VIRUS-L Digest Friday, 21 Jul 1989 Volume 2 : Issue 156 Today's Topics: New PC virus (and really bad news) Re: CMS viruses (IBM CMS) Re: Request for info on viruses (PC) VIRUSCAN tested (PC) On Brain (PC) Re: Corporate culture shift resulting from virus mis(?)information --------------------------------------------------------------------------- Date: Thu, 20 Jul 89 13:54:51 +0000 From: Fridrik Skulason Subject: New PC virus (and really bad news) Subject: A virus that can bypass anti-viral programs. I got a letter yesterday. Translated to English, it reads: Dear Fridrik, Thanks for the publicity you have given to our virus. To show our gratitude, we have placed you on our distribution list. You will from now on receive FREE copies of all our viruses. Enclosed is an update of our first virus, that will bypass every virus protection programs. Expect our program for "improving" SYS-files Real Soon Now. (signed) 4418 and 5F19 The signature is the same as the last two words in the Icelandic virus. By "publicity" they are probably referring to the fact that I have alerted every computer dealer in Reykjavik (all 12 of them that is) to the existence of an Icelandic virus. I guess the last sentence in the letter is the first vaporware announcement by virus authors. The bad news is that the virus will indeed bypass some anti-virus programs. Not all of them - programs that check for file length changes will find infected programs. But - the virus will infect programs, even if programs like Flushoot+ (or my own programs) are installed. It probably will also bypass all programs that just monitor interrupts. I have not finished disassembling it, but I will send a copy of the listing to those who received the disassembly of the first version of the Icelandic virus. ------------------------------ Date: Thu, 20 Jul 89 11:06:24 -0400 From: Valdis Kletnieks Subject: Re: CMS viruses (IBM CMS) >2. neither MVS nor VM could be infected by 16 bytes of code in an none >obtrusive manner... an overwriting virus possibly...!! however these >are both large expensive mainframe SCP(system control programs) note I >didnt include cms in this he is a user interface!! but they most >defintely can be infected!!!!!! First of all, I beleive it was 16 *lines* not 16 *bytes*. Even in assembler, 16 lines will give you 64 bytes of code (assuming average 4/bytes instruction), and more if you allow macro use. I'm unclear what you're saying - are you saying that VM and MVS are systems that "can't be infected non-obtrusively" or that they "can be infected"? I have seen 5-line programs that broke VM. Once you do that, all the rest is just pretty-printing. And the 5-line program was SO unobtrusive that the author literally didn't KNOW for a while that he had done it. It turned out to be a bug in HIS program accidentally exploiting a bug in the SYSTEM. IBM very recently (as an SPE apar to SP/4) fixed a BIG hole in the reader file support, where a sequence of 5 user commands would break a userid. The bottom line is that (a) you can break it (b) if you're good, nobody will notice and (c) sometimes you don't even have to be very good... >3. given the richness of the 2 above environments and both of them >predate any other System control programs currently used now... no >human intervention is necessary for an infection mechanism to >accomplish its designed task!!!! Well, MVS/ESA can trace itself back to 1963 and the OS/360 project. However, CP/67 (the ancestor of VM/SP and VM/XA) dates to almost literally the same month in 1967 as the first attempts to bring Unix up. And both Unix and VM are newer than the venerable Multics (which is still used at a fairly large number of sites). And admittedly MVS and VM *can* both be broken. Otherwise IBM would not have needed to issue 'Statements of Integrity' for them. However, if anything, you got the point here backwards. It is mostly the *newer*, *less mature* systems that are easily attacked and penetrated without human intervention. Remember that MVS has literally 25 years of people breaking into it, while the Macintosh OS has a lot less experience in defending itself. Yes, the older operating systems ARE generally more full-featured. But the features are generally a LOT more robust. >4. to acheive point 3 above... one must be what is knwown in IBM >Parlance as a SYSPROG not just a technical support specialist... in >other words it most likely is not going to be the local 14 year old >sunnyvale hacker!!!(that would implement this code) Ah yes - to break into VM without human intervention DOES require a fair amount of true wizardry. However, you can trust that enough users will run anything that shows up that a trojan horse like the Christmas Card exec is effectively a virus. Yes, technically the Christmas Exec was a trojan horse. However, that didn't stop it from taking out the BitNet academic network and the VNET IBM internal net just as effectively as the Morris worm did to the Internet. Valdis Kletnieks Computer Systems Engineer Virginia Tech ------------------------------ Date: Thu, 20 Jul 89 12:45:51 -0700 From: voder!nsc!berlioz.nsc.com!gwang@apple.com (George Wang) Subject: Re: Request for info on viruses (PC) In article <0003.y8907031857.AA11952@ge.sei.cmu.edu> you write: > We have had the same (c) Brain running around UB for some time now, >but have managed to kill it off. We Have the source code (written in C) for >NOBRAIN, which will remove the bad sectors, and volume. We had picked up >the cure from another University, and put it in all of our micro sites. Can you email me the source code to NOBRAIN? I