VIRUS-L Digest   Friday, 22 Dec 1989    Volume 2 : Issue 267

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing anti-virus,
document, and back-issue archives is distributed periodically on the
list.  Administrative mail (comments, suggestions, and so forth) should
be sent to me at: krvw@SEI.CMU.EDU.

 - Ken van Wyk

Today's Topics:

CERT Anonymous FTP available
Re: Gatekeeper and Gatekeeper Aid (Mac)
1st Aid Software vs. WDEF (Mac)
More information about virus hearing and CPSR statement
Beware of AIDS fixes
Motivations & Trends
Finding the source of the "AIDS disk"
New anti-virus and anti-trojan programs at SIMTEL20

---------------------------------------------------------------------------

Date:    Thu, 21 Dec 89 11:39:40 -0500
From:    Kenneth R. van Wyk
Subject: CERT Anonymous FTP available

An additional archive site is now available via Anonymous FTP.  The
machine, cert.sei.cmu.edu, carries a complete set of all CERT advisories
to date, the complete (unabridged :-) set of VIRUS-L/comp.virus
archives, as well as several virus documents.

VIRUS-L/comp.virus information is in:

	~ftp/pub/virus-l/archives
	~ftp/pub/virus-l/archives/predigest
	~ftp/pub/virus-l/archives/1988
	~ftp/pub/virus-l/archives/1989
	~ftp/pub/virus-l/docs

CERT advisories are in:

	~ftp/pub/cert_advisories

This information is made available as a public service.  Submissions to
the documentation collection are welcomed, appreciated, and should be
sent to krvw@sei.cmu.edu.

Regards,

Ken

Kenneth R.
van Wyk
Moderator VIRUS-L/comp.virus
Technical Coordinator, Computer Emergency Response Team
Software Engineering Institute
Carnegie Mellon University
krvw@SEI.CMU.EDU
(412) 268-7090  (24 hour hotline)

------------------------------

Date:    21 Dec 89 16:51:03 +0000
From:    bgsuvax!denbeste@cis.ohio-state.edu (William C. DenBesten)
Subject: Re: Gatekeeper and Gatekeeper Aid (Mac)

dmg@retina.mitre.org (David Gursky) writes:

> In VIRUS-L Digest V2 #265, "Carl_A.Fassbender" was
> asking why the Gatekeeper & Gatekeeper Aid icon did not show up after
> he made the files invisible.
>
> The Mac OS does not load INITs that are part of files with the
> Invisible bit set.  [Editorial comment: Hey Apple!  Why?????]  If you
> want to have Gatekeeper active, you must have the file visible on the
> desktop.

Older versions of the system did not do this.  Apple started this
practice shortly after Scores hit the Mac.  The reasoning is that if all
INITs had to be visible, then viruses would have a harder time hiding
from the user.  I believe this to be a good decision.

On lab disks, I set the entire system folder invisible, but leave the
files visible.

N.B. this is my interpretation and recollection of timeframes.

- --
 William C. DenBesten is denbeste@bgsu.edu or denbesten@bgsuopie.bitnet

------------------------------

Date:    21 Dec 89 12:32:00 -0500
From:    "WARTHMAN"
Subject: 1st Aid Software vs. WDEF (Mac)

In VIRUS-L Digest V2 #261, John Norstad writes:

> Unfortunately, when the WDEF virus first appeared, none of the
> current versions of the most popular virus prevention tools were
> able to detect or prevent WDEF infections.  This includes Vaccine
> 1.0.1, GateKeeper 1.1.1, Symantec's SAM Intercept 1.10, and HJC's
> Virex INIT 1.12.

Although it may not be one of "the most popular virus prevention
tools", I wish to point out that the Anti Virus Kit published by 1st
Aid Software was able to detect the WDEF virus without modification to
the software or to a resource list.
The VirusGuard component of the package is a cdev which, like SAM
Intercept, puts up an alert any time a suspicious activity is attempted.
Unlike SAM Intercept and the other virus prevention tools, VirusGuard
was not fooled by WDEF's attempt to bypass the protection.

This is an important characteristic of the new virus.  WDEF appears to
be a new generation of virus which not only tries to hide from humans
but also goes to some length to hide from anti-virus software.  The war
is escalating...

I believe that 1st Aid Software in general, and Bob Reese in particular,
deserve some recognition for being the _only_ tool to successfully
handle WDEF.  In fact, if this package was more widely used perhaps WDEF
would have been caught sooner and would have spread far less than it
appears to have...

1st Aid Software can be contacted at (617)783-7118.
Bob Reese can be reached via:
	Compuserve  71141,3061
	Applelink   D3791

Disclaimer: I have no connection with the company or the products, aside
from being a satisfied user.

- -- Jim Warthman

------------------------------

Date:    Wed, 20 Dec 89 17:06:21 -0800
From:
Subject: More information about virus hearing and CPSR statement

I've received several requests for the CPSR statement and for more
information about the computer virus hearing.  Please send this message
along to other networks.

The House Judiciary Committee hearing on computer virus legislation will
be aired on C-SPAN on Saturday, December 23 (8:45 am to 11:00 am EST)
and Sunday, December 24 (1:30 am to 3:35 am EST).  For more information,
contact C-SPAN at 202/628-2205.

The date of the original hearing was November 8.  The witnesses included
two members of Congress, and representatives from NIST, ADAPSO, CBEMA,
and CPSR.

The prepared statement of CPSR is available from the Washington Office
of CPSR for $5 to cover copying and postage.  The complete statement is
26 pages long and contains detailed notes about the virus controversy
and computer security policy.
A short summary (about 10k) is available by e-mail.

