VIRUS-L Digest             Tuesday, 18 Apr 1989         Volume 2 : Issue 92

Today's Topics:

hardware write locks
Review of THE COMPUTER VIRUS CRISIS
Amiga Floppy Write Protection
possible new VIRUS (PC)
The Laplink III Virus (PC)

---------------------------------------------------------------------------

Date:    Mon, 17 Apr 89 15:41:50 CDT
From:    "Len Levine"
Subject: hardware write locks

>From: Bruce Ide
>
>If the virus needs to access the disk to spread why not have the
>computer manufacturers modify their HARDWARE slightly so that any disk
>writes are questioned? It would get irritating to users, true, but if
>you don't specify save and a write occurs, I expect it would be
>questioned and perhaps the user would even have enough sense to deny
>access... This idea as I have it now is very rough... With some
>polishing, it might be ok, but you've probably had ones like it
>before, and I could probably read all about it if I felt like digging
>through several years worth of archives :)

There are such products commercially available. They permit tracks on
the hard disk to be marked as read-only, track by track. Because of
the use of FAT, however, this requires that entire logical devices be
made read-only or read-write.

I have one such commercial device and it works just fine.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine               e-mail len@evax.milw.wisc.edu |
| Professor, Computer Science             Office (414) 229-5170 |
| University of Wisconsin-Milwaukee       Home   (414) 962-4719 |
| Milwaukee, WI 53201 U.S.A.              Modem  (414) 962-6228 |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

------------------------------

Date:    Mon, 17 Apr 89 17:11:46 EST
From:    Mark Paulk
Subject: Review of THE COMPUTER VIRUS CRISIS

The following review was done for IEEE Computer and may be of some
interest to the VIRUS-L readers. I have added some of my notes which
summarize the errors and misleading statements I saw in the book after
the review.
If anyone notes any factual errors in the review, please e-mail me,
and I'll try to correct them before publication.

--------------------

THE COMPUTER VIRUS CRISIS
Philip Fites, Peter Johnston, and Martin Kratz
(Van Nostrand Reinhold, New York, NY, 1989, 171 pp.)

The objective of THE COMPUTER VIRUS CRISIS is to inform personal
computer users about the virus phenomenon. It is written for people
without in-depth technical backgrounds.

THE COMPUTER VIRUS CRISIS defines viruses, worms, and Trojan horses,
and the types of thing that viruses have and can do to computers.
Famous viruses such as the MacMag, nVir, and Brain viruses are
described. High risk practices are discussed, and "safe hex" practices
recommended. Software for preventing, detecting, and recovering from
viruses is discussed, and anti-viral software packages are listed,
along with contacts for obtaining the software.

I looked forward to reviewing this book. Computer viruses are a hot
topic. Viruses have allegedly been written by 14-year-olds (the
HyperAvenger virus). Approximately 350,000 Mac users were reportedly
hit by the MacMag virus. Unfortunately THE COMPUTER VIRUS CRISIS is
not the book that I want.

THE COMPUTER VIRUS CRISIS is aimed at a non-technical audience.
Schoolteachers, accountants, or managers may find it fascinating, but
for software professionals the technical content is minimal. As such
its value to a professional audience is small. The list of antiviral
software packages may be of value, but such a list quickly becomes
dated. One concern is the statement in some package descriptions that
"no indication is given in the documentation as to whether this is
freeware, shareware, or a commercial product." I have to feel that the
book was rather hastily put together if the status of the antiviral
packages is not available.

In reviewing the technical content of the book, I counted 18
statements that I considered misleading or erroneous.
These errors ranged from the fairly trivial to what I consider serious
mistakes. For a trivial example, Fred Cohen being credited as having
coined the term "virus." Len Adleman is generally credited with having
coined the term; Dr. Cohen is credited with doing the first serious
research in computer viruses.

