLY. AS OF 3/11/88 THE MOST RECENT RELEASE OF THE FLUSHOT PROGRAM IS 'FLUSHOT3'. THE ARCHIVE CONTAINS A NUMBER OF TEXT FILES, AND FLUSHOT3.COM ITSELF. LEGITIMATE COPIES OF FLUSHOT3 ARE AVAILABLE ON EITHER OF THE BBS'S BELOW, ON GENIE, ON BIX, OR FROM USENET. ABOUT THE TROJAN ================ FLU4TXT.COM IS A TEXT DISPLAY PROGRAM WHICH WILL SHOW YOU SOME OF THE DOCUMENTATION WHICH COMES WITH FLUSHOT3, AND WILL THEN DAMAGE YOUR HARD DISK WHEN YOU EXIT. ADDITIONALLY, IT ALSO PLAYS GAMES WITH THE DISK PARAMETER TABLE. NASTY STUFF. THE WRITER OF THE TROJAN WAS CLEVER: IT IS SELF MODIFYING AND SELF RELOCATING CODE WHICH WILL NOT BE FOUND BY CHK4BOMB. WHAT TO DO ========== PLEASE BE SURE TO TELL ANY SYSOP ON ANY BOARD WHERE YOU SEE THIS PROGRAM (OR AN ARCHIVE CALLED FLUSHOT4) THAT IT IS A TROJAN, THAT IT SHOULD BE REMOVED FROM THEIR BOARD IMMEDIATELY, AND THAT A WARNING MESSAGE SHOULD BE POSTED TO THAT EFFECT. PERHAPS A COPY OF THIS WARNING BULLETIN WILL SUFFICE. !!!DO NOT RUN FLU4TXT.COM!!! IT WILL EAT YOUR HARD DISK *AS*IT*EXITS*!!! WHO DO I CONTACT? ================= IF YOU HAVE QUESTIONS ABOUT FLU4TXT.COM OR ABOUT THE LEGITIMATE SERIES OF FLUSHOT PROGRAMS, PLEASE FEEL FREE TO LEAVE A MESSAGE ON FOR ME ON EITHER OF THE FOLLOWING BBS SYSTEMS: RAMNET ((212)-889-6438), NYACC ((718)-539-3338) OR ON 'BIX' OR VIA 'MCI MAIL' (I'M USER 'GREENBER' ON BOTH BIX AND MCI) FLUSHOT3.ARC IS AVAILABLE ON THOSE BULLETIN BOARDS AS WELL AS MANY AROUND YOU. BEFORE DOWNLOADING A COPY FROM A TRUSTED BBS, PLEASE BE SURE TO ASK THE SYSOP IF THEY HAVE ACTUALLY RUN THE COPY THEY HAVE AVAILABLE FOR DOWNLOAD ON THEIR BOARD. IT IS *YOUR* DISK AT RISK..... ROSS M. GREENBERG ========================================================================= Date: Wed, 31 Aug 88 03:07:01 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: me! Jefferson Ogata <OGATA@UMDD> Subject: caution Apologies to all for extending this debate any further; I merely desire to explain that my primary concern is not that Loren would embezzle funds. I am actually concerned that the conference might not happen. In that case, I will be out $50 for two months or so. This is signifi- cant to me, as I am a college student with not a lot of dough. Fifty bucks will buy me 1.5 textbooks on the average. Putting a conference together, with finding a location, hotel accomodations, arranging for printing and typesetting documents, reviewing papers for presentation, and a zillion other details is a HUGE amount of work. One person working alone and having no experience arranging conferences is likely to find it very difficult. And the semester is about to begin. With that, I drop the subject. - Jeff ========================================================================= Date: Wed, 31 Aug 88 07:31:24 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Ken van Wyk <luken@SPOT.CC.LEHIGH.EDU> Subject: Re: Virus Conference Concerns Update In-Reply-To: Your message of Tue, 30 Aug 88 17:24:37 EDT > Other than that, we seem to have a great list of speakers, > panelists and others coming representing a wide variety > of computer security experts and amatuers. Perhaps you could give us all a (partial, at least) list of speakers and panelists? Ken Kenneth R. van Wyk Calvin: Where do we keep the chainsaws? User Services Senior Consultant Mom: We don't have any! Lehigh University Computing Center Calvin: None?! Mom: None at all! Internet: <luken@Spot.CC.Lehigh.EDU> Calvin: Then how am I supposed to learn BITNET: <LUKEN@LEHIIBM1> how to juggle?! ========================================================================= Date: Wed, 31 Aug 88 10:12:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: EAE114@URIMVS Subject: CRCs and Published Keys I'm don't understand the theory behind publishing checksums for programs. In order for this to work, it seems as if you need a secure (un-spoofable) channel for transmitting the checksum. If you DONT do this, then whoever, substitutes infected code for yours can easily also substitute a checksum that matches it. If you HAVE such a secure channel, then why not just transmit the programs, and forget the encryption? EAE114@URIMVS (Eristic/PRose) Disclaimer: This message doesn't exist, objectively. ========================================================================= Date: Wed, 31 Aug 88 09:34:00 MDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: LYPOWY@UNCAMULT Subject: Oops! Wrong Address John. This message is to John Stewart, who requested the address for Dr. Ian Witten. I am posting this here because I deleted John's message and thus do not have his address. John, sorry about this, but Ian Witten's address is: calgary.UUCP instead of what I sent you previously. Thanx! Greg. P.S. Loren - I am still waiting on some info from you (I realize how many requests you must have received for such info, so just get it to me A.S.A.Y.C!) ========================================================================= Date: Wed, 31 Aug 88 13:24:00 EST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "Jerry Leichter (LEICHTER-JERRY@CS.YALE.EDU)" <LEICHTER@YALEVMS> Subject: RE: CRCs and Published Keys I'm don't understand the theory behind publishing checksums for programs. In order for this to work, it seems as if you need a secure (un-spoofable) channel for transmitting the