VIRUS-L Digest Thursday, 17 Oct 1991 Volume 4 : Issue 193 Today's Topics: Re: Experiences with hardware protection (Thunderbyte) Re: Hardware and Software; Re: Forget Turing... Several subjects (PC) Virus Proof Machine ? Re: Manners Re: Hardware, hardware... Anti-virus patent - that date sounds familiar Computer "Anamolies" in books re: More hardware! virus(15xx) (PC) Quesions on Stoned virus (PC) Need Protection (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Wed, 16 Oct 91 09:56:59 +0000 >From: Fridrik Skulason Subject: Re: Experiences with hardware protection (Thunderbyte) >I got produkt information about a hardware virus protector called >'Thunderbyte' which intercepts all mysterious writings to the disk, e.g. >absolute ( not through dos ), writing to exe/com files etc. Thunderbyte was reviewed in the Sept '91 Virus Bulletin. It was tested against 183 infected programs. It did stop 114 of them, and in 25 additional cases it detected an attempt to write to the disk. The rest (44 infected files) could be run without activating the card. In some of those cases the virus did not attempt to do anything harmful, so there was nothing for Thunderbyte to detect. - -frisk ------------------------------ Date: Wed, 16 Oct 91 09:56:56 +0000 >From: protonen@daimi.aau.dk (Lars J|dal) Subject: Re: Hardware and Software; Re: Forget Turing... It seems to me that this Turing talk is going along two *different* threads: 1) Can computers (in principle) distinguish between a virus and a "normal" program? 2) Can computers be build to be safe from virus infection? This is two different subjects! So the proof by someone-I-don't-know that 1) is undecidable on a Turing machine should only (or rather at most) discourage people designing programs to detect viruses, not people trying to design a system which cannot be infected. Right? +--------------------------------------------------------------------------+ | Lars J|dal | (put your favourite quotation here) | | protonen@daimi.aau.dk | | |--------------------------------------------------------------------------| | Computer Science Department - Aarhus University - Aarhus - Denmark | +--------------------------------------------------------------------------+ ------------------------------ Date: Wed, 16 Oct 91 10:14:49 +0000 >From: Fridrik Skulason Subject: Several subjects (PC) DR-DOS 6.0 I have been studying the DR-DOS 6.0 password protection a bit, and it seems to protect against most file viruses most of the time. There are viruses which are able to bypass it, and if you ever remove the write-protection (for example when updating a file) you are vulnerable to any "infect-on-copy" type virus. Virus families I am trying to compile a list of PC virus families, in an effort to reduce the naming confusion. There are some problems in defining just what a virus family is. For example, it is not 100% clear if the following groups of viruses should be considered to belong to the same family or not. 1) Jerusalem, Fu Manchu, Plastique and Slow 2) Vacsina and Yankee 3) W13, Vienna, Ghostballs, V2P2 4) Cascade and JoJo Any thoughts on this subject ? F-PROT 2.01 delay The release of version 2.01 has been delayed by a week, so I can add 60 (or so) new viruses from Poland. My E-mail address My E-mail address has changed - it is now frisk@complex.is, but mail sent to frisk@rhi.hi.is should still reach me. - -frisk ------------------------------ Date: Wed, 16 Oct 91 11:29:15 +0100 >From: Chris Stops Subject: Virus Proof Machine ? Hello Netters! I have read with interest the discussion over the last few weeks on hardware vs. software protection, OS/2 viruses and other preventative measures. So I thought it was about time I threw in my own half penny worth of thoughts... For me, the ultimate protection (if there is such a thing) is a new type of PC-like machine, which I will now describe... The machine is based, for arguments sake, on an 80386 running in protected mode, for which I will assume there are no 'back doors' (such as undocumented instructions) by which the protected mode can be breached. (Side note : In fact, the 80286 had a back door, the LOADALL instruction. This loaded ALL of the processor's registers, including the internal ones associated with the protection. However, LOADALL filled the registers with values read from a memory block at absolute location 800h, so this back-door can be closed simply by making sure that the memory at 800h is in a high priority region). The entire operating system (i.e. BIOS, IO.SYS and MSDOS.SYS, but not the external commands) is held in ROM (or EPROM, or something similar. Upgradeable ROMs were recently discussed). Again, I will assume there are no 'back doors' such as undocumented operating system calls by which an application may increase its privilage level. When the machine is switched on, the processor starts executing code from ROM. It sets up any required operating system data areas in the RAM including, for example, the interrupt vector table (or 'interrupt gates' to be more precise). Most importantly, the operating system sets up protected mode before ANY code is loaded from a disk and executed. The protection is such that the code of the operating system kernel and the interrupt gates are at the highest priority and cannot be read or written by any application. Also, all of the hardware I/O ports are similarly protected. Thus, no one can write a boot type virus to sneak in before protection of the operating system is established; No virus can hide in the operating system code itself; No virus attached to an application can hook into the operating system and become resident; And no virus can go down to the hardware. The only way into the operating system is via a well defined interrupt gate. Of course, viruses don't have to become resident to do their dirty work. They can act 'on the fly' just before an infected program is run. In this case, the operating system limits the operations which can be carried out on executable files. For example, executable files may be created (so compilers still work) or may be executed (of course!). But they cannot be opened for read access. Nor can their executable status be altered to look like a data file (e.g. in DOS terms, *.EXE becomes *.DAT, the 'DATA' file is processed, then *.DAT is renamed back to *.EXE). If we still allow executable files to be deleted, then about the only sort of virus left is an overwriting virus, which deletes an application and then creates a copy of itself using the name of the application. But since the applications will no longer run, it should be obvious that something is wrong with the machine. To allow copying of executables (e.g. from floppy to HD) there would need to be a new operating system call for copying files, becuase, of course, no application (e.g. COPY) can read the source file! Now of couse, there will be some users who want/need read/write access to their executable files. In this case, we could have a three position switch inside the machine, mapped into a protected I/O location. It functions as follows... Position A All attempts to read an executable file are stopped. Maybe a box could flash up to warn the user. The machine would be shipped with the switch in this position, so non-technical users are safe. Position B All attempts to read an executable file result in a dialogue box on the screen. The user may allow or stop the access, and this would be useful for semi-technical users. The user would be suspicious if 'KINKY.EXE' tried to read 'WP.EXE', but not if an updating program tried to change an executable. Position C All attempts to read an executable file are allowed. Users do this at their own peril! In fact, earlier I mentioned an overwriting virus that could operate if deletion of executables was allowed. Maybe this could also be controlled by a similar switch. Similar protections could be put on batch files, if required, although a batch file virus would be easier to spot. Now that the operating system is so well protected, we have a problem. Not only can no virus modify it, but no extensions can be added either, for example, new device drivers. The virus proof way around this is that new drivers are supplied on ROMs which can be plugged into the machine, and patched into the O/S during initialisation. A slightly less secure approach is that drivers are loaded off a disk. They execute at a priority below that of the main kernal, but above that of the applications software. Then, the only way a virus could spread is for a disk device driver to spot another disk device driver while accessing a disk, and then infect it. But I think that the effect of such a virus would be negligable. Any comments anyone? Is a totally ROMed version of the machine virus proof? Is there a hole somewhere? I have a gut feeling that any holes would eventually map down to a hole in the processors protected mode. After all, surely the idea of a protected mode is that you can build a protected system? This protected system also