VIRUS-L Digest Tuesday, 10 Jan 1989 Volume 2 : Issue 9 Today's Topics: A Humorous? Virus Report from Security List Re: Friday the 13th viruses Re: Disk Protection (Mac) On having a "false sense of security" Security/Virii Article Disk protection (Mac) Mac Write Protect Is Hardware --------------------------------------------------------------------------- Date: Tue, 10 Jan 89 08:01:13 EST From: msmith@topaz.rutgers.edu (Mark Robert Smith) Subject: A Humorous? Virus Report from Security List [Ed. The following forwarded message is obviously another prank, like the modem virus. I'm including it here because a) it was sent in by a reader, and b) it serves as yet another perfectly good example that we can't trust everything that we read. I suppose the appropriate caveat here is that we have to take *any* report of a virus until it can be verified.] Forwarded from the VirusBoard BBS at (225) 617-0862 [sic] Date: 11-31-88 (24:60) Number: 32769 To: ALL Refer#: NONE From: ROBERT MORRIS III Read: (N/A) Subj: VIRUS ALERT Status: PUBLIC MESSAGE Warning: There's a new virus on the loose that's worse than anything I've seen before! It gets in through the power line, riding on the powerline 60 Hz subcarrier. It works by changing the serial port pinouts, and by reversing the direction one's disks spin. Over 300,000 systems have been hit by it here in Murphy, West Dakota alone! And that's just in the last twelve minutes. It attacks DOS, Unix, TOPS-20, Apple II, VMS, MVS, Multics, Mac, RSX-11, ITS, TRS-80, and VHS systems. To prevent the spread of this dastardly worm: 1) Don't use the powerline. 2) Don't use batteries either, since there are rumors that this virus has invaded most major battery plants and is infecting the positive poles of the batteries. (You might try hooking up just the negative pole.) 3) Don't upload or download files. 4) Don't store files on floppy disks or hard disks. 5) Don't read messages. Not even this one! 6) Don't use serial ports, modems, or phone lines. 7) Don't use keyboards, screens, or printers. 8) Don't use switches, CPUs, memories, microprocessors, or mainframes. 9) Don't use electric lights, electric or gas heat or airconditioning, running water, writing, fire, clothing, or the wheel. I'm sure if we are all careful to follow these 9 easy steps, this virus can be eradicated, and the precious electronic fluids of our computers can be kept pure. - --RTM III ------------------------------ Date: Tue, 10 Jan 89 16:52:10 +0200 From: Y. Radai Subject: Re: Friday the 13th viruses Mark Smith asks for info on "virii" [viruses] that act on Friday the 13th. Well, if you're afraid that a virus will do damage on such a date (or any other specific date), the simplest thing you can do is either not to use your computer on that date or else to fake the date. If you have a clock/calendar card, however, you have to be careful, since if your boot sector or one of your system files or one of the files in your AUTOEXEC.BAT file is infected, by the time you get a chance to fake the date, the actual date may already have been taken into account by the virus. Hence if you wish to work on that date, fake the date *one day earlier*. As for detecting/removing viruses, that depends on which virus you have. If you have good reason to think you have the Israeli Friday-the-13th virus, I can send you programs to eradicate it and to prevent future infection. (In order to tell if you have this virus, run your most frequently executed EXE program twice. If its size is increased by 1808 or 3616 bytes, you can assume you've got that virus.) Y. Radai Hebrew Univ. of Jerusalem ------------------------------ Date: Tue, 10 Jan 89 13:29 GMT From: Danny Schwendener Subject: Re: Disk Protection (Mac) >there is a DiskLock DA that simulates the locking of a disk via >software. This includes the ability to lock a hard drive through >software. Does this mean that the MAC is just as susceptible to >viruses over-riding the write protection tab or is software just >written to add the additional possibility of protecting hard drives? The Macintosh File System allows both software and hardware device locking. Hardware locking PHYSICALLY disables write access to the disk. There is NO WAY for a virus to erase or write anything on a floppy with an open protection tab. If the "software lock enabled" flag in the Disk's boot blocks is set, the File Manager assumes that the disks's driver contains code to handle software locking, i.e. the write and format routines first check another flag (the "volume locked" flag) in the boot blocks before they perform their task. For those who don't know the Macintosh's internals, the File Manager regroups all OS calls used by a program to access a disk. In a normal disk configuration, each disk has its own driver code hidden in the disk's boot blocks. When a disk is mounted, the File System loads the driver into memory. When a program wants to access a disk, the File Manager handles the high-level tasks (file and directory operations), but hands block read/write and disk format requests to that disk's driver. A virus could however bypass this command handling: it only needs to have its own driver code. As most Macintosh disks on the market currently are SCSI disks, and there are several SCSI driver sources in the public domain, this should not be a problem. In other words, DON'T TRUST IN SOFTWARE LOCKING AS VIRUS/WORM/TROJAN PROTECTION. Software locking is useful to prevent accidental overwriting of your applications and documents. It is not a long-term protection against purposely ill-behaving programs. Note: the mentioned DiskLock DA does not use the software locking procedure explained above. Instead, it intercepts the File Manager's calls to the driver and performs its own lock checking. - -- Danny Schwendener +-----------------------------------------------------------------------+ | Mail : Danny Schwendener, ETH Macintosh Support | | Swiss Federal Institute of Technology, CH-8092 Zuerich | | Bitnet : macman@czheth5a UUCP : {cernvax,mcvax}ethz!macman | | Ean : macman@ifi.ethz.ch Voice : yodel three times | +-----------------------------------------------------------------------+ ------------------------------ Date: Tue, 10 Jan 89 15:36:14 +0200 From: Y. Radai Subject: On having a "false sense of security" In V1 #59c and V2 #5 Dimitri Vulis posted three articles which, on the whole, I consider excellent. However, there was one paragraph which seemed to me a