checksum. If you DONT do this, then whoever, substitutes infected code for yours can easily also substitute a checksum that matches it. If you HAVE such a secure channel, then why not just transmit the programs, and forget the encryption? This is quite true. However, the checksums and the keys to generate them can be much smaller than the code being protected. Imagine a service of the following form: You pay some amount of money to join up. You are given a sealed box containing a checksummer: It accepts a file as a series of bytes on an ASCII line and displays a checksum. The device is built so as to be very hard to reverse-engineer. Anyone producing a piece of software provides a copy to the service. The service will NOT accept it until it has a verifiable identification of the person. The service then computes the checksum and saves it away for later. When you want to use a piece of registered code, you pick it up from any convenient source, call the registry, ask for the checksum, and compare to what your checksum box claims the checksum should be. Alternatively, the service prints the checksum on some hard-to-forge medium and sends copies to subscribers. (The technology for making hard-to-forge paper and such is long established.) This scheme requires that the checksum function be cryptographically strong: Every subscriber is in a position to calculate the checksum of any piece of text he wishes to. You need to be reasonably confident that this will not help him forge checksums. -- Jerry ========================================================================= Date: Wed, 31 Aug 88 13:13:50 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Ed Nilges <EGNILGES@PUCC> Subject: RE: CRC vs. encryption schemes In-Reply-To: Your message of Tue, 30 Aug 88 15:06:00 EST In connection with the issue of just how hard it is, in general, to break encoding schemes, and the power of brute force in the form of computers, readers of this list should read the Science Times section of the New York Times for Tuesday, Aug 30th: here, the mathematician John Conway of Princeton (and creator of the game of LIFE) offered a reward to anyone who could determine the location of a certain key number in a series. Colin Mallows of AT&T Bell Labs came up with the solution, in part using a computer, in an astonishingly short time. Conway had offered a 10,000.00 reward, which Mallows agreed was a slip of the tongue, or at least the exponent. Mallows kept and framed the check for ten grand, and accepted an alternative reward of 1.0E3 for his grandchildren. ========================================================================= Date: Wed, 31 Aug 88 13:30:03 CDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Frank San Miguel <ACS1S@UHUPVM1> Subject: ?$z" After asking a question about finding virus with ResEdit, I tooled around with this utility and came across something strange. Maybe someone has seen or heard of this... Upon opening the desktop, I found two questionable files -- one was simply blank while another had the crytic code: ?$z". I eliminated the blank one, but when I tried to open a Get Info box on ?$z" a bomb dropped. On rebooting, the Mac informed me that my hard disk was in need of repairs. It was repaired with the loss of SuperPaint and Word icons. Opening ResEdit again, I found the file blank. Any guesses? Frank ========================================================================= Date: Wed, 31 Aug 88 13:52:33 CST Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: James Ford <JFORD1@UA1VM> Subject: Pc-Lock >There is an interesting program called PC-LOCK which will effectively >isolate your hard disk (at least on an XT) from the system. Once >installed, if a user attempts a hard disk boot, he/she must supply the >proper password to gain access to the HD. If booted by a floppy in >the A drive, access is also blocked as the HD does not appear to >exist, and the user does not have access. This package is shareware. >I would be happy to make it available to all in the conference, but I >am not sure how to do so. >Steve Clancy, U.C. Irvine, Biomedical Library. Wellspring RBBS 714-856-7996 If I'm not mistaken, there are several versions of Pc-Lock. Version 1.0 is suppose to have some bugs in it that sometimes changes your partition table, thereby nuking most/all of your files. Version 1.1 corrects this problem. Version 3.0 (which is NOT shareware) allows you to have up to 5 passwords (1 administrator and 4 user). Based on which password you enter, you can have your AUTOEXEC.BAT branch to different routines. We have installed it on 31 IBM-PCs w/20M hd, EGA, 640K... and have had (almost) no problems. On 2 machines, we are unable to install it (I think that its a h-disk problem, not related to Pc-Lock). Only the tech people (with a user password 4 set just for them) and the lab supervisor in charge of updating software have access to the hard-drive itself. Since Pc-Lock will allow you to permantly "turn off" CNTL-BRK, your favorite menu program will see to it that students can not run files from drive A or B, thereby reducing the chance that the computer will pick up a nasty bug. James Ford ========================================================================= Date: Wed, 31 Aug 88 14:22:00 MDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "David