VIRUS-L Digest Monday, 24 Apr 1989 Volume 2 : Issue 97 Today's Topics: Worms and Trojan Horse talk at NETCON. Request for guest speakers. Re: McAfee's SENTRY a-v software (PC) Congress catches the computer virus bug... Using Checkfunctions For Virus Detection (General Interest) BALL VIRUS (PC) --------------------------------------------------------------------------- Date: Fri, 21 Apr 89 18:52 EDT From: John McMahon - NASA GSFC ADFTO - Subject: Worms and Trojan Horse talk at NETCON. Conference Announcement: NETCON 1989 - A meeting of BITNET users in Baltimore, Maryland during Memorial Day weekend will feature the following speakers during the Saturday technical sessions: David Bolen - Speaking on the XYZZY utility Valdis Kletnieks - Speaking on RELAY Version 2 John McMahon - Speaking on Worms, Trojan Horses and Computer Networking. For further information contact Reba Taylor at REBAT@VTVM1.BITNET and Joe Ogulin at P12I1798@JHUVM.BITNET I figured that was a good way to plug my upcoming talk at NETCON 1989. For those of you who are curious, "Worms, Trojan Horses and Computer Networking" will be an hour (or so) long talk where I will be doing a novice level review of three networking "events". The CHRISTMAS EXEC Trojan Horse (and similar) on BITNET, The Father Christmas Worm on SPAN/HEPNET, and (of course) the Morris Internet Worm. I plan to point out during my talk that BITNET is beginning to coexist with other networks (e.g. JNET over SPAN & HEPNET, BITNET2 over NSFnet) and that an "attack" on another network can affect BITNET. Similarly, I am going to talk a bit about "the costs" that a worm attack can incur. Costs in wasted time, personnel, network resources and the legal costs. Obviously I want to discourage this kind of foolishness (worms), my machine is on several networks! If you are interested in attending, or wish to learn more about NETCON, please contact Reba Taylor at REBAT@VTVM1 and/or Joe Ogulin at P12I1798@JHUVM.BITNET Any questions/suggestions/comments about my talk can be directed to me... +------------------------------------+-----------------------------------+ |John "Fast Eddie" McMahon |Span: SDCDCL::FASTEDDY (Node 6.9) | |Advanced Data Flow Technology Office|Arpa: FASTEDDY@DFTNIC.GSFC.NASA.GOV| |Code 630.4 - Building 28/W255 |Bitnet: FASTEDDY@DFTBIT | |NASA Goddard Space Flight Center |GSFCmail: JMCMAHON | |Greenbelt, Maryland 20771 |Phone: x6-2045 | +------------------------------------+-----------------------------------+ ------------------------------ Date: Sat, 22 Apr 89 16:12 EST From: Space, the final frontier.... Subject: Request for guest speakers. I've been recently elected secretary of the Xavier University chapter of the ACM and I'm sending out a request for guest speakers on the subject of viruses/worms/trojan horses for the fall semester of this year. If anyone is interested or knows of someone that would be interested, please contact me. My address is KUMMER@XAVIER.BITNET. Thanks in advance, Tom Kummer ------------------------------ Date: Sat, 22-Apr-89 13:20:56 PDT From: portal!cup.portal.com!Gary_F_Tom@Sun.COM Subject: Re: McAfee's SENTRY a-v software (PC) In VIRUS-L #2.96, David Bader writes about John McAfee's SENTRY anti-viral program, and concludes that "frankly --it is worthless." I tried SENTRY myself before forwarding it to the VIRUS-L moderator, and I'd like to try to address David's concerns. David states: > I followed the instructions on installation, and it automatically > places itself in autoexec.bat and reboots (maybe John, you could have > told me that you were going to modify my file, or that you would do a > cold boot - for me, it matters.) The SENTRY.DOC installation instructions state: "The SENTRY installation will re-boot your system and then begin its logging function. It will create a log file called SENTRY.LOG and store it at the root of your boot disk. It will then install the SENTRY check routine at the root of your boot disk and include it as the first program in your autoexec.bat routine. SENTRY.COM MUST REMAIN THE FIRST INSTRUCTION IN YOUR AUTOEXEC IN ORDER TO OPERATE CORRECTLY." In addition, the SENTRY installation program prints a message that it is "Ready to re-boot this system," warns the hard-disk user to remove any floppy disks, and prompts for a key-press before automatically re-booting. I thought the instructions and the program messages were clear enough about what would happen during installation. I was only surprised that installation took much less time than I thought it would, knowing that the program had to scan the entire disk directory and examine every executable file. > Anyway, After Sentry did a check of filesize and a random checksum > at the