bit illogical, and another which contained what I consider to be a significant inaccuracy. The first was: >Both of these programs [TRAPDISK & HDSENTRY] (and others like them) are >_extremely_dangerous_. They give the user a false sense of security, >while it fact they provide _very_ _little_protection. They offer some >protection against amateurish benign programs, like Brain, that are >not really trying to destroy any data. They would not work against >something like ARC 5.13, which called BIOS through CALL, not via INT, >and you are more likely to run something like it, because you believe >that you're protected, and use less discretion in deciding what to run >on your machine. Were it not for the fact that I have seen this sort of opinion expressed several times before, I probably wouldn't have felt the need to react to it in print now. But the effect seems to be cumulative and now I feel I've seen this "false sense of security" argument once too many. Suppose someone were to argue as follows: "There's no point in locking the doors of your house or car, since a sufficiently clever burglar can break into either of them. Locking them just gives you a false sense of security ...." What would you think of such an argument? I'm willing to bet that Dimitri and others who have expressed the above opinion concerning computer software do lock their houses and cars. Why, then, do they preach differently in the case of anti-viral software? I don't agree that such programs provide very little protection. I think that the viruses (and worms and Trojans) against which they do afford protection (they may be "amateurish" but they're not necessarily benign!) are still in the majority (at least among those viruses which have become widespread). And I think that it is well worth protecting oneself against them, even if more sophisticated viruses exist as well and will become more prevalent in the future. Now I am well aware that no software can give complete security against all conceivable viruses. A month ago, I posted an appraisal of FSP, in which I mentioned several shortcomings which I found in it, including ways of circumventing it. Yet *I continue to use it* because there exist *many* infections which it *can* detect and prevent. I also use PROTECT (which is roughly like the two programs mentioned at the beginning), and a good checksum pro- gram (to detect all virus propagation). (I'm considering using hard- ware protection also.) I know that none of these can prevent all con- ceivable viruses under all conditions. But I still think I'm safer using any given one of them than not using it. The only argument which Dimitri gives for his statement is that one might be lulled into using less discretion in deciding what to run on his machine. Now I would understand this argument in a situation where anti-viral software is sold to naive customers under the false pretense that it will prevent all types of infection. But are we so naive? To give the impression, as Dimitri does, that it is worse to use such software than not to use it, is certainly not correct in general. He doesn't explain just what his notion of discretion consists of, but whatever it may be, why can't we use *both* anti-viral software *and* discretion ....?? The other point: In V2 #5, Dimitri wrote: > ... it reads in the beginning of the directory and checks that >the first 2 files are IBMBIO.COM and IBMDOS.COM (for PC-DOS) or IO.SYS >and MSDOS.SYS (for generic MS-DOS). .... >If these files are there, it reads (using INT 13) the first one (DOS >low-level routines, _not_ BIOS---BIOS is in ROM!) into memory, usually >at 70:0, and jumps there. IBMBIO.COM then loads the rest of DOS. The clause "it reads ... the first one [i.e. IBMBIO.COM or IO.SYS] into memory" is not quite accurate. It seems that what actually happens is that the disk bootstrap routine loads a certain number of sectors, starting from the beginning of the data area, into RAM, under the *assumption* that these contain IBMBIO.COM/IO.SYS. Depending on the implementation, it may also do the same with the following sectors on the assumption that they contain IBMDOS.COM/MSDOS.SYS, or else the former program may load the latter. But if the disk has been tampered with, it is not necessarily these two files which will get loaded. Y. Radai Hebrew Univ. of Jerusalem ------------------------------ Date: Tue, 10 Jan 89 13:26 EST From: "ROBERT M. HAMER" Subject: Security/Virii Article In the January 9 isue of InfoWorld, on page S1, continuing for 5 or 6 pages, there are several articles on computer security, viruses, worms, etc, including a discussion of the now-famous Internet worm. ------------------------------ Date: Tue, 10 Jan 89 10:56 MST From: "Richard Johnson Subject: Disk protection (Mac) > There is much talk about disk protection for the IBM systems. Does > anyone have any Information relating to the MAC system? ... > Does this mean that the MAC is just as susceptible to viruses > over-riding the write protection tab or is software just written to > add the additional possibility of protecting hard drives? > Scott. I assume that by disk protection you mean something along the lines of write protection. 400K and 800K Mac floppy drives from Apple use a pin that tries to fit through the write protect hole on 3.5" disks (at least my drives do). I don't have the drive schematics, but the presence of that pin says to me that write protection on a 3.5" floppy is done in hardware. Hard drives are another matter. I know of no hard drive that can be write-protected via a hardware switch like a floppy drive write protect. All hard drive write protection I've seen for Macs is done in software. What can be done in software can be gotten around later. Of course, with the healthy number of different SCSI drivers out there, a virus that knows how to talk to all of them will be larger than a virus that just uses disk or file manager calls. Richard * Disclaimer: Since I'm self-employed, these * * opinions aren't necessarily those of my employer * ------------------------------ Date: Tue, 10 Jan 89 15:50:20 EST From: Joe McMahon Subject: Mac Write Protect Is Hardware The title says it all. Mac write protect for floppies is hardware and cannot be subverted by software according to Apple. Hard disks are another matter. Why don't Mac manufacturers add on a "Write Protect" switch? Seems simple enough. - --- Joe M. ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253