VIRUS-L Digest Monday, 8 Jan 1990 Volume 3 : Issue 6 Today's Topics: re: comment by William Hugh Murray Re: Spafford's Theorems Gatekeeper Privileges (MAC) Questioning ethics at computing sites The Amstrad virus (PC) Re: Where to Get Mac Anti-Virals Jerusalem B problem (PC) Re: Authentication/Signature/Checksum Algorithms Re: Virus Trends (and FAXes on PCs) Alternative Virus Protection (Mac) Murray's Theorems (Was Re: Spafford's Theorems) Implied Loader 'Pack' Virus (Mac) Re: Virus Trends (and FAXes on PCs) Re: Viruses Rhyme And Reason VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk --------------------------------------------------------------------------- Date: Thu, 04 Jan 90 23:01:00 -0500 From: "Gerry Santoro - CAC/PSU 814-863-4356" Subject: re: comment by William Hugh Murray In V3 N1 of Virus-L Digest, William Hugh Murray wrote: >2. The press speculation about the DATACRIME virus was much more >damaging than the virus. For the sake of academic argument I would dispute this. I agree that the actual damage from Datacrime (or Oct 13 or whatever) was minimal, and virtually nonexistent on our campuses, and I would also agree that there was mucho media hype. However, I really think that there was a major benefit to all of this. As Mr. Murray correctly pointed out, much more users damage their own data than are damaged by 'nasty' software. The Oct 13 scare made our users, who number in the tens of thousands, FINALLY listen to our pleadings to make backup copies of their software and data. The situation is similar to that with seat belts. Few of us are actually in an accident, but if we see one (or the effects) it may cause us to wear the belts, which *may* save our lives. In the case of the Oct 12 virus we had one grand chance to get people to listen to our message regarding making backups and preparing for the chance of disaster, whether by accident, ignorance, hardware failure or 'nasty' software. - ------------------------------------------------------------------------------- | | gerry santoro, ph.d. -- center for academic computing | | | -(*)- penn state university -- gms@psuvm.psu.edu -- gms@psuvm.bitnet -(*)- | | | standard disclaimer --> "I yam what I yam" | | - ------------------------------------------------------------------------------- ------------------------------ Date: Fri, 05 Jan 90 04:46:06 +0000 From: soup@penrij.LS.COM (John Campbell) Subject: Re: Spafford's Theorems WHMurray@DOCKMASTER.ARPA writes: > 1. The amount of damage to data and availability done by viruses to date > has been less than users do to themselves by error every day. OK, OK. True enough, though we don't often like to be reminded of this. > 4. Viruses and rumors of viruses have the potential to destroy society's > already fragile trust in our ability to get computers to do that which > we intend while avoiding unintended adverse consequences. This is the most worrying aspect of virus/trojan/worm infections. We have a population which has no intrinsic immune system which leaves itself open to such attack. Vectors now consist of communications networks (BBS and other means) as well as physical media. Since we are moving towards a networked future we will need immune systems in our computers- society (all of us) are currently subject to these terrorist acts (like the tylenol scare). Remember- any linchpin/choke point in technology, be it transportation, food delivery, water supply, communications is subject to interruption by killers. Set some of these loose in a Hospital and the virus writer is _at least_ as dangerous as the individual who slips cyanide into food and drug products. > 5. We learn from the biological analogy that viruses are self-limiting. We also learn that when the population is large enough for the entity to take advantage of, an entity will attempt to take hold. Once we had standard PC's (and Macs, Amigas, etc) we then had a "fixed" cellular mechanism to subvert. S-100 systems which lacked such standardization were not subject; even the "standard" S-100 systems did not constitute a large enough population to invite attack... > Clinically, if you catch a cold, you will either get over it, or you > will die. Epidemiologically, a virus in a limited population > will either make its hosts immune, or destroy the population. Even in > open population, a virus must have a long incubation period and slow > replication in order to be successful (that is, replicate and spread). Point taken. A virus, since it _does_ act in the system as non-invasively as possible (beyond spreading its "genetic code" wherever possible) will be fairly successful. Subtlety pays off. Of course, these viruses are much like the HIV will eventually kill the host... - -- John R. Campbell ...!uunet!lgnp1!penrij!soup (soup@penrij.LS.COM) "In /dev/null no one can hear you scream" ------------------------------ Date: Fri, 05 Jan 90 07:57:45 -0500 From: V2002A@TEMPLEVM.BITNET Subject: Gatekeeper Privileges (MAC) Hi, Before I install Gatekeeper, I was wondering if anyone knows the set of privileges required by the TextPac and PublishPac software. We are using a Dest page scanner in our public access lab. The device is configured SCSI in order to talk to the MAC II so