D. Grisham" <DAVE@UNMB> Subject: University Standards As the "virus expert" (ha ha) I have been asked to establish Univ. standards for virus Protection-Detection. Would anyone who has set policies, procedures, etc. please share them? Most importantly, I need to evaluate & purchase Anti-Viral software, any recommendations or experiences on this subject would be greatly appreciated. Thanks in advance. I will post a synopsis of your mail and my findings. Dave ****************************************************************************** * * * Dave Grisham * * Senior Staff Consultant Phone (505) 277-8148 * * Information Resource Center * * Computer & Information Resources & Technology * * University of New Mexico USENET DAVE@UNMA.UNM.EDU * * Albuquerque, New Mexico 87131 BITNET DAVE@UNMB * * * ****************************************************************************** ========================================================================= Date: Wed, 31 Aug 88 15:34:59 CDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Frank San Miguel <ACS1S@UHUPVM1> Subject: Re: University Standards In-Reply-To: Your message of Wed, 31 Aug 88 14:22:00 MDT Dave, On your letter asking about virus protection/detection/prevention -- what machines (i.e. IBMs Macs) are you looking at? Also, what kind of money are you planning on spending? As they say, the best is going to cost you big money. Frank ========================================================================= Date: Thu, 1 Sep 88 00:12:03 +0300 Reply-To: gany@taurus Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> Comments: If you have trouble reaching this host as MATH.Tau.Ac.IL Please use the old address: user@taurus.BITNET From: GANY@TAURUS Subject: Flushot's credibility Hi gang, I just read Ross's warning about flutxt4.com . Somehow he sounds very scared, is it because Flushot 3+ (whatever version) isn't good enough to cope with the beast ?? YG ========================================================================= Date: Wed, 31 Aug 88 17:51:35 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: "David A. Bader" <DAB3@LEHIGH> Subject: Flushot's Credibilty!!! >Hi gang, >I just read Ross's warning about flutxt4.com . >Somehow he sounds very scared, is it because Flushot 3+ (whatever n) >versio isn't good enough to cope with the beast ?? > >YG That Flushot4 warning is half a year old. In the meantime, Ross Greenberg has released FluShot Plus (The "Plus" is used so that people would not continue to use the corrupted FluShot that was spreading around) versions 1.0, 1.2, 1.4 (1.3 does not exists; Ross is superstitous). I think that before you start rehashing FluShot as you are doing right now, you should look at FluShot Plus 1.4. The only errors that I have heard about or encountered are with the CMOS memory reads while reading certain floppy disks, and the fact that certain editors (BRIEF?!?) can edit protected files without any type of TSR warning. David A. Bader DAB3@LEHIGH ========================================================================= Date: Wed, 31 Aug 88 16:59:02 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Deba Patnaik <DEBA@UMDC> Subject: Re: University Standards In-Reply-To: Message received on Wed, 31 Aug 88 16:45:44 EDT PC WEEK reports two organizations providing information on combatting the spread of virus software. They are: Software Development Council, Box-61031, Palo Alto, CA 94306 (415) 854-7219 Computer Virus Industry Association, 4423 Cheeny St, Santa Clara, CA (408) 988-3832 Does anyone know, what these organizations provide ? Deba Patnaik Center of Marine Biotechnology/Maryland Biotechnology Institute ========================================================================= Date: Wed, 31 Aug 88 12:53:00 MDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: KEENAN@UNCAMULT Subject: Re: Virus Arguements Hit Home In-Reply-To: Message of 30 Aug 88 11:07 MDT from "Frank San Miguel" I believe there is a general principle in insurance that, except where otherwiseprovided (such as a prizefighters hands being damaged in a bar fight..) the insurance company will refuse to pay if someone else can be held at fault (i.e. sued.) This came up here in Calgary lately with regard to some flooding which was aggravated by cowboy bus_drivers causing tidal waves through the affected communities...insurance refused to pay for the damage since it wasn't a "natural event." ========================================================================= Date: Wed, 31 Aug 88 18:49:20 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Bill MacDonald <O1BILL@AKRONVM> Subject: Dup Mail I recieved the same mail twice from David A. Bader DAB3@lehigh ========================================================================= Date: Wed, 31 Aug 88 19:02:00 EDT Reply-To: Virus Discussion List <VIRUS-L@LEHIIBM1> Sender: Virus Discussion List <VIRUS-L@LEHIIBM1> From: Glen Matthews <CCGM000@MCGILLM> In-Reply-To: In reply to your message of TUE 30 AUG 1988 13:13:36 EDT Sorry about that. CACM stands for: Communications of the Assocation for Computing Machinery. The association's name belies its function; it's actually an association for PEOPLE who use computing machinery. (I never could figure out how someone could arrive at a name like that.) Glen Matthews