A more serious example is the suggestion that you can be exposed to a
virus if you are on a net even if you practice "safe hex." While you
may be exposed to a worm program if your computer is networked,
viruses are not related to computer networks at all. A virus is a
program that reproduces by modifying existing programs and files. A
worm is a program that replicates itself through a network. The
distinction can blur at times, and the term virus has been misused in
the media so much that its technical meaning is seriously compromised
(the Internet worm was originally reported as the Internet virus).

Fites, Johnston, and Kratz define virus correctly in THE COMPUTER
VIRUS CRISIS, even pointing out that viruses need not be malicious (a
point frequently overlooked in today's turmoil). However, they state
that worms alter data and code whenever they can get access. Neither
viruses nor worms are inherently malicious. Shoch and Hupp's original
work with worms at Xerox PARC ("The Worm Programs - Early Experience
with a Distributed Computation," CACM, March, 1982, pp. 172-180) was
aimed at harnessing unused resources. Research in this area has
significant implications for parallel computing.

Fites, Johnston, and Kratz consult on computer security and legal
issues, and this bias leads to some interesting, if questionable,
statements. First, that most viruses spread through various violations
of copyright laws or licenses. Second, that piracy has been a major
cause of a lot of problems, including buggy programs and vaporware
(the statement is also made that vaporware comes from releasing buggy
versions of program, but the definition in the glossary is correct).
Third, that games are specifically targeted by viruses. There is even
a brief discussion of security problems such as piggybacking
communication lines, traffic analysis, and the salami technique.

While I certainly would not wish to appear to condone software piracy,
viruses are eclectic in their attacks. They are just as happy to
attack a licensed spreadsheet program as a bootlegged game - and the
attack proceeds in the same manner. The only example of a specific
application being attacked that I am aware of is the ERIC and VULT
targeting by the Scores virus (ERIC and VULT were internal proprietary
trade secret developments at EDS that Scores checks for specifically).

THE COMPUTER VIRUS CRISIS reiterates one recommendation, however, that
I agree with wholeheartedly. "Backups are the single most important
action you can take to protect yourself against viral attack. They are
also the lowest cost." Backups are vital even if you are never
infected by a virus. A disk crash can be much more damaging than a
virus.

In summary, THE COMPUTER VIRUS CRISIS appears to have been written
quickly. It has numerous inconsistencies and errors and is not written
for a technical audience. A non-technical audience, however, would
find the book of some value. A technical audience would find the
ongoing discussion on the VIRUS-L BITNET newsgroup, moderated by
Kenneth van Wyk of Lehigh University, of much more value until a
better book is written.

Mark C. Paulk
Software Engineering Institute

----------------------------------------

Fred Cohen coined the term "virus" (5)
worms alter data and code whenever they can get access (6,155)
350,000 Mac users were hit by the MacMag virus (9) basis?
exposed to virus if you are on a net even if you practice "safe hex" (11)
mainframes in different configurations even with same OS may not be
  very vulnerable to virus (12)
Brain virus variation infecting Mac systems (30)
PLO virus infects Amiga systems (36)
anthropomorphic virus in example acting as worm (47)
virus may spread through e-mail (50)
IBM Christmas card was large high-res graphics picture (50)
viruses can hide in CMOS (60) misleading?
games are specifically targeted by viruses (77)
most viruses spread through various violations of copyright laws or
  licenses (79)
virus can infect program during development (81) misleading?
vaporware comes from releasing buggy versions of program (84)
  def is right (154)
piracy has been a major cause of a lot of problems, including buggy
  programs and vaporware (85)
an original, non-bootable diskette ... there's no system on the
  diskette to get infected (88)
some anti-viral packages: no indication is given in the documentation
  as to whether this is freeware, shareware, or a commercial product (143)
many viruses are also worms (155)

------------------------------

Date:    Tue, 18 Apr 89 4:14:57 EDT
From:    Sean Casey
Subject: Amiga Floppy Write Protection

Someone stated a short while back that Amiga floppy disk write
protection could be disabled in software.