I think I'm correct in assuming that in order to scan text and pictures the software will need to do all sorts of low level stuff. Anyone else out there with Gatekeeper and a Dest scanner installed? Andy Wing Senior Analyst Temple University School of Medicine ------------------------------ Date: Fri, 05 Jan 90 09:28:30 -0500 From: Jeff_Spitulnik@um.cc.umich.edu Subject: Questioning ethics at computing sites I write this commentary on ethical issues concerning the dissemination of information about the existence of viruses and how to get rid of them as both an employee of the University of Michigan and as a concerned member of the UM community. The following scenario describes the events leading up to my questioning the ethicality of the procedures (or more appropriately, the lack of procedures) here. Finally, I ask for comments and suggestions (e.g. how informing the public is done at your institution) with hopes that the UM policy makers are listening. I recently joined the ranks of the many computer experts employed at the University of Michigan. About 1 month after I started working here, I became familiar enough with downloading Mac files from a public file to notice that there was a new version of Disinfectant. I downloaded it and noticed the report of the WDEF virus. I checked my personal disks as well as the school owned disks in my public lab --- all were infected with the WDEF virus. I sent an e-mail message to the online_help people (most of which are student "consultants"), asking them what was to be done. It was apparent from the response, that the virus had been here such a short time (a few days?) that no one was doing anything yet. I expected a public announcement of some sort informing users that they may be infected and that they run the risk of being infected when they use the UM public facilities. No announcement was made. Furthermore, as a specialist employed to preside over a public computing facility (most of the computers are Macs), I expected to be both informed that there was a new virus as well as instructed what to do about it I heard nothing. Two weeks after the WDEF virus hit UM, most users were still not aware of it. I sent an e-mail message to my most immediate contact in the Information Technology Division expressing my concerns. "Shouldn't the public be informed," I asked. I expected a response from him and hoped that he would forward the message on to the appropriate policy makers if he was not in the position to deal with it himself. I have not received a response to my message nor have I heard any public mention of the WDEF virus. Users continue to infect the disks in my lab and be infected by the disks in my lab and, as far as I know, other public facilities at the Universtiy of Michigan. The virus persists here. What should be done to rid UM of the WDEF virus or of any virus for that matter? How does the bureaucracy at your institution handle it? I question the ethicality of a laissez-faire attitude on viruses at any institution. Jeff Spitulnik ------------------------------ Date: Fri, 05 Jan 90 12:13:27 +0000 From: frisk@rhi.hi.is (Fridrik Skulason) Subject: The Amstrad virus (PC) I mentioned the Amstrad virus in a recent posting, saying that "..it has nothing to do with Amstrad computers...". It now appears that it does. The original (unmodified) version of the virus contains an advertisement for Amstrad computers. This text was replaced by a short message to John McAfee, when the virus was first uploaded to HomeBase. The name appearing in my original note about the virus is therefore not the name of the author, but instead the name of a respected professor in Portugal. - -frisk ------------------------------ Date: 04 Jan 90 19:04:45 +0000 From: briang@bari.Corp.Sun.COM (Brian Gordon) Subject: Re: Where to Get Mac Anti-Virals XRJDM@SCFVM.BITNET (Joe McMahon) writes: >Hi, Mike. > >We've set up an automatic distribution service here at Goddard. You >can sign up by sending mail containing the following text to >listserv@scfvm.gsfc.nasa.gov: > [...] Assuming this is available to those of us on usenet, not just bitnet, can you post a path to "scfvm.gsfc.nasa.gov"? It doesn't appear to be findable from my maps. Thanks. [Ed. I believe that ...!uunet!scfvm.gsfc.nasa.gov would do the trick.] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Brian G. Gordon briang@Corp.Sun.COM (if you trust exotic mailers) | | ...!sun!briangordon (if you route it yourself) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ------------------------------ Date: Fri, 05 Jan 90 18:24:23 +0000 From: 861087a@aucs.UUCP (Andreas Pikoulas) Subject: Jerusalem B problem (PC) Can someone tell me how do I get rid of the Jerusalem B virus without getting rid of the infected program too? I remember someone told me that i have to edit some specific sectors of the disk in order to deactivate the virus. Thanks in advance A n d r e a s Andreas Pikoulas| UUCP :{uunet|watmath|utai|garfield}!cs.dal.ca!aucs!861087a TOWER 410 | E-MAIL : 861087a@AcadiaU.CA WOLFVILLE-NS | Phone(voice) : (902) 542-5623 CANADA B0P 1X0 | ------- IF YOU CAN'T CONVINCE THEM, CONFUSE THEM. -------- ------------------------------ Date: 05 Jan 90 17:26:20 +0000 From: