VIRUS-L Digest   Friday, 5 Jan 1990    Volume 3 : Issue 5

Today's Topics:

Gatekeeper/Disinfectant Problem! (Mac)
Re: Virus Trends (and FAXes on PCs)
SCANV53 (PC)
Introduction to the anti-viral archives
UNIX anti-viral archive sites
Apple II anti-viral archive sites
Atari ST anti-viral archive sites
Amiga anti-viral archive sites
Macintosh anti-viral archive sites
IBMPC anti-viral archive sites
Documentation anti-viral archive sites
Uses of MACs Against Viruses
VIRUS-L Digest V3 #4

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing anti-virus,
document, and back-issue archives is distributed periodically on the
list.  Administrative mail (comments, suggestions, and so forth) should
be sent to me at: krvw@SEI.CMU.EDU.

 - Ken van Wyk

---------------------------------------------------------------------------

Date:    Thu, 04 Jan 90 12:04:00 -0400
From:    Michael Greve
Subject: Gatekeeper/Disinfectant Problem! (Mac)

I originally sent out this message on MACNET but nobody could help.

We have a networked lab with 16 machines.  We have both Gatekeeper and
Gatekeeper Aid.  We are currently using Disinfectant 1.5.  We can use
Disinfectant to check each machine for viruses but when we actually try
and disinfect a machine we get a Gatekeeper violation message.  I've set
Gatekeeper correctly but still it won't let me disinfect.  I used the
Gatekeeper settings that are mentioned in the about section of
Disinfectant.  Still it will not work.  The only way I can disinfect the
lab machines is to boot up off a floppy (that doesn't have Gatekeeper on
it) and then run Disinfectant.
This can be a hassle on the consultant's machine when students come in
and have various viruses on their disks.  We also have SAM and have set
that in Gatekeeper but still get the same message when trying to
disinfect.

Any ideas, help or assistance would be greatly appreciated.

Michael Greve
U. of Pa. Wharton Computing
greve@wharton.upenn.edu

------------------------------

Date:    04 Jan 90 17:40:26 +0000
From:    ras@rayssdb.ssd.ray.com (Ralph A. Shaw)
Subject: Re: Virus Trends (and FAXes on PCs)

Nagle@cup.portal.com says:
> - A FAX message is a bitstream interpreted by an interpreter at
>   the receiving end.  Could it be induced to do something interesting
>   through the use of illegal bit patterns?  Group III is probably too
>   simple to be attacked, but group IV?  Imagine a message which
>   causes a FAX machine to send an extra copy of transmitted documents
>   to another location.

Something that has come to the attention of security paranoids here
lately is that some manufacturers of PC FAX boards have added a feature
that allows the FAX modem to be used as a bisync modem to communicate
with the PC directly, rather than transmitting just FAXes.  I assume the
PC would have to be running some software to enable it and reassign the
console (requiring local intervention), but a networked PC could then
prove to be a leak onto the corporate network, (or at least, for handy
distribution of the Trojan-of-the-month program).  Added to this is the
promise that at least one FAXboard vendor promises that both async and
bisync modem capability will be available in the future.

I don't have the details of which boards provide this "feature", or of
what functionality is really there via this inboard modem and
accompanying software, but will pass on any other details I can ferret
out.
- --
Ralph Shaw
ras@rayssd.ray.com

------------------------------

Date:    Thu, 04 Jan 90 10:24:40 -0800
From:    Alan_J_Roberts@cup.portal.com
Subject: SCANV53 (PC)

The following is forwarded from John McAfee:

SCAN Version 53 has a serious problem with false alarms on the 4096
virus.  The version was unfortunately included in the last-minute
monthly FidoNet distribution and is therefore in the hands of a lot of
people.  If you have version 53 of SCAN please do not use it.  Version
54 is available on CompuServe, Homebase and most of the Fidonet hubs.
My apologies to anyone inconvenienced by my error.

John McAfee

------------------------------

Date:    04 Jan 90 03:26:11 +0000
From:    jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Introduction to the anti-viral archives

# Introduction to the Anti-viral archives...
# Listing of 03 January 1990

This posting is the introduction to the "official" anti-viral archives
of VIRUS-L/comp.virus.  With the generous cooperation of many sites
throughout the world, we are attempting to make available to all the
most recent news and programs for dealing with the virus problem.
Currently we have sites for Amiga, Apple II, Atari ST, IBMPC, Macintosh
and Unix computers, as well as sites carrying research papers and
reports of general interest.

If you have general questions regarding the archives, you can send them
to this list or to me.  I'll do my best to help.  If you have a
submission for the archives, you can send it to me or to one of the
persons in charge of the relevant sites.  If you have any corrections
to the lists, please let me know.

The files contained on the participating archive sites are provided
freely on an as-is basis.  To the best of our knowledge, all files
contained in the archives are either Public Domain, Freely
Redistributable, or Shareware.  If you know of one that is not, please
drop us a line and let us know.  Reports of corrupt files are also
welcome.
PLEASE NOTE
The Managers of these systems, and the Maintainers of the archives, CAN
NOT and DO NOT guarantee any of these applications for any purpose.
All possible precautions have been taken to assure you of a safe
repository of useful tools.

- --
Jim Wright
jwright@atanasoff.cs.iastate.edu

------------------------------

Date:    04 Jan 90 03:31:23 +0000
From:    jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: UNIX anti-viral archive sites

# Anti-viral and security archive sites for Unix
# Listing last changed 30 September 1989

attctc
        Charles Boykin
        Accessible through UUCP.

cs.hw.ac.uk
        Dave Ferbrache
        NIFTP from JANET sites, login as "guest".
        Electronic mail to .
        Main access is through mail server.
        The master index for the virus archives can be retrieved as
                request: virus
                topic: index
        For further details send a message with the text
                help
        The administrative address is

sauna.hut.fi
        Jyrki Kuoppala
        Accessible through anonymous ftp, IP number 128.214.3.119.
        (Note that this IP number is likely to change.)

ucf1vm
        Lois Buwalda
        Accessible through...

wuarchive.wustl.edu
        Chris Myers
        Accessible through anonymous ftp, IP number 128.252.135.4.
        A number of directories can be found in ~ftp/usenet/comp.virus/*.

- --
Jim Wright
jwright@atanasoff.cs.iastate.edu

------------------------------

Date:    04 Jan 90 03:29:54 +0000
From:    jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Apple II anti-viral archive sites

# Anti-viral archive sites for the Apple II
# Listing last changed 30 September 1989

brownvm.bitnet
        Chris Chung
        Access is through LISTSERV, using SEND, TELL and MAIL commands.
        Files are stored as
                apple2-l xx-xxxxx
        where the x's are the file number.

cs.hw.ac.uk
        Dave Ferbrache
        NIFTP from JANET sites, login as "guest".
        Electronic mail to .
        Main access is through mail server.
        The master index for the virus archives can be retrieved as
                request: virus
                topic: index
        The Apple II index for the virus archives can be retrieved as
                request: apple
                topic: index
        For further details send a message with the text
                help
        The administrative address is

uk.ac.lancs.pdsoft
        Steve Jenkins
        Service for UK only; no access from BITNET/Internet/UUCP
        Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
        FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
        Pull the file "help/basics" for starter info, "micros/index" for
        index.  Anti-Viral stuff is held as part of larger micro software
        collection and is not collected into a distinct area.

- --
Jim Wright
jwright@atanasoff.cs.iastate.edu

------------------------------

Date:    04 Jan 90 03:30:11 +0000
From:    jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Atari ST anti-viral archive sites

# Anti-viral archive sites for the Atari ST
# Listing last changed 30 September 1989

cs.hw.ac.uk
        Dave Ferbrache
        NIFTP from JANET sites, login as "guest".
        Electronic mail to .
        Main access is through mail server.
        The master index for the virus archives can be retrieved as
                request: virus
                topic: index
        The Atari ST index for the virus archives can be retrieved as
                request: atari
                topic: index
        For further details send a message with the text
                help
        The administrative address is .

panarthea.ebay
        Steve Grimm
        Access to the archives is through mail server.  For instructions
        on the archiver server, send help to .

uk.ac.lancs.pdsoft
        Steve Jenkins
        Service for UK only; no access from BITNET/Internet/UUCP
        Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
        FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
        Pull the file "help/basics" for starter info, "micros/index" for
        index.  Anti-Viral stuff is held as part of larger micro software
        collection and is not collected into a distinct area.
- --
Jim Wright
jwright@atanasoff.cs.iastate.edu

------------------------------

Date:    04 Jan 90 03:29:34 +0000
From:    jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Amiga anti-viral archive sites

# Anti-viral archive sites for the Amiga
# Listing last changed 30 September 1989

cs.hw.ac.uk
        Dave Ferbrache
        NIFTP from JANET sites, login as "guest".
        Electronic mail to .
        Main access is through mail server.
        The master index for the virus archives can be retrieved as
                request: virus
                topic: index
        The Amiga index for the virus archives can be retrieved as
                request: amiga
                topic: index
        For further details send a message with the text
                help
        The administrative address is

ms.uky.edu
        Sean Casey
        Access is through anonymous ftp.
        The Amiga anti-viral archives can be found in /pub/amiga/Antivirus.
        The IP address is 128.163.128.6.

uk.ac.lancs.pdsoft
        Steve Jenkins
        Service for UK only; no access from BITNET/Internet/UUCP
        Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
        FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
        Pull the file "help/basics" for starter info, "micros/index" for
        index.  Anti-Viral stuff is held as part of larger micro software
        collection and is not collected into a distinct area.

uxe.cso.uiuc.edu
        Mark Zinzow
        Lionel Hummel
        The archives are in /amiga/virus.
        There is also a lot of stuff to be found in the Fish collection.
        The IP address is 128.174.5.54.
        Another possible source is uihub.cs.uiuc.edu at 128.174.252.27.
        Check there in /pub/amiga/virus.

- --
Jim Wright
jwright@atanasoff.cs.iastate.edu

------------------------------

Date:    04 Jan 90 03:31:05 +0000
From:    jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Macintosh anti-viral archive sites

# Anti-viral archive sites for the Macintosh
# Listing last changed 07 November 1989

cs.hw.ac.uk
        Dave Ferbrache
        NIFTP from JANET sites, login as "guest".
        Electronic mail to .
        Main access is through mail server.
        The master index for the virus archives can be retrieved as
                request: virus
                topic: index
        The Mac index for the virus archives can be retrieved as
                request: mac
                topic: index
        For further details send a message with the text
                help
        The administrative address is

ifi.ethz.ch
        Danny Schwendener
        Interactive access through DECnet (SPAN/HEPnet):
                $SET HOST 57434   or   $SET HOST AEOLUS
                Username: MAC
        Interactive access through X.25 (022847911065) or
        Modem 2400 bps (+41-1-251-6271):
                # CALL B050
                Username: MAC
        Files may also be copied via DECnet (SPAN/HEPnet) from
                57434::DISK8:[MAC.TOP.LIBRARY.VIRUS]

rascal.ics.utexas.edu
        Werner Uhrig
        Access is through anonymous ftp, IP number is 128.83.144.1.
        Archives can be found in the directory mac/virus-tools.
        Please retrieve the file 00.INDEX and review it offline.
        Due to the size of the archive, online browsing is discouraged.

scfvm.bitnet
        Joe McMahon
        Access is via LISTSERV.  SCFVM offers an "automatic update"
        service.  Send the message
                AFD ADD VIRUSREM PACKAGE
        and you will receive updates as the archive is updated.
        You can also subscribe to automatic file update information with
                FUI ADD VIRUSREM PACKAGE

sumex-aim.stanford.edu
        Bill Lipa
        Access is through anonymous ftp, IP number is 36.44.0.6.
        Archives can be found in /info-mac/virus.
        Administrative queries to .
        Submissions to .
        There are a number of sites which maintain shadow archives of
        the info-mac archives at sumex:
        * MACSERV@PUCC services the Bitnet community
        * LISTSERV@RICE for e-mail users
        * FILESERV@IRLEARN for folks in Europe

uk.ac.lancs.pdsoft
        Steve Jenkins
        Service for UK only; no access from BITNET/Internet/UUCP
        Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
        FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
        Pull the file "help/basics" for starter info, "micros/index" for
        index.  Anti-Viral stuff is held as part of larger micro software
        collection and is not collected into a distinct area.
wsmr-simtel20.army.mil
        Robert Thum
        Access is through anonymous ftp, IP number 26.2.0.74.
        Archives can be found in PD3:.
        Please get the file 00README.TXT and review it offline.

- --
Jim Wright
jwright@atanasoff.cs.iastate.edu

------------------------------

Date:    04 Jan 90 03:30:47 +0000
From:    jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: IBMPC anti-viral archive sites

# Anti-viral archive for the IBMPC
# Listing last changed 16 December 1989

cs.hw.ac.uk
        Dave Ferbrache
        NIFTP from JANET sites, login as "guest".
        Electronic mail to .
        Main access is through mail server.
        The master index for the virus archives can be retrieved as
                request: virus
                topic: index
        The IBMPC index for the virus archives can be retrieved as
                request: ibmpc
                topic: index
        For further details send a message with the text
                help
        The administrative address is

f.ms.uky.edu
        Daniel Chaney
        This site can be reached through anonymous ftp.
        The IBMPC anti-viral archives can be found in /pub/msdos/AntiVirus.
        The IP address is 128.163.128.6.

mibsrv.mib.eng.ua.edu
        James Ford
        This site can be reached through anonymous ftp.
        The IBM-PC anti-virals can be found in PUB/IBM-ANTIVIRUS
        Uploads to PUB/IBM-ANTIVIRUS/00UPLOADS.  Uploads are screened.
        Requests to JFORD1@UA1VM.BITNET for UUENCODED files will be
        filled on a limited basis as time permits.
        The IP address is 130.160.20.80.

uk.ac.lancs.pdsoft
        Steve Jenkins
        Service for UK only; no access from BITNET/Internet/UUCP
        Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
        FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
        Pull the file "help/basics" for starter info, "micros/index" for
        index.  Anti-Viral stuff is held as part of larger micro software
        collection and is not collected into a distinct area.

uxe.cso.uiuc.edu
        Mark Zinzow
        This site can be reached through anonymous ftp.
        The IBMPC anti-viral archives are in /pc/virus.
        The IP address is 128.174.5.54.

vega.hut.fi
        Timo Kiravuo
        This site (in Finland) can be reached through anonymous ftp.
        The IBMPC anti-viral archives are in /pub/pc/virus.
        The IP address is 130.233.200.42.

wsmr-simtel20.army.mil
        Keith Peterson
        Direct access is through anonymous ftp, IP 26.2.0.74.
        The anti-viral archives are in PD1:.
        Simtel is a TOPS-20 machine, and as such you should use "tenex"
        mode and not "binary" mode to retrieve archives.
        Please get the file 00-INDEX.TXT using "ascii" mode and review it
        offline.
        NOTE: There are also a number of servers which provide access to
        the archives at simtel.
        WSMR-SIMTEL20.Army.Mil can be accessed using LISTSERV commands
        from BITNET via LISTSERV@NDSUVM1, LISTSERV@RPIECS and in Europe
        from EARN TRICKLE servers.  Send commands to TRICKLE@ (for
        example: TRICKLE@AWIWUW11).  The following TRICKLE servers are
        presently available: AWIWUW11 (Austria), BANUFS11 (Belgium),
        DKTC11 (Denmark), DB0FUB11 (Germany), IMIPOLI (Italy), EB0UB011
        (Spain) and TREARN (Turkey).

- --
Jim Wright
jwright@atanasoff.cs.iastate.edu

------------------------------

Date:    04 Jan 90 03:30:29 +0000
From:    jwright@atanasoff.cs.iastate.edu (Jim Wright)
Subject: Documentation anti-viral archive sites

# Anti-viral archive sites for documentation
# Listing last changed 03 January 1990

cert.sei.cmu.edu
        Kenneth R. van Wyk
        Access is available via anonymous ftp, IP number 128.237.253.5.
        This site maintains archives of all VIRUS-L digests, all CERT
        advisories, as well as a number of informational documents.
        VIRUS-L/comp.virus information is in:
                ~ftp/pub/virus-l/archives
                ~ftp/pub/virus-l/archives/predigest
                ~ftp/pub/virus-l/archives/1988
                ~ftp/pub/virus-l/archives/1989
                ~ftp/pub/virus-l/docs
        CERT advisories are in:
                ~ftp/pub/cert_advisories

cs.hw.ac.uk
        Dave Ferbrache
        NIFTP from JANET sites, login as "guest".
        Electronic mail to .
        Main access is through mail server.
        The master index for the virus archives can be retrieved as
                request: virus
                topic: index
        The index for the **GENERAL** virus archives can be retrieved as
                request: general
                topic: index
        The index for the **MISC.** virus archives can be retrieved as
                request: misc
                topic: index
        **VIRUS-L** entries are stored in monthly and weekly digest form
        from May 1988 to December 1988.  These are accessed as log.8804
        where the topic substring is comprised of the year, month and a
        week letter.  The topics are:
                8804, 8805, 8806 - monthly digests up to June 1988
                8806a, 8806b, 8806c, 8806d, 8807a .. 8812d - weekly digests
        The following daily digest format started on Wed 9 Nov 1988.
        Digests are stored by volume number, e.g.
                request: virus
                topic: v1.2
        would retrieve issue 2 of volume 1, in addition v1.index,
        v2.index and v1.contents, v2.contents will retrieve an index of
        available digests and an extracted list of the contents of each
        volume respectively.
        **COMP.RISKS** archives from v7.96 are available on line as:
                request: comp.risks
                topic: v7.96
        where topic is the issue number, as above v7.index, v8.index and
        v7.contents and v8.contents will retrieve indexes and contents
        lists.
        For further details send a message with the text
                help
        The administrative address is

lehiibm1.bitnet
        Ken van Wyk
        new: This site has archives of VIRUS-L, and many papers of
        general interest.
        Access is through ftp, IP address 128.180.2.1.
        The directories of interest are VIRUS-L and VIRUS-P.

uk.ac.lancs.pdsoft
        Steve Jenkins
        Service for UK only; no access from BITNET/Internet/UUCP
        Terminals : call lancs.pdsoft, login as "pdsoft", pwd "pdsoft"
        FTP       : call lancs.pdsoft, user "pdsoft", pwd "pdsoft".
        Pull the file "help/basics" for starter info, "micros/index" for
        index.  Anti-Viral stuff is held as part of larger micro software
        collection and is not collected into a distinct area.

unma.unm.edu
        Dave Grisham
        This site has a collection of ethics documents.
        Included are legislation from several states and policies from
        many institutions.
        Access is through ftp, IP address 129.24.8.1.
        Look in the directory /ethics.

- --
Jim Wright
jwright@atanasoff.cs.iastate.edu

------------------------------

Date:    Thu, 04 Jan 90 14:33:00 -0500
From:    WHMurray@DOCKMASTER.ARPA
Subject: Uses of MACs Against Viruses

First, let me take this occasion to apologize to Y. Radai for my
offenses of style and hyperbole.

Then I would like to comment on his discussion that appeared in VIRUS-L,
Vol. 3, Issue 4 on the indicated cross-over point for sophistication of
the algorithm in generating authenticators for programs.

I tend to agree with most of his observations as they relate to the use
of the authenticator to recognize the contamination of a program in the
target execution environment.  However, I think that I speak for Bob
Bosen as well as myself when I suggest that we both have in mind another
use.

Bob posits the use of a MAC to ensure that programs are received as they
were shipped.  This use offers some protection against contamination of
a program during transit from its trusted author to the point of use.

I go a little further.  I suggest that programs be digitally signed by
their originators.  (For more reasons than need be listed here, I
currently recommend RSA MailSafe for this application.  This is a hybrid
implementation which uses a block-product cipher for processing the
program and RSA for key-management and distribution.)  This use not only
enables the user to know that the program has not been changed since
original shipment from the author, but also enables the author to disown
any late changes.

If the end-user does not know or trust the author, but relies upon some
intermediate authority, such as the NCSC, or his own management, then
the program can be countersigned by this authority.

Note that for this application more time and resource would be available
for an attack.
In addition multiple people would have to rely upon the same algorithm
or mechanism.  These two requirements argue for a strong algorithm of
known strength, i.e., a "standard" one.

We argue that the provenance of a program or other data item is
essential to confidence in it.  Immutability contributes.  While
immutable media, such as CD-ROM, and a record of custody can be made to
work in special cases, digital signatures can be made to work in most.
They are independent of the media and move with the program.

Thus we argue for an additional use that has different requirements than
those considered by the other discussions.

William Hugh Murray, Fellow, Information System Security, Ernst & Young
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

------------------------------

Date:    Thu, 04 Jan 00 19:90:52 +0000
From:    greenber@utoday.UU.NET (Ross M. Greenberg)
Subject: VIRUS-L Digest V3 #4

> I now come to Ross Greenberg's posting in Issue 266.
> ...But Ross implies that users will always prefer a
> "good enough" fast checker like that of FluShot+ over a slow
> sophisticated one.  But can we be so sure that FluShot+ is really
> good enough?

Well, I didn't mean to imply that the method used in my own code was
sophisticated at all.  However, to date, it seems to be good enough: no
virus infection on a checksummed program has gotten through (to my
users' knowledge, naturally) without detection.  I can only assume that
lack of reporting can be equated to lack of infection -- I know that
such thinking leads to strange numbers coming from strange organizations
and (as such) can just ask you to prefix everything below with an "I
think" or an "I feel".

Anyway, that's what I mean by "good enough".  For those users really
worried over things, two checkers would be a good idea.

> How many of its users have the slightest idea how its security
> compares with that of other programs?
The users have to trust the program author of any security product.  As
such, they have to trust that, if a virus were to infect files with a
"zero differential" on the checksumming method I use, that I'd change
the checksumming method.  Yes, there has to be a trust in your vendor.
The real world and the theoretical world do not always agree....

> I don't know whether his algorithm
> satisfies condition (B) above, but it certainly does not satisfy (A),
> i.e. for any given file all users will get the same checksum, and
> that's a potential security hole, at least in the "limited environment"
> situation mentioned at the end of (3) above.  But since this hole can
> be plugged very simply and at no cost in speed, why not do so, Ross?

Easy to code - murder to support!  I have about 15,000 registered users.
They call me with the slightest problem - as they should, and as they're
entitled to.  If they ask me: "Is my COMMAND.COM file infected?", I need
simply ask them what the checksum is.  From that I know the answer.  If
I used some method to generate unique checksums for each user, I'd still
have to have some means to get back to the "real" checksum.  If I could
do that, so could a bad guy, rendering inconvenience only to the bad
guy, and potentially to thousands of users (I average about 50 tech
support calls per day on a $14 product!)

Please understand that I certainly can appreciate the limitations of
using a less sophisticated algorithm within my code as versus something
wonderfully complex.  But, as with any security product, I had to weigh
off security versus convenience considerations.  I like to think I did
an ok job of it: those in doubt need simply use *any* other checksumming
type program in combination with my own to see if I'm right!

Ross M. Greenberg
Author, FLU_SHOT+

------------------------------

End of VIRUS-L Digest
*********************
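The Radai/Greenberg exchange above contrasts an unkeyed checksum, which is the same for every user (Radai's condition (A)), with one keyed per installation, and Greenberg's objection that a per-user value breaks his phone-in support check. The following is an added example, not code from the digest or from FLU_SHOT+: the additive checksum and the sample program bytes are constructed stand-ins (the digest does not say what FLU_SHOT+ computes), and HMAC-SHA256 is the keyed method assumed here.

```python
import hashlib
import hmac
import os

# Constructed sample "program" bytes (stand-in for a file such as COMMAND.COM).
PROGRAM = b"MZ" + bytes(range(256)) * 4
# Constructed modification: a single byte of the program flipped.
MODIFIED = PROGRAM[:100] + bytes([PROGRAM[100] ^ 0xFF]) + PROGRAM[101:]


def additive_checksum(data: bytes) -> int:
    """Unkeyed checksum: sum of all bytes mod 2**16.

    A deliberately simple stand-in for an "unsophisticated" method.
    Every user gets the same value for the same file, which is Radai's
    condition (A): a change that leaves the sum unchanged (a "zero
    differential") is invisible to every installation at once.
    """
    return sum(data) % 65536


def zero_differential_pair() -> tuple:
    """Two different inputs the additive checksum cannot distinguish:
    reordering bytes leaves their sum unchanged."""
    return b"\x10\x20\x30", b"\x30\x20\x10"


def support_desk_answer(reported: int, known_good: int) -> str:
    """Greenberg's support workflow: with an unkeyed checksum the author
    compares a phoned-in value against the known-good one directly."""
    return "unchanged" if reported == known_good else "changed"


def new_installation_key() -> bytes:
    """Per-installation secret that never leaves the user's machine."""
    return os.urandom(32)


def keyed_checksum(key: bytes, data: bytes) -> str:
    """Keyed checksum: HMAC-SHA256 under the installation's secret.

    This is the fix Radai proposes for condition (A): without the key
    nobody can predict the value, so no single modification can be tuned
    in advance to preserve it on every machine.
    """
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed(key: bytes, data: bytes, expected: str) -> bool:
    """Recompute the keyed checksum and compare in constant time."""
    return hmac.compare_digest(keyed_checksum(key, data), expected)


def per_user_values_differ(data: bytes) -> bool:
    """Two installations with their own keys get different values for the
    same file, so the phone-in comparison above no longer works unless
    the author also knows the user's key (Greenberg's support objection)."""
    return keyed_checksum(new_installation_key(), data) != keyed_checksum(
        new_installation_key(), data)
```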