has another advantage: Manufactures can use their own hardware and O/S software (as long as it is compatible at the application interface) since no application can contain system dependent code! So we get more open systems! Of course, my machine would probably be incompatible with Mess-DOS. But then, isn't it about time we establised a new microcomputer standard based on at least 32 bits of data and address? Chris. ------------------------------ Date: 16 Oct 91 10:27:45 +0000 >From: groot@idca.tds.philips.nl (Henk de Groot) Subject: Re: Manners turtle@darkside.com (Fred Waller) writes: >The thread is lost to me but someone wrote not long ago: > > This whole thread is rediculus. > > -------..... -------.....-------- > > I hope this will stop this stupid converstion. > The subject of hardware protection is not ridiculous nor is the > series of articles on it a "stupid conversation". If a given > subject is of no interest to someone, s/he can always skip it. > Or marshall argument, if not agreeable. I was the one who wrote it. It was about the write-protection on floppy. You deliberately left out the article that was between the lines, explaining why it was rediculous and the coverstion stupid. I wrote that the write protect tab on a floppy will not prevent virus spread, at best slows it down. Every infection via floppy went trought the cycle write virus to floppy -> read virus from floppy. The write protect tab has to be removed in the first stage and therefor doesn't help. The virus can only spread if the floppy is written on an infected system, but that is true for every spread of a virus via floppy. The only advantage of a write-protect tab I am able to see is that you prevent the spread of a floppy to all your other floppy's. As soon as you have to write to one of your floppies houever the virus will copied with it. I hope you understand wat I'm saying: The virus will continue to spread, even if you use a write protect tab. This is so because whatever you do, once you will have to write to your floppy and remove the tab (unless you have only static data on your floppy's, in which case I wonder what you are doing with your floppy's anyway). Presenting the write-protect tab as the ultimate solution gives a false sence of security. You only slow down the process of spreading but does not stop the spread. > However, qualifying someone else's postings as "ridiculous" or > the articles as "stupid conversation" is not likely to cause the > targeted author(s) to stop writing or to change their mind. In > fact, it's almost guaranteed to have the opposite effect. True if I only wrote these two lines without explanation. I explained it and made it clear why. Unless you are able to point out something is incorrectly in my posting, I think the argument stands and makes the converstion indeed stupid. > Mature persons do not reject contradiction; they handle it. > Inability to face contradiction is a sign of immaturity. Mature persons will react on the original contents and not lift out the conclusions only. > Fred Waller > turtle@darkside.com Henk. - -- / / Henk de Groot | Department: PG 9000i - System Services /---/ __ __ / V2/A12-A13 | Internet : groot@idca.tds.philips.nl / / (-_ / / /( Tel: +31 55 432099 | == PHILIPS INFORMATION SYSTEMS == Disclaimer: I only speak for myself, not for my employer! ------------------------------ Date: 16 Oct 91 11:03:16 +0000 >From: groot@idca.tds.philips.nl (Henk de Groot) Subject: Re: Hardware, hardware... RADAI@HUJIVMS.BITNET (Y. Radai) writes: > Henk De Groot writes: >> If you claim that a virus can not go >>resident on your system than that implies that your system is clean. >>If your system is clean you can not infect a floppy, protected or not! >I am not going to get involved in the hardware issue per se; I only >wish to take exception to the above statement of yours. Haven't you >heard of [several direct-action viruses] You are right, the virus doesn't have to go TSR. The original article however talked about a virus going TSR. The reaction was that this was not possible because the system was not infected yet. I replied that if you have a virus-free system you don't have to use a write-protected floppy either, you will not infect the floppy if your system is clean. >phrases such as "rediculus" and "this stupid converstion" [sic]. Read the thread, understand what is said and you will either have comments on my contribution (if I overlooked something) or conclude that useing a write-protect tab leads to