well!rsa@lll-crg.llnl.gov (RSA Data Security) Subject: Re: Authentication/Signature/Checksum Algorithms In response to Y. Radai's post: To protect against viruses, the best protection can be obtained by using a fast hashing algorithm together with an assymetric cryptosystem (like RSA). This is also by far the most cost-effective (based on compute-time) approach. A good "message digest" should be a one-way function: it should be impossible to invert the digest and it should be computationally infeasible to find two useful messages producing the same digest in any reasonable amount of time. The algorithm must read every bit of the message. Therefore, the best one is the fastest one deemed to be secure. This should not be left to individual users to develop as Jeunemann and Coppersmith, among others, have shown that this is not a trivial undertaking. Let's use Snefru and MD2 (Internet RFC 1113) as examples of good ones. The digest attached to a program or message should then be encrypted with the private half of a public-key pair. What is the computational cost of enhancing this process with public-key? Since RSA can be securely used with small public-key exponents such as 3 (see Internet RFC's 1113-1115 and/or CCITT X.509) a small number of multiplies is required to perform a public-key operation such as *signature verification*, where one decrypts an encrypted digest with the public key of the sender (and then compares it to a freshly computed digest). Therefore, the "added" computational cost of using RSA on an AT-type machine is approximately 80 milliseconds (raising a 512-bit number to 3 mod a 512 bit number) REGARDLESS of the size of the file being verified (the digest is fixed, and less than 512 bits, requiring one block exponentiation). Of course the 80 ms gets smaller on faster machines like Suns. I think anyone would agree that that is a fair tradeoff for signer identity verification. Since one "signs" files only once, this "cost" is irrelevant. The cost of verifying, over and over, is what is important. So what do you get for your milliseconds? You always know the source of the digest (and you get non-repudiation, providing an incentive to signers to make sure programs are clean before signing them). No one can change a program and recalculate the digest to spoof you. If schemes like this became widespread, the lack of signer identification would be a hole people would quickly exploit. You also get a secure way to *distribute* software over networks. Pretty hard to do if everyone "does their own thing". The Internet RFC's, if widely adopted, provide a perfect mechanism for this. Regardless of the hashing algorithm employed, there are powerful benefits available if RSA is used with it. And the computational cost is negligible. It may be true that simpler methods are adequate for some people. That determination requires a risk analysis, and people will make their own decisions. It has been shown, however, that if a system can be defeated, it will be. Certainly secure software distribution requires something more than an unprotected hash, since keys will presumably not be shared. This is where public-key has the most value. Using X9.9 is OK if (1) you trust DES (2) can live with its speed, and (3) don't need to distribute trusted software in a large network. X9.9 key management becomes a serious problem in a network like the Internet. It does have the advantage of being a standard, but it was developed for a relatively small community of wholesale banks, not large networks. Note aboput standards: RSA was named as a supported algorithm in the NIST/OSI Implementor's Workshop Agreements (for strong authentication, in the Directory SIG) of December 1989. Jim Bidzos RSA Data Security, Inc. ------------------------------ Date: 05 Jan 90 20:07:02 +0000 From: kelly@uts.amdahl.com (Kelly Goen) Subject: Re: Virus Trends (and FAXes on PCs) ras@rayssdb.ssd.ray.com (Ralph A. Shaw) writes: >Nagle@cup.portal.com says: > >> - A FAX message is a bitstream interpreted by an interpreter at >> the receving end. Could it be induced to do something interesting >> through the use of illegal bit patterns? Group III is probably too >> simple to be attacked, but group IV? Imagine a message which >> causes a FAX machine to send an extra copy of transmitted documents >> to another location. > >Something that has come to the attention of security paranoids here >lately is that some manufacturers of PC FAX boards have added a >feature that allows the FAX modem to be used as a bisync modem to >communicate with the PC directly, rather than transmitting just FAXes. > >I assume the PC would have to be running some software to enable it >and reassign the console (requiring local intervention), but a >networked PC could then prove to be a leak onto the corporate network, >(or at least, for handy distribution of the Trojan-of-the-month program). >Added to this is the promise that at least one FAXboard vendor >promises that both async and bisync modem capability will be available >in the future. - -I would have clipped more of this but this is a complex subject that merited serious consideration unlike the infamous modem virus scare of 1988.... actually while a receiving