Subject: VIRUS-L Digest V3 #105
From: VIRUS-L@IBM1.CC.Lehigh.EDU

VIRUS-L Digest   Friday, 1 Jun 1990    Volume 3 : Issue 105

Today's Topics:

getting a list of all LISTSERV groups
Mac virus alert vendor product (forwarded) (Mac)
Re: File transfer of software--A way to curb commercial infections?
Re: Military Viruses
write-protection viruses
Legal aid for hackers?
help against virus needed (PC)
Re: Does write-protection work? ...for Mac

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date:    Thu, 31 May 90 13:30:52 -0500
From:    "Mark R. Williamson"
Subject: getting a list of all LISTSERV groups

On Thu, 31 May 90 13:52:08 EDT you said:
>VIRUS-L Digest   Thursday, 31 May 1990    Volume 3 : Issue 104
...
>I don't know whether either a GRAMMAR-L or a LATIN-L exist. The
>LISTSERV@BITNIC would be a good source to check, however. Send mail
>to it stating "LIST", and it will send you a *big* list of lists.]

That's the _small_ list of lists handled directly by LISTSERV@BITNIC. For the *BIG* list of lists handled by _all_ LISTSERVs, send the command "LIST GLOBAL". It's >2000 lines long!

Just for your information.

Mark R. Williamson, Rice University, Houston, TX; MARK@RICEVM1.RICE.EDU
- ------------------------- MARK@RICEVM1 on BITNET ------------------------------

------------------------------

Date:    Thu, 31 May 90 14:22:40 -0700
From:    rogers@marlin.nosc.mil (Rollo D. Rogers)
Subject: Mac virus alert vendor product (forwarded) (Mac)

Original-From: CAH0@bunny.gte.com (Chuck Hoffman)
Original-Newsgroups: comp.sys.mac,comp.sys.mac.programmer
Original-Subject: ALERT about VIRUS in vendor-distributed product
Original-Date: 31 May 90 18:30:43 GMT

On May 25, I received the Diskworld diskette for May from Softdisk Publishing in Shreveport, Louisiana. I run Virex 2.6 (among others) which intercepted the mount of the diskette and gave me a warning that the diskette has a known strain of the WDEF virus. Naturally, I chose the "Eject" option of Virex, so the mount never was completed.

WDEF is simple, but difficult. Simple in that it lives in the invisible desktop file of each disk or diskette. So it can be eliminated by rebuilding the desktop file by holding down the command and option keys during the mount (or during startup, for an internal hard disk or SCSI). Difficult for the same reason. The gurus tell us that, if you are unaware of the virus, by the time you see the diskette icon on your desktop display, ALL the other disks (including internal and attached SCSI) will already have been infected. I did a controlled experiment of my own a few months ago, and found that this was true.

I called Softdisk Publishing to report my experience, and spoke with a woman who said they already knew of the virus problem. She suggested that I simply reinsert the disk while holding down the command and option keys to rebuild the desktop file, but I asked her to send me a clean copy of the diskette instead.

Lesson? "Doesn't matter if the box is snazzy. Use virus detectors to protect your azzy."

- -Chuck

- - Chuck Hoffman, GTE Laboratories, Inc.
cah0@bunny.gte.com
Telephone (U.S.A.)
617-466-2131
GTE VoiceNet: 679-2131
GTE Telemail: C.HOFFMAN

------------------------------

Date:    Thu, 31 May 90 11:32:14 -0500
From:    gary@sci34hub.sci.com (Gary Heston)
Subject: Re: File transfer of software--A way to curb commercial infections?

ctycal!ingoldsb@uunet.UU.NET (Terry Ingoldsby) writes:
> I've always felt that networks are less likely to transmit viruses
> than floppy disks because it is more likely that the culprit will be
> caught. I grant that games can be played with the signatures, etc.,
> but chances are that some sort of log files are kept by the system
> administrators about what came in, and when. Although difficult, in a
> crisis there is at least some hope that the dissemination path used by
> the virus can be discovered. Although not foolproof, this should act
> as somewhat of a deterrent to virus writers.

Due to a company policy (which I disagree with), I am not able to discuss any infections which may or may not have occurred here. Consequently, if I have any real examples, I can't cite them.

Networks can propagate a virus thru several avenues, particularly if the netadmin is inexperienced and hasn't quite got file protections for network executables set correctly. If user Fred logs in to a network, works a while, and runs an infected game during lunch without rebooting (whether from a local hard drive or floppy), the virus will try to infect the next program executed via the net. If user Barney, who carefully logs off during lunch, logs back in and runs the infected program, it will try to infect Barney's local drives as well (it should have already gotten established on Fred's). Now, we have a logfile that shows Fred, Barney, and 30 other users ran this particular piece of software, at various times during the day, and probably more than once. What points to the infection source?

If there are any publicly writeable areas where users can put executables, there is an even larger gaping hole an infection can enter thru.
(Users like to have these types of areas.) This can be controlled somewhat by the netadmin getting the setup correct; however, this is a somewhat optimistic hope in view of the complexity of network software and the limited training new admins get (I'm trying to learn Novell right now; the company decided nobody needs to go to seminars for anything). It's difficult to track down a security hole when the boss is asking hourly "Why isn't the network up yet?".

The possibility of installing infected shrink-wrap software is also a big hazard now; people who thought they were safe by prohibiting public domain or shareware aren't.

