VIRUS-L Digest   Wednesday, 25 Jan 1989   Volume 2 : Issue 25

Today's Topics:

Clarification on "Otto's principles"
re: Checksum programs and Otto's principles
Request for definition of worms and trojan horses.
Friday the 13th worm at Digital Equipment Corp.

---------------------------------------------------------------------------

Date: 25 January 89, 12:01:07 MEZ
From: Otto Stolz
Subject: Clarification on "Otto's principles"

Yisrael Radai writes:
> the propositions mentioned by Otto were stated much earlier

These propositions were never meant to be an original statement of mine. Rather, I sent an answer to somebody having posted a virus-related question in the LIAISON list, and I thought this would be interesting to VIRUS-L subscribers, as an example how to present basic ideas to "the public".

Regrettably, I was not aware that the message-header (which would have revealed my intention) was bound to be stripped off during VIRUS-L's digesting process. Hence, in similar cases, I'll have to prepare a separate copy of my note for VIRUS-L to include a suitable introductory statement.

Otto

------------------------------

Date: 25 January 1989, 09:26:57 EST
From: David M. Chess
Subject: re: Checksum programs and Otto's principles

Y. Radai's reply to me in v2n24 is largely well-taken. I didn't mean to imply that the scheme I described was itself a perfect virus defense, although it probably sounded that way. All I meant to suggest by the example is that there is *some* hope for anti-virus schemes in which it will do the virus writer little or no good to have the source of the anti-virus program, and that it will therefore not forever be the case that anti-virus efforts must depend on the ignorance of the virus authors.

Radai, if you're going to tell us about the "loopholes" anyway, why not just list them here, to give us something to think about while we await the finished paper?
(I have no particular advice about whether or not to reveal them, although I think it's unlikely that a decision by you not to talk about them would do much to keep the virus writers from discovering them!)

On "no mechanism can exist that cannot be infected": again, I think that's too strong ("never say never..."). A virus would have a hard time infecting a program stored in ROM, for instance: if the ROM was clean when burned (and it's certainly possible to verify that), it'll stay that way, no?

In general, of course, it's a good idea to think about ways that a virus author could get around any particular anti-virus scheme. But I don't think we'll *necessarily* see an unending escalation.

DC

------------------------------

Date: Wed, 25 Jan 89 11:35 EST
From: Cincinnati Bengals.
Subject: Request for definition of worms and trojan horses.

Could anyone give me a definition of what a trojan horse and a worm is, and what makes these different from viruses?

Thanks
Tom Kummer

------------------------------

Date: Wed, 25 Jan 89 14:40:34 est
From: ubu!luken@lehi3b15.csee.lehigh.edu
Subject: Friday the 13th worm at Digital Equipment Corp.

From Digital News, January 23, 1989 issue (author Stephen Lawton):

"A late-night, Friday-the-13th worm that entered Digital Equipment Corp.'s internal Easynet network in Maynard, Mass., earlier this month bit off more than it could chew. A systems manager spotted the abnormal activity 'virtually as it entered' and was able to segregate the infected system before the worm could spread, according to the company.

Spokeswoman Nikki Richardson said the infected system was disconnected immediately from the network while a vaccine program was developed and installed. The system was returned to the network before employees arrived for work Monday morning, she said.

Unlike a virus, which replicates itself and destroys or modifies data, a worm only replicates itself.
Digital would not disclose what type of system was involved, although Richardson said she believes it was a VMS-based system, the predominant system on the network."

Interesting... It's nice to hear that DEC was able to stop it before it caused any harm, I imagine that a congratulations is in order if the report is accurate.

The scary part about the report, in my opinion, is the definition of virus vs. worm; it's blatantly wrong. In "Computer Viruses: Theory and Experiments" (Computers & Security 6 (1987) p. 22-35), Fred Cohen defined a virus as, "...a program that can 'infect' other programs by modifying them to include a possibly evolved version of itself." There's no mention of destroying or modifying data there. In fact, in his dissertation, Dr. Cohen even used an example of a virus that could be worthwhile, a "compression virus" that would compress executable files on disk in order to save disk space.

Ken

------------------------------

End of VIRUS-L Digest
*********************