process has to be available on the machine to be infected(i.e. either the legitimate file transfer program or a masquerading process using this as a means to load further extensions of itself)...the important point to remember here is that g-3 and g-4 fax formats are from what some of techs have told me on alt.fax are internally, modified dialects of HDLC so in this case it is possible that a sufficiently sophisticated infectious process could use this as a pipeline to load further updates to code... (i.e. new ways to defeat anti-viral nostrums) I will post ISBN numbers on the protocol definitions when they finally arrive...as to whether this is a probable scenario... who knows cheers kelly p.s. AS I dont want to cause anyone unecessary worry let me remind all once again that a receiving process HAS to be on the receiving machine if it is not the legitimate File XFER program then it is illegitimate in any case....the point that I am trying to clarify that while an infectious process could use this as a conduit to an ALREADY EXISTING infected host... unless there is a way to force execution of the received code then your virus will lay dormant(i.e.nonexecutable) because of some fax type file extension on msdos...typically something like .FAX .PIC .PCX etc....get the picture??? on *nix type systems the problems faced by the theoretical COMPUTER/FAX-MODEM infectious process are simpler in some ways but require even more cooperation from receiving processes... ------------------------------ Date: Fri, 05 Jan 90 17:12:07 -0500 From: "Chris Khoury (Sari's Son)" <3XMQGAA@CMUVM.BITNET> Subject: Alternative Virus Protection (Mac) Is there any alternative virus protection, detection init/cdev besides vaccine and gatekeeper? I need to save space on my disk, so gatekeeper is too large, but vaccine does not protect me disk from the other virus's besides Scores and nVir. Any suggestions? I would prefer that the program is shareware/PD. Chris Khoury Acknowledge-To: <3XMQGAA@CMUVM> ------------------------------ Date: 03 Jan 90 22:59:29 +0000 From: ewiles@netxdev.DHL.COM (Edwin Wiles) Subject: Murray's Theorems (Was Re: Spafford's Theorems) WHMurray@DOCKMASTER.ARPA writes: > >1. The amount of damage to data and availability done by viruses to date >has been less than users do to themselves by error every day. Granted. However, self-inflicted damage is generally recognized much sooner, and is often much easier to repair. Perhaps more time consuming, but easier because the user generally needs no special tools that he does not already have . >6. The current vector for viruses is floppy disks and diskettes, not >programs. That is to say, it is the media, rather than the programs, >that are moving and being shared. This is not entirely so. There have already been cases where programs were used as Trojan Horses to initiate viral infections. Thus, the floppy is not the only vector. True, a floppy is most often used to pass the program, but that will not always be the case. Already, services like Compu$serve are used for exchange of programs. Fortunately, the sysops (at least of the amiga groups) test uploaded software before allowing general access to it. However, such testing cannot be perfect. Consider a viral vector designed not to infect anything at all until a certain date is reached, then the virus is 'quiet' until yet another date has passed. If the vector is passed only in binary form, the chances of discovering the virus before the vector has widely spread is quite small. Especially if the date that the vector starts infecting is more than 30 days in the future. Binary only distributions are quite common, especially with the advent of shareware. The catch is, the designer must make the item sufficiently usefull/interesting to get the user to download it, and then to keep using it until the infection start date has passed. If he is able to do that, it is highly likely that the designer would get greater pleasure out of praise for the inital tool! The greater danger is a designer who modifies the binary received from some other source. Modification taking less effort than ground-up design/code/test. This would even be prefered if you wished to destroy the reputation of the original tool designer! Gack! A whole new reason for paranoia! "Who?... Me?... WHAT opinions?!?" | Edwin Wiles Schedule: (n.) An ever changing nightmare. | NetExpress, Inc. ...!{hadron,sundc,pyrdc,uunet}!netxcom!ewiles | 1953 Gallows Rd. Suite 300 ewiles@iad-nxe.global-mis.DHL.COM | Vienna, VA 22182 ------------------------------ Date: 07 Jan 90 19:46:35 +0000 From: gford%nunki.usc.edu@usc.edu (Greg Ford) Subject: Implied Loader 'Pack' Virus (Mac) Does anyone know what this is? Last night, while using SUM's Tune-up option to clean up my HD, a dialog box popped up from GateKeeper Aid saying "Gatekeeper Aid has found and removed the Implied Loader 'Pack' virus from the PIC file on the Games Disk". (Games disk being one of my partitions). When I clicked ok in the dialog box, the dialog immediately reappeared with the same message. It took about 30 clicks in the ok box for the dialog to go away (reappearing everytime). On top of all that, there is no file called PIC on my HD. Any