beginning, middle, and end of every file on my harddisk, it > told me nothing. After its initial installation, there is nothing to tell. David might have misunderstood the purpose of SENTRY. It assumes that you start with a virus-free system environment, and attempts to detect viral infections by warning you of changes in that environment. The installation process does not look for pre-existing viruses, so no messages about them are printed. > Ok, so I run Sentry a second time just to see what happens and I get > told my interrupt vectors have changed and I should contact someone > because that could mean a virus. Have you ever heard about > FASTOPEN, or FluShot Plus, or one million other programs that I give > permission to to take over my interrupt vectors? As emphasized in the installation instructions, SENTRY must be run as the first program in AUTOEXEC.BAT (that is, immediately after booting and loading CONFIG.SYS drivers) in order to work correctly. The interrupt vectors and programs are checked against the log at that time. If they match, then after that it doesn't matter which of those programs you load or what interrupt vectors they use -- they should all be free of viruses. > ... And then, after taking a minute to scan all my files, I would > appreciate "XXXXX file changed since last use" - NOT "3 files were > modified". Useless, John, absolutely useless. This comment baffles me. My experience has been that whenever SENTRY finds a changed file, it stops, displays the filename and a message about what has changed, and then waits for the user to press a key. For example: WARNING - The file C:\UTIL\LIST.COM has different time. A VIRUS INFECTION MAY HAVE OCCURRED PLEASE SEE THE SENTRY USER MANUAL FOR INSTRUCTIONS PRESS ANY KEY TO CONTINUE Only at the end of its checking does it print a summary line: 250 files checked. 1 changes detected. Perhaps David is using an older version of SENTRY, not the one that I sent to Ken. In any case, I hope that David's unhappy experience does not dissuade interested parties from trying the program out for themselves. For me, SENTRY offers a good combination of safety (provided by early detection of possible infections), convenience (automatic checking whenever the machine is booted), compatibility (no interrupt vector or memory buffer conflicts), and performance (checking is fast, re-installation is fast, and since it is non-resident, it does not take cpu cycles or memory away from other programs). It's true that SENTRY does not prevent viral infections from occurring, nor does it remove viral infections once they have occurred. As a tool for quickly detecting new viral infections, however, I find it to be far from "useless." Gary Tom garyt@cup.portal.com sun!portal!cup.portal.com!garyt ------------------------------ Date: Sun, 23 Apr 89 14:45:08 EST From: dmg@mwunix.mitre.org Subject: Congress catches the computer virus bug... I received the following message from the internal security conference at MITRE. I thought others here might have some observations on this... David Gursky Member of the Technical Staff, W-143 Special Projects Department The MITRE Corporation ------- Forwarded Message Forum-Transaction: [0753] in the >site>forum_dir>bb meeting Transaction-Entered-By: LGMartin.SAISS@DOCKMASTER.ARPA Transaction-Entered-Date: 24 Feb 89 16:42 EDT The Senate Judiciary Committee is holding a public hearing on viruses on Tuesday, 28 February 1989, in Room 226 of the Dirksen Senate Office Building from 1000 to 1300. I have not heard who is going to testify, but I assume it is preliminary to any vote on the Virus Eradication Act of 1989. Larry. [Ed. Meeting delays deleted...] ====================================================== Forum-Transaction: [0755] in the >site>forum_dir>bb meeting Transaction-Entered-By: JWilliams.Grapevine@DOCKMASTER.ARPA Transaction-Entered-Date: 28 Feb 89 10:36 EDT I have commented on the draft of HR 55 as of 1/27/89, and it is essentially similar in wording to Al's citation, except that I believe it now invokes a maximum penalty of 20 years. Be that as it may, I believe much work is needed on the wording: for instance, it appears that to me that the Internet Worm would not have been illegal if it had functioned as intended: a one-time surreptitions invasion, and low-level reproduction. ======================================================= Forum-Transaction: [0756] in the >site>forum_dir>bb meeting Transaction-Entered-By: AArsenault.Standards@DOCKMASTER.ARPA Transaction-Entered-Date: 1 Mar 89 08:30 EDT Thanks, Mike, for the update. Of particular concern to me in the bill is that it doesn't seem to do a good job of defining precisely what is illegal. Based on the '88 text, it seems clear that if I give you a program that I know has a bug in it, and don't tell you, I'm guilty under this bill. (Granted, I should not have given you a program with a known bug without telling you, but I really don't think that that was what the bill's authors had in mind.) What's worse, I'm not sure I'm safe from prosecution if I give you a text editor/word processing package that works properly! (Why do I say that? Because every text editor/word processor I know of has commands that can cause "damage" - by deleting things! Thus, the case comes down to a question of whether or not I "told" you about the damage that can be done by using the delete commands. I've seen a lot of documentation that did NOT have big red warning signs all over the place, warning people about what can happen. And then, of course, since DOS has a command that will let me format my hard disk, and that's not well documented at all, maybe we can start going after people big time. A felony for shoddy documentation!) (Of course, one can defend against prosecution by claiming that the text editor /word processor/operating system did in fact contain documentation describin what could happen if the user wasn't careful. But then, so could the writer of a "real virus". After all, if one ran the executable file through a debugger before execution, one would see the ASCII strings identifying the file as a virus, and warning that executing it would be hazardous to one's health.) Al NOTE: THE ABOVE OPINIONS ARE MINE. MINE AND NOBODY ELSE'S. UNDER NO CIRCUMSTANCES SHOULD THEY BE INTERPRETED AS REPRESENTING ANYBODY ELSE - OR ANY ORGANIZATION, WHETHER I WORK FOR IT OR NOT!! ON TOP OF THAT, I AIN'T NO LIARYER, JUST A PLAIN AND HUMBLE LAYMAN WHAT SPEAKS UP OUT OF TURN ON OCCASION. [Ed. More meeting delays...] ------- End of Forwarded Message ------------------------------ Date: Sun, 23 Apr 89 16:53:37 EST From: dmg@mwunix.mitre.org Subject: Using Checkfunctions For Virus Detection (General Interest) I've been going through the Virus-L archives doing some background for my work on viruses here at MITRE. I'm up to late June of last year, when there was a strong debate about the merits of using a checkfunction to detect the presence of viruses in applications. To remind everyone, the consensus at that time was that using a checkfunction in such a manner would only be effective against the simplest of viruses, that an advanced virus would be resiliant against detection in such a manner. I believe it is possible to use a checkfunction in a constructive manner to detect even the most advanced computer viruses, and it involves a technique called a "cryptographic checkfunction". In a normal checkfunction, your have an arbitrarily long string x (which is really an application) that you apply to function [f(x)] that results in the value for your checkfunction value. A cryptographic checkfunction adds an addition function [lets call it q(x)] that encrypts an arbitraily long string. Instead of making the result of f(x) being the checkfunction value, the result of f(q(x)) is the checkfunction value. Any foreign data (z) inserted into x would not only have to take into account how the checkfunction [f(x)] operates, but how the encryption algorithm [q(x)] operates. This task can be made even more difficult by choosing a key for q(x) that is dependent upon x itself. [In other words, suppose your have the string X1 X2 X3 X4. You apply this string to q(x) and the result is Y1 Y2 Y3 Y4. Now suppose you have a virus string Z1 Z2 that inserts itself into X1... so you now have (for instance) X1 X2 X3 Z1 Z2 X4. The result of applying this to q(x) would be something like Y1 Y2 Y3 A1 A2 A3, instead of Y1 Y2 Y3 A1 A2 Y4.] A problem with this is key-dependent encryption algorithms are not exactly speed demons, but the new generation of microprocessors may have the horse- power for them to be used effectively. Comments anyone? David Gursky Member of the Technical Staff, W-143 Special Projects Department The MITRE Corporation ------------------------------ Date: Mon, 24 Apr 89 14:23:12 TST From: Koyun@TRBOUN Subject: BALL VIRUS (PC) HI! I HAVE AN IBM PC-XT COMPATIBLE. LAST DAY WHEN I LOOKED FOR A PROGRAM I SEE THAT ONE OF MY PROGRAM WAS DESTROYED.THERE WAS A BAD CULSTER ON IT. WHEN I TRY TO VERIFY HARDDISK SUDDENLY A BALL OCCURED AND BEGAN TO HIT BORDERS AND LETTERS,AND WHEN I TRY TO VERIFY IT OCCURS AGAIN. IF SOMEBODY KNOW ANYTHING ABOUT THIS VIRUS OR HAVE AN INJECT,PLEASE SEND ME . MY ADRESS IS KOYUN@TRBOUN.BITNET THANKS..... TAN KOYUNOGLU BOSPHORUS UNIVERSITY ------------------------------ End of VIRUS-L Digest Downloaded From P-80 International Information Systems 304-744-2253