VIRUS-L Digest             Thursday, 26 Jan 1989        Volume 2 : Issue 27

Today's Topics:
PC hardware protection (PC)
re: Request for definition of worms and trojan horses.
Re: [LICHTBLS@DUVM.BITNET: nVir (init 29) (Mac)]
Virus Prevention Guidelines

---------------------------------------------------------------------------

Date:    Thu, 26 Jan 89 15:02:51 GMT
From:    Martin Ward
Subject: PC hardware protection (PC)

I have been considering the problem of trying to add some protection
against Trojan Horse (and by implication virus-infected) programs to a PC.
With a standard PC there appears to be NO protection against a malicious
Trojan which lies dormant for a while (ie carries out its advertised
function) and suddenly decides to trash all your files (or just change a
random byte in a random file). This is because any program has total
access to any bit of the hardware. Hence the only protection is a regular
backup (the Trojan which randomly changes small areas of data could still
take a while to find and therefore could do a lot of damage).

Other operating systems (eg UNIX) have protection mechanisms which
(barring loopholes) prevent a user from accessing or modifying files he
does not have permission for. This could be extended to the concept of
"program" permissions: when an untrusted program is about to be run a
trusted supervisor program gives write permission to only those files the
untrusted program is allowed access to and then runs the program under
that user id.

To implement this system on a PC requires extra hardware, (here is where I
need some help from someone with more knowledge of PC hardware): I imagine
a two-position switch (physical, hardware switch). In one position it
allows full access to the disk and to an internal "permissions" table. In
the other position it denies access to the "permissions" table and
prevents access to any files not listed in the table.

Moving the switch from the second to the first position should cause an
automatic cold boot (this is so that a malicious program cannot "pretend"
it has terminated and fool you into moving the switch). To execute an
untrusted program you run a trusted program which looks up the files
allocated to the untrusted program (in a file), sets up the permissions
table and requests that you throw the switch. It then waits for the switch
to be moved and automatically runs the program.

No "untrusted" program should have access to the boot tracks, command.com
files etc. or any executables, and should not be able to create "bad"
sectors. Hence the cold boot which occurs when the switch is moved back to
the "trusted program" position should be perfectly safe.

Comments on the practicality etc. of this idea are welcomed!

                Martin.

My ARPANET address is: martin%EASBY.DUR.AC.UK@CUNYVM.CUNY.EDU
JANET:  martin@uk.ac.dur.easby
BITNET: martin%dur.easby@ac.uk
UUCP:   ...!mcvax!ukc!easby!martin

Quote: "If God had intended Man to Smoke, He would have set him on Fire."

------------------------------

Date:    26 January 1989, 10:07:43 EST
From:    David M. Chess
Subject: re: Request for definition of worms and trojan horses.

Well, the definitions we tend to use around here are something like this:

A bug is something that a program does that neither the programmer nor
the user intended.

A Trojan horse is a program that does something that the programmer
intended it to, but the user did not. (And, generally, that the user
would not have approved of had he/she known about it.)

A worm is a program that sends copies of itself through a network.

A virus is, to quote Fred Cohen, "a program that can 'infect' other
programs by modifying them to include a possibly evolved copy of itself".

A program infected with a virus is usually a Trojan horse, since it does
at least one thing (infecting other programs) that the user doesn't know
about, and wouldn't approve of.

The (a?) key difference between a worm and a virus is that a virus is a
code-fragment that hides within and spreads between *programs*, whereas a
worm is a complete program (or program-set) that runs on and spreads
between network-attached *computers*. In a very deep theoretical sense,
the two are different versions of the same thing (instructions that make
copies of themselves at other places in a computing environment); but in
practice, a program is different enough from a network-attached system
that it makes sense to draw a distinction.

The Internet thing back in November was a worm, not a virus. A copy of
Pandas in Space that has been hacked to include code that erases all your
files (but doesn't spread to other programs) is a Trojan horse, but not a
virus or a worm.

Something like that...

DC

[Ed. Thank you for the clear definitions. I received a plethora of
similar definitions of virus/worm/trojan today; thanks to *everyone* who
took the time to send in theirs! I've included (only) this one here, not
because it's any better (or worse) necessarily, but to cut down on
redundancy/traffic. J.D. Abolins made a very interesting point in the
definition that he sent in:

"Tom Kummer, in a recent posting, asked what is the difference between
Trojan Horse program and worms as compared to viruses. Before I post an
off-the-cuff reply, I must mention that the terminology for 'bogusware'
is very fluid. The use of any word such as virus, worm, etc. has to be
interpreted in the context of the person using the word and the actual
workings of the program in question. 'One man's virus is another man's
worm.'"

This points out the fact that there is much confusion (particularly in
the media) as to the meaning of the above terms. We must try to take such
reports with a grain of salt, and figure out for ourselves what the author
meant. The media still refers to the Internet Worm as the "Internet
Virus"...]

------------------------------

Date:    Thu, 26 Jan 89 11:16:09 EST
From:    Joe McMahon
Subject: Re: [LICHTBLS@DUVM.BITNET: nVir (init 29) (Mac)]

>Subject: nVir (init 29) (Mac)
>
> I have encountered this new strain of nVir on a bunch of Mac II's
>with Interferon, but have not been able to successfully eradicate the
>infection. Also Ferret, VirusRx, and virus detective are not able to
>identify this virus. The virus also shows up as a code segment ID 255
>or 256 which is 712 bytes long as previously noted. What is the best
>way to eradicate this "thing"? Is this new strain of any potential
>danger to documents saved on a different disk or will it just cause
>memory problems when the infected machine is used?

The INIT 29 virus is not a strain of nVIR. It is much more dangerous.

INIT 29 is far more infective than any Mac virus yet known. It gets into
*EVERYTHING*. Documents, font (suitcase) files, printer drivers, the Desk
Top file (the real one!); just about everything except (for some reason)
MacPaint files.

When an infected program is run on a clean system, the INIT gets
installed into the System file. When an infected program is merely COPIED
TO A DISK, the Desk Top file gets infected. Next boot, it infects every
file with a resource fork that gets opened during the work session.
*Inserting* a disk into an infected system will infect its Desk Top file,
unless it is locked. If it is locked, you will get the "Disk needs minor
repairs" dialog. DON'T FALL FOR IT! This is caused by the I/O error
caused by the virus being unable to infect the Desk Top file. Unlocking
the disk and reinserting it will get you.

It patches itself into applications, adding a new CODE segment with an ID
1 larger than the highest-numbered CODE resource. Bytes 9, 10, 11, and 12
of CODE 0 are patched to point to the virus; these bytes are moved to
bytes 16, 17, 18 and 19 of the virus. For some reason, multiple copies of
the virus get copied into some applications.

The only application which can clean up infected *documents* (not
applications) is VirusDetective(tm) 2.0. It is already configured to do
so. Use its "delete infection" option to erase the INIT 29 resource.
Applications should be replaced from clean copies. You might try using
the patch information noted above for irreplaceable applications.

This is a very, very nasty virus. BE CAREFUL! GateKeeper should probably
be able to stop it; I don't think Vaccine is totally resistant to it.
Virus Detective 1.2 does not dependably remove the infection: it does not
deal properly with locked resources, whereas the virus DOES. It may tell
you that it has deleted the infection, when it has done no such thing.

 --- Joe M.

------------------------------

Date:    Thu, 26 Jan 89 13:12 EST
From:    Roman Olynyk - Information Services
Subject: Virus Prevention Guidelines

Computer World (Jan. 9) had an article which referenced virus prevention
guidelines:

"Del Jones, managing director of the National LAN Laboratory in Reston,
VA., has issued a set of guidelines on virus prevention and control
endorsed by about 70 manufacturers."

A subsequent reference to another CW article didn't discuss these
guidelines. Can anyone help me get a handle on these guidelines or where
I might actually find them?

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
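The CODE 0 patch that Joe McMahon describes in his message above (new CODE resource one above the highest id, 712 bytes long, CODE 0 bytes 9..12 overwritten, the originals kept at virus bytes 16..19) is the information he suggests using on irreplaceable applications. The following Python is an added example, not code from the digest nor from VirusDetective, Interferon or any other tool named in it. It reduces a resource fork to a dict of CODE id to bytes; the real resource-map format, the layout of the CODE 0 jump table, and what the four patched bytes actually encode are not on the page and are stand-ins here. Peeling stacked copies off from the highest id down, on the assumption that each later copy saved the previous copy's pointer, is also an assumption, as is the sample data, which is constructed.

```python
"""Model of the INIT 29 application patch described in the post above.

Added example, not from the digest or from VirusDetective/Interferon.
A resource fork is reduced to {CODE id: Resource}; the real resource-map
format, the CODE 0 jump-table layout and the meaning of the four patched
bytes are not on the page and are treated as opaque here (assumption).
"""
from dataclasses import dataclass

VIRUS_LEN = 712              # length of the added CODE resource, per the post
PATCH_OFF, PATCH_LEN = 9, 4  # CODE 0 bytes 9..12 are overwritten
SAVE_OFF = 16                # the overwritten bytes are kept at virus bytes 16..19


@dataclass
class Resource:
    data: bytearray
    locked: bool = False     # resLocked attribute; the post says the virus copes with it


def find_init29(codes):
    """Return the CODE id of the suspected virus body, or None.

    Heuristic taken from the post: the virus is the highest-numbered CODE
    resource and is 712 bytes long.  A clean program whose last segment
    happens to be exactly 712 bytes is a false positive, so confirm against
    a known-clean copy before trusting this.
    """
    top = max(codes)
    if top == 0 or len(codes[top].data) != VIRUS_LEN:
        return None
    return top


def disinfect_once(codes):
    """Undo one infection: copy virus bytes 16..19 back over CODE 0 bytes
    9..12 and delete the virus resource.  The deletion ignores the locked
    attribute on purpose: a cleaner that skips locked resources would
    report success while leaving the body in place, which is the failure
    the post attributes to Virus Detective 1.2.  Returns the removed id."""
    vid = find_init29(codes)
    if vid is None:
        return None
    saved = codes[vid].data[SAVE_OFF:SAVE_OFF + PATCH_LEN]
    codes[0].data[PATCH_OFF:PATCH_OFF + PATCH_LEN] = saved
    del codes[vid]
    return vid


def disinfect_all(codes):
    """Peel stacked copies off from the highest id down.  Assumption: each
    later copy saved the previous copy's pointer, so restoring in reverse
    order ends with the original CODE 0 bytes."""
    removed = []
    while (vid := disinfect_once(codes)) is not None:
        removed.append(vid)
    return removed


# --- constructed sample data (not a real application) ---------------------
CLEAN_CODE0 = bytes(range(32))
CLEAN_CODE1 = bytes(b"\x4e\x75" * 8)


def _virus_body(saved):
    body = bytearray(VIRUS_LEN)
    body[SAVE_OFF:SAVE_OFF + PATCH_LEN] = saved
    return body


def _pointer_to(rid):
    # opaque stand-in for "patched to point to the virus"; real encoding unknown
    return rid.to_bytes(4, "big")


def sample_clean():
    return {0: Resource(bytearray(CLEAN_CODE0)), 1: Resource(bytearray(CLEAN_CODE1))}


def sample_infected(copies=1):
    """Apply the described patch `copies` times to the clean sample."""
    codes = sample_clean()
    for _ in range(copies):
        vid = max(codes) + 1                         # one above the highest CODE id
        saved = bytes(codes[0].data[PATCH_OFF:PATCH_OFF + PATCH_LEN])
        codes[vid] = Resource(_virus_body(saved), locked=True)
        codes[0].data[PATCH_OFF:PATCH_OFF + PATCH_LEN] = _pointer_to(vid)
    return codes


if __name__ == "__main__":
    app = sample_infected(copies=2)
    print("suspect CODE id:", find_init29(app))
    print("removed:", disinfect_all(app))
    print("CODE 0 restored:", bytes(app[0].data) == CLEAN_CODE0)
```

The point worth taking from the model is the ordering: the saved bytes in the topmost copy are only the pointer written by the copy beneath it, so a cleaner that deletes the top resource and stops, or that restores bytes 9..12 from the wrong copy, leaves CODE 0 still pointing into space that no longer exists. Restoring from the highest id downward is what gets the original bytes back.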