clues? It said it removed it, so I'm not worried, but I haven't heard of this "virus". If one of you virus-basher guys need to check this virus out, I can rummage through my backup (which I had just done before) to try and find it. Greg ******************************************************************************* * Greg Ford GEnie: G.FORD3 * * University of Southern California Internet: gford%nunki.usc.edu@usc.edu * ******************************************************************************* ------------------------------ Date: 07 Jan 90 03:38:01 +0000 From: woody@rpp386.cactus.org (Woodrow Baker) Subject: Re: Virus Trends (and FAXes on PCs) Nagle@cup.portal.com says: > - A FAX message is a bitstream interpreted by an interpreter at > the receving end. Could it be induced to do something interesting > through the use of illegal bit patterns? Now that hard disks are available on Postscript printers, We have another problem.. It is concievable to embed a virus, or a trojan in a font. If the font were encrypted, it would be mighty hard to hunt the virus down. It could convievably alter fonts on the hard disk, screw up font chache images, and or plain crash the hard disk. It would, however be difficult for it to infect other systems, unless one retrieves a contaminated file and sends it to another laser printer. The potential for abuse also exists in prolouges. I have not seen or heard of one yet, but now is the time to give some thought to how to prevent them BEFORE they start getting out of hand. Cheers Woody p.s. Some of the new VIDEO cypherrs are viruses of a sort. They play with the signal to screw-up VCR's. Messing with the Automatic Gain control among other things. If some one manages to overcome them, and make a copy of the tape, the messed up signal could sort of take on viral properties, though they would not do any damage. ------------------------------ Date: 07 Jan 90 04:18:00 +0000 From: clear@actrix.co.nz (Charlie Lear) Subject: Re: Viruses Rhyme And Reason Bill.Weston@f12.n376.z1.FIDONET.ORG (Bill Weston) writes: >I'm not sure that writing viruses will ever stop. > >Ross Greenberg wrote perhaps the best psychological profile of the >"virus programmer" that I have ever read. (It's in the docs of >FLUSHOT, you've all read it...) > > The virus writer likes causing damange. He thinks it's funny and makes him >feel powerful. > To this day, tha STONED virus still infects thousands of systems all over the >world. (Poorly written as it is..) > >The target of many virus writers are the millions of PC users who don't know >much about computers. The novice user, or perhaps the user who knows how to >run programs but does not know much about DOS, is the primary mark. A friend >of mine was just such a person. Less than 20 days after buying his PC he was >hit by the STONED virus. He did not know how to protect himself. Lots of >grins for the programmer. One day, you'll actually write something you know something about, Bill... 8-) The schoolkid who wrote the Stoned virus did it on a dare from an Amiga owner who was suffering from the first effects of the SCA virus. It was believed *impossible* by the "experts" for a PC virus to be written, so he went ahead and wrote a simple, non-destructive bsv on a standard XT. Having written it, the consequences of unleashing it became a bit much to think about, so he made sure all copies were destroyed bar one which he kept at his house. Despite being under lock and key, his little brother and a couple of his friends thought it would be a huge joke to steal the disk and deliberately infect disks in a local computer store. This was fine, but after the initial laffs it proved impossible to trace ALL infected disks and the STONED epidemic was born. Since then, the programmer has lived a very cloistered, paranoic life. Huge publicity has done nothing to help his studies or his state of mind, even though his identity has not been publicly revealed. The last burst of publicity was later discovered to be a protection mechanism for the guy, although front page coverage on a capital city daily is bizarre protection. It seems that after the "blue" side in an Australian army exercise deliberately infected "red" side computers with the virus to gain military advantage, certain people in certain security organisations wished to interview the man who wrote Stoned. The press coverage allegedly stopped a kidnap attempt in its tracks - the threat of a full diplomatic incident was too much for the Aussies and they went home. Of course, I have no documentary proof of the above as anyone connected with the writing or dissemination of a virus would be stupid to write anything down. I believe I have just illustrated how an "innocent" prove-it-can-be-done scenario can turn unbelievably bad. Is it really the programmers fault that the virus does not damage 360k floppies or 20meg XT disks, and only becomes a danger when used on large capacity floppies or big hard disks? He had no access to, or knowledge of, such hardware when he wrote it... - -- Charlie "The Bear" Lear: Call The Cave BBS, 64(4)643429 157MB Online! Snail: P.O. Box 12-175, Thorndon, Wellington, New Zealand ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253