would like to install it on the school's University computers... We've been having trouble with the Brain Virus and would like to stop it.... Thanks George George Wang VLSI Software Engineer National Semiconductor Gwang@berlioz.nsc.com (408) 721-4365 Voice ------------------------------ Date: Thu, 20 Jul 89 13:09:08 -0700 From: huangcm@iris.ucdavis.edu (Christina M. Huang) Subject: VIRUSCAN tested (PC) I ran VIRUSCAN Version 0.3V27 on some virus infected programs. The following are the ones that it positively identified: Italian (Ping Pong) Den Zuk Jerusalem Pakistani Brain 1701/1704 (Cascade) Alameda Lehigh Vienna (DOS62) April First Icelandic Fu Manchu Traceback Datacrime (1280/116B) - -CH ------------------------------ Date: Fri, 21 Jul 89 09:18:29 -0000 From: A.SIGFUSSON@ABERDEEN.AC.UK Subject: On Brain (PC) I got a copy of PC VIRUS LISTING by Jim Goodwin of a virus archive and I found that the copy of the BRAIN virus I have is different from what he describes. The version I have is the SHOE_VIRUS which has the message "...VIRUS_SHOE RECORD, v9.0. Dedicated to the....." and is said to be a modified version of the Brain-B virus which can infect hard disks. I tried recently to infect a hard disk with it when I was experimenting with the F-PROT protection software but failed to infect the disk. I booted the computer up on an infected floppy, several times, and the virus planted itself in the memory and infected every floppy I inserted after that exept those protected with F-INOC. According to J. Goodwin this version of Brain should infect hard disks but SHOE_VIRUS v9.1 should not. I was wondering if it was the other way around and if anyone has experience of Brain infecting hard disks. Thanks Arnor Sigfusson (A.SIGFUSSON@UK.AC.ABERDEEN) ------------------------------ Date: 20 Jul 89 19:23:42 +0000 From: chinet!ignatz@att.att.com Subject: Re: Corporate culture shift resulting from virus mis(?)information In article <0004.y8907171856.AA19378@ge.sei.cmu.edu> DCD@CUNYVMS1.BITNET writes : >.... I am intrigued by what can only be called the return of MIS: >we all know the corporate Kulturkampf that took place not so many years >ago when microcomputers became readily available--the MIS people (in large >corporations) kicked and screamed, but eventually their power was diluted. >Now, I am seeing reports that their day has returned. Relatively techno- >illiterate upper management sees reports on viruses in Time, etc., and puts >a call in that all decisions on software must be blessed from a newly power- >ful management structure. > [A few examples elided] > >I have no doubt that such corporate shenanigans are taking place all >the time, and would be interested in any comments. > >Thanks for your time in reading this, > > Robert Braham >E-mail: DCD@CUNYVMS1.BITNET >Home: 1315 Third Ave., 4D > New York, NY 10021 > (212) 879-1026 I trust Robert reads this group; otherwise, well, he won't see this. I'm a consultant in the Chicago area, and have been for almost 11 years now. This means I get to encounter the MIS and computer policies of a number of different firms, both Fortune 500 and small ones. Most definitely, the MIS departments are attempting to re-assert their control over computing resources, and use of the current panic concerning possible viruses, worms, and other infestations by crackers is one of the prime tools. Unfortunately, these organizations often have little or no knowledge of the needs of the long-alienated users who now must clear requests through them; many are traditional IBM mainframe managers, who now must deal with the bewildering plethora of packages and utilities available to the micro- and mini-computer user. The (unfortunate) result is that often, only a very few programs and packages are considered 'authorized', and restrictive (and usually unnecessary) controls are placed on procurement and use. Even worse are some organizations who have installed usually unqualified personnel in the newly-created office of "Computer Security." In one unnamed company, this person was a lawyer whose qualifications were that he knew how to use Lotus 1-2-3. Period. In these cases, it's particularly difficult to express the difference between accepting a source copy of a public domain program, and a binary copy--this person passed down a directive that *all* PD software was to be scrubbed ASAP on all corporate machines. It took a **long** training session to explain the difference in verification capabilities, and why we really could safely review and use PD sources. I'm in the position to argue with, and (often) successfully educate such organizations; but this is difficult for "real" employees, since such directives often come from individuals who are high enough in the hierarchy to make disagreement a somewhat risky proposition. Also, the decision makers at this level may well not be computer literate themselves, and have neither the time nor the desire to do so--they want clear, concise advice from their experts, who are often those disenfranchised MIS people. (Who are often not qualified themselves...see above.) This is not a happy-making situation, and I don't have a blanket answer. I think what, perhaps, will give us all the best ammunition to counter the rising hysteria is a clear, well-written text that is targeted at the intelligent layman, describing exactly what the attack vectors are, and what approaches can reasonably protect a distributed computing environment without unnecessary stifling of creative use or access to valuable programs. ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253