This is not true. The floppy disk drive hardware has a hardware write
interlock. There is absolutely positively no way in the universe to
write to an Amiga floppy drive if the disk is write-protected. An
Amiga floppy is 100% protected from attacking viruses if it's write
protected.

This information was posted a while back to the Usenet comp.sys.amiga
newsgroup by at least one Commodore-Amiga technical staff member, and
by Dale Luck, one of the original designers of the Amiga 1000.

Sean Casey

--
***  Sean Casey                          sean@ms.uky.edu, sean@ukma.bitnet
***  What, me worry?                     {backbone|rutgers|uunet}!ukma!sean
***  ``A computer network should be considerably faster than a slug.'' -Me

------------------------------

Date:    Tue, 18 Apr 89 10:42:03 PDT
From:    rogers@marlin.nosc.mil (Rollo D. Rogers)
Subject: possible new VIRUS (PC)

This is a new one on me. Do you know anything about this possible new
virus? I have contacted the originator of this E-mail msg and asked
for more details.

-------
Original-Date: 17 Apr 89 21:04:15 GMT
Original-From: atariman@bsu-cs.UUCP
Original-Subject: DEN ZUK virus HELP!!!

I work for a University Department called Computer Competency. Just
recently we have been starting to be attacked by the DEN ZUK virus. It
seems to render the disk useless after re-booting a few times. I am
sure that we are not the first place that this virus has hit, so I
will not discuss the details. What I need is help on how to get rid of
the virus. Any program, technique, anything would be helpful. This is
rather a timely problem, so help as soon as possible would be
appreciated. The department has just about conquered Macintosh
viruses, it would be nice if we could stop the IBM viruses before they
really get started. Thank you for any help.

Jeff Scott
Computer Competency Department
Ball State University

------------------------------

From:    "Len Levine"
Subject: The Laplink III Virus (PC)
Date:    Tue, 18 Apr 89 14:21:09 CDT

Quoted without permission.

The April 10 issue of InfoWorld on Page 11 has a 1/4 page article
titled:

New Laplink Capable of Reproducing
Viruslike Data-Transfer Programs Self-Replicate on Remote PCs
by Mark Brownstein

Hoping to prove that not all computer viruses are bad, a pair of
data-transfer programs that use viruslike, self-replicating code to
reproduce themselves on remote PCs is being prepared for release later
this year.

Laplink III from Traveling Software will be capable of replicating
itself onto another system, according to Mark Eppley, president of
Traveling Software.
The $139.95 software, which is designed to pass data between two PCs,
will be capable of detecting if a target computer does not have
Laplink installed. If the system detects that the target computer does
not have Laplink, it will install the program and initiate the data
transfers.

[ ... material deleted about speed, shipdate, another system called
Fast Lynx from Rupp Corp. that uses a 7 conductor serial cable, and
phone numbers ... ]

I called Traveling Software at 1-800-343-8080 and asked to speak to a
technical person. I identified myself as a University Professor in
Computer Science and asked "Does this permit me to connect my laptop
with a desktop PC showing the A> prompt and have my laptop transfer
Laplink III to the desktop."

She said: (here I raise my hand in affirmation) "Yes it does."

I then asked if it was necessary to turn either machine on. She was
not sure. I then asked to speak to a specialist.

The specialist had a different story. She said that the newspaper
article had some errors. She said that it was necessary to run Laptop
III on the laptop and to execute some mode commands on the desktop and
(as I remember it) a copy command. She said that the advantage of the
Laptop software was that it was not necessary to have a disk with you
that fit the desktop in order to mount the software on the pair.

I agreed with the technique and with the advantage of using such a
system.

We may rest easy. This new software does not sneak down the wire and
infect your office machine. For a moment there I was in grave doubt.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine               e-mail len@evax.milw.wisc.edu |
| Professor, Computer Science             Office (414) 229-5170 |
| University of Wisconsin-Milwaukee       Home   (414) 962-4719 |
| Milwaukee, WI 53201 U.S.A.              Modem  (414) 962-6228 |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

------------------------------

End of VIRUS-L Digest
*********************