nowhere. Kind Regards, Henk. - -- / / Henk de Groot | Department: PG 9000i - System Services /---/ __ __ / V2/A12-A13 | Internet : groot@idca.tds.philips.nl / / (-_ / / /( Tel: +31 55 432099 | == PHILIPS INFORMATION SYSTEMS == Disclaimer: I only speak for myself, not for my employer! ------------------------------ Date: Wed, 16 Oct 91 09:37:00 -0500 >From: Ken De Cruyenaere 204-474-8340 Subject: Anti-virus patent - that date sounds familiar >"David.M.Chess" > >I've just run across an interesting U.S. patent. It's number >4,975,950, granted to Stephen A. Lentz, entitled "System and Method of >Protecting Integrity of Computer Data and Software". The filing date >is November 3, 1988. ^^^^^^^^^^^^^^^^ That is the day after RTM launched the infamous internet worm. Coincidence ? (I have just finished reading CYBERPUNK, so was able to confirm the date in part 3 of the (interesting) book: RTM) - --------------------------------------------------------------------- Ken De Cruyenaere - Computer Security Coordinator - Computer Services University of Manitoba - Winnipeg, Manitoba, Canada, R3T 2N2 Bitnet: KDC@CCM.UManitoba.CA Voice:(204)474-8340 FAX:(204)275-5420 ------------------------------ Date: Wed, 16 Oct 91 10:58:28 -0400 >From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Computer "Anamolies" in books While "Shockwave Rider", "When Harlie was 1", and "The Adolesence of P1" were all works treating self aware computers and worms, the earliest reference I know of computers (programs) taking over other computers goes back to Heinlein's "The Moon is a Harsh Mistress" published in the early sixties (from memory). "Adam Selene" was the non-de-guerre used by the program/computer/AI (never really described), but it did spread through the local communications network. Padgett ps Just bought a marvelous program for making my laptop's VGA screen MUCH easier to read - "Laptop Ultravision" from Personics (508)897-1519 (plug). ------------------------------ Date: 16 Oct 91 13:00:57 -0400 >From: "David.M.Chess" Subject: re: More hardware! >From: turtle@darkside.com (Fred Waller) > In fact, if we could just >stop ONE virus, the old Stoned, we would have prevented the great >majority of viral infections in the USA! But the Stoned continues >on its merry way, and software antiviruses have not been able to >stop its advance. But hardware antiviruses haven't stopped its advance, either! That is, there are both hardware and software solutions that can completely protect any given machine against the Stoned. And they've both failed (in the global sense) for the same reason: not enough people are using them. My suspicion (and, again, I'd love to be proven wrong in actual practice) is that software hasn't done more than it has primarily because it isn't widely-enough installed, *not* primarily because it's software rather than hardware... DC P.S. The 1813 (Jerusalem) is still up there near the Stoned; I think we'd have to stop both of them before we could claim to have the great majority! *8) ------------------------------ Date: Wed, 16 Oct 91 18:02:19 +0000 >From: samba.acs.unc.edu!Kelvin.Lee@mcnc.org (Kelvin Lee) Subject: virus(15xx) (PC) My floppy disk was infected by a virus called [15xx]. The disk only contains a self-extracted exe file. I've already cleaned the disk, however now whenever I try to run the file, I've got a message saying out of memory. So, is there any utility that I can use to fix this problem? Thank you for your help. ------------------------------ Date: 16 Oct 91 18:45:12 +0000 >From: sph0301@UTSPH.SPH.UTH.TMC.EDU ( ) Subject: Quesions on Stoned virus (PC) Could someone please answer a basic question about the Stoned virus... Given an uninfected system and an infected floppy containing ONLY data files, no executables, not a bootable disk...what actions by the user can cause the PC to become infected? I know that trying to boot from this infected disk can do it, but what about copying files, looking at the directory, etc? sph0301@utsph.sph.uth.tmc.edu ------------------------------ Date: Wed, 16 Oct 91 15:58:18 -0400 >From: RICH BASILE Subject: Need Protection (PC) Would the powers to be please inform me on how to get a hold on the newest versions of Mcafee and F-PROT. Here at the Universtiy of Akron, we still use Mcafee 3.5V63, and we only have F-PROT 1.16. RICHARD BASILE UNIVERSITY OF AKRON MICROCOMPUTER SYSTEMS SUPPORT ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 193] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253