If you would like either version, please send me an e-mail note and
indicate your choice.  For the complete statement, I need your US mail
address.

Best holiday wishes,

Marc.

Marc Rotenberg, Director
Washington Office CPSR
1025 Connecticut Ave., NW
Suite 1015
Washington, DC 20036
202/775-1588 (voice)
cdp!mrotenberg@arisia.xerox.com
rotenberg@csli.stanford.edu

------------------------------

Date:    22 Dec 89 05:53:51 +0000
From:    spaf@cs.purdue.edu (Gene Spafford)
Subject: Beware of AIDS fixes

I've been reading a lot of the traffic about the AIDS trojan disk.  I've
noticed that a number of places are claiming they have programs that
"fix" your disks and/or watch for reinfection.

I don't mean to impugn any of those efforts, but let me sound a few
notes of caution about these, as with any security software you are
offered:

1) How do you know they work?

2) How do you know they don't have bugs that might trash your system?

3) How do you know that they aren't introducing some other trojan or
   virus into your system while cleaning up something else?

In particular, #3 concerns me.  Suppose the authors of the AIDS trojan
are out there, and have created a "fixer" program that cleans up the
AIDS problem but plants a new and far more damaging trojan on the
victim's disk.  Just think -- everyone is in a panic about the AIDS bit,
so they jump at the opportunity to get a fix.  Just think how much more
wide-spread the result might be than the original AIDS problem.
Furthermore, since a fix might have to write to system files and do
special operations, warning messages from virus monitors like FluShot+
might be ignored by users as these fixes are run.

Of course, #2 is a problem, too.  Buggy software is all too common,
especially when it is written under pressure.

Be very sure you know what you're running.  If you don't get source code
and build it yourself, be sure to ask yourself how you know it is doing
what you think it is.
- --
Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet:  spaf@cs.purdue.edu	uucp:	...!{decwrl,gatech,ucbvax}!purdue!spaf

------------------------------

Date:    22 Dec 89 06:19:13 +0000
From:    spaf@cs.purdue.edu (Gene Spafford)
Subject: Motivations & Trends

At various seminars during the past few months, I've been making a few
statements about the motives behind viruses and related threats (like
the AIDS diskette).  I'd like to share them with this audience, too.  I
hope I'm wrong about these, but....

Theorem #1) The majority of viruses written so far have been done for
"sport," by people who have been trying to prove that they can write
viruses.  Others are possible experiments that got away, and a few
specific cases of revenge.

Theorem #2) Within a year or so, writing viruses for "sport" will almost
cease to happen.  They are becoming so well known and such a nuisance,
and software guards are such that casual attempts will not be tried nor
will they be successful if tried.

Theorem #3) We will see more cases of viruses, etc. written as acts of
political terrorism and as acts of extortion.  Examples of
politically-related computer attacks have occurred recently: the Stoned
(New Zealand) virus, the Dukakis Mac virus, the FuManchu virus, the NASA
"wank" worm, and perhaps the current AIDS trojan horse.  These will be
much more cleverly written and well-funded attacks as time goes on.
(Imagine viruses that flash messages like: "Experiment with Computers,
not Animals," "Save the Unborn," "Ban Nuclear Power," "Free Palestine,"
etc.)

Theorem #4) Within the next few years, there will be at least one major
problem where some purported anti-viral/security software will be made
available, and it will contain a logic bomb or trojan horse in it that
causes more damage than what it is supposed to fix.
(Minor thesis: the likely author of such software will be someone
marketing commercial security software, and the logic bomb version will
be a public-domain package not traceable to the author.  The purpose --
to discredit public domain anti-virus software.)

Theorem #5) Too many people will continue to seek a software solution
even though the problem is only partially in software.  Thus, we aren't
going to see an end to the problem for a long time to come.

Comments?  Discussion?

- --
Gene Spafford
NSF/Purdue/U of Florida Software Engineering Research Center,
Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004
Internet:  spaf@cs.purdue.edu	uucp:	...!{decwrl,gatech,ucbvax}!purdue!spaf

------------------------------

Date:    Thu, 21 Dec 89 23:55:53 -0800
From:    Nagle@cup.portal.com
Subject: Finding the source of the "AIDS disk"

It may yet be possible to trace this thing.  The perpetrators probably
didn't plan on the U.S. invading Panama.  If the appropriate authorities
in the UK make the proper requests of the US while there are still
24,000 US troops in Panama, the needed information might be extracted.

John Nagle

------------------------------

Date:    Thu, 21 Dec 89 14:18:00 -0700
From:    Keith Petersen
Subject: New anti-virus and anti-trojan programs at SIMTEL20

I have uploaded the following files to SIMTEL20, obtained from the
HomeBase BBS:

pd1:
AIDSOUT.ARC	AIDS Trojan remover, use after SCANV
A-VIRUS1.ARC	Information on AIDS Trojan
SCANRS52.ARC	Resident virus infection prevention program
SCANV52.ARC	VirusScan, scans your disk for 56 viruses

- --Keith Petersen
Maintainer of SIMTEL20's CP/M, MSDOS, & MISC archives [IP address 26.2.0.74]
Internet: w8sdz@WSMR-SIMTEL20.Army.Mil, w8sdz@brl.arpa
BITNET: w8sdz@NDSUVM1
Uucp: {ames,decwrl,harvard,rutgers,ucbvax,uunet}!wsmr-simtel20.army.mil!w8sdz

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253