I think the biggest thing that can and must be done is education. Admins need it, users need it, and managers need it. Training users to check software before they run it, scan their drive periodically, and recognize early signs of infection is necessary. Training admins to check EVERY piece of software prior to installation, no matter how many layers of plastic it was (or wasn't) wrapped in, along with safe setups. Teaching management that this really is necessary, not just a waste of resources, and you really do need that many tapes for backups. Etc.

> Floppy disks are almost untraceable since they carry *no* copy history,
> *no* history of what machines they visited and almost no means of
> identifying the offender.

True. However, the person holding it can explain why they were running the software without checking it....

> Terry Ingoldsby                  ctycal!ingoldsb@calgary.UUCP
> Land Information Services                   or
> The City of Calgary         ...{alberta,ubc-cs,utai}!calgary!ctycal!ingoldsb

Incidentally, the stated reason for the do-not-discuss policy was to prevent stock price manipulation. I still disagree; I don't think an infection report would affect a stock price more than a few cents, if at all. I didn't win the argument, though.

- --
Gary Heston    { uunet!sci34hub!gary  }    System Mismanager
SCI Technology, Inc.
OEM Products Department  (i.e., computers)
"I think, therefore, !PANIC! illegal protected mode access attempt
Memory fault: core dumped

------------------------------

Date:    Thu, 31 May 90 22:35:20 -0500
From:    davidbrierley@lynx.northeastern.edu
Subject: Re: Military Viruses

I posted Jim Vavrina's posting regarding the Military Virus story (Virus-L Volume: 3 Issue: 93) to the RISKS forum (Volume 9 Number 92), where the matter was being discussed as well. In the following issue of RISKS (Volume: 9 Number: 93) Rory J. O'Connor of the San Jose Mercury News, the author of the article that started the discussion, posted his response to Mr. Vavrina. That response, excerpted from RISKS 9.93, follows:

------------------------------------------------------------------------
Reply-to: risks@CSL.SRI.com
RISKS-LIST: RISKS-FORUM Digest   Monday 21 May 1990   Volume 9 : Issue 93

------------------------------

Date: Sun, 20 May 90 14:25:39 PDT
From: rjoconnor@cdp.uucp (Rory J. O'Connor)
Subject: Military Computer Virus Contract (RISKS-9.92)

I'm the reporter at the San Jose Mercury News who wrote the story on the Army's SBIR proposal regarding computer viruses. I feel I must respond to the charge made by Mr. Jim Vavrina of the Army Information Systems Software Center that I mis-identified myself while researching the story.

That assertion is false. At all times, as is standard practice among professional journalists, I made it clear to everyone I called or interviewed that I was a newspaper reporter working on a story about this proposal.

When I reached a woman named Joyce Crisci at Ft. Monmouth, NJ, who identified herself as the project administrator, I identified myself as a reporter. When she attempted to tell me how to apply for the available funds, I felt she might have failed to understand that, so I again told her I was a reporter working on a story for my newspaper.
She then answered most of my questions, but made it clear she would not discuss any technical details nor provide me with the names of the engineers who had written the project. The reason, she said, was that if such information appeared in my story, it could prejudice the bidding process.

Indeed, at the conclusion of our interview, she verified the spelling of her name and gave me her (rather complicated) mailing address and requested I send her a copy of the article when it appeared in the newspaper.

I'm sorry Mr. Vavrina never called me to ask my side of the story about this interview. If Mr. Vavrina thinks my story about the virus was in some way factually incorrect, or did not fully describe the Army's project or reasoning, I'd be happy to talk to him about it. I can be reached at (408) 920-5019, or at MCI Mail mailbox 361-2192, or at the San Jose Mercury News, 750 Ridder Park Drive, San Jose, CA 95190.

Anyone else who would like to discuss this story, or the topic of computer viruses in general, may also contact me there.

Rory J. O'Connor, Computing Editor, San Jose Mercury News

------------------------------

------------------------------

Date:    Thu, 31 May 90 21:13:27 -0400
From:    simsong@next.cambridge.ma.us (Simson L. Garfinkel)
Subject: write-protection viruses

Write protection on the Apple II computer is done in software; on this machine a virus could overcome write-protection on a floppy disk. I once used a program that "degaussed" a floppy disk in 15 seconds or so on the Apple II, even if the floppy disk was write protected.

------------------------------

Date:    Fri, 01 Jun 90 08:05:30 -0400
From:    NZPAM001@SIVM.BITNET
Subject: Legal aid for hackers?

I'm sending along the following from yesterday's Washington Post. I'd like to know Cliff Stoll's (The Cuckoo's Egg) reaction!!
The Washington Post, Business Section, May 31, 1990
By Willie Schatz

Mitchell Kapor, inventor of Lotus 1-2-3, the world's most popular financial software package, is considering backing a national effort to defend computer hackers against prosecutions resulting from Operation Sun Devil, a two-year Secret Service investigation of potential computer fraud.

Operation Sun Devil was disclosed early this month by the Secret Service, which conducted 27 searches of suspected hackers' homes and offices, confiscating 23,000 computer disks and 40 computer systems. There have been three arrests thus far.

The Secret Service said the hackers who were the target of the probe are individuals who had gained unauthorized access to company computer systems--including one at American Telephone & Telegraph Co.--or had stolen and distributed software programs that belonged to major corporations.

In an interview from the Cambridge, Mass., headquarters of his new company, ON Technology, Inc., Kapor said he thinks the government probe is misdirected. He said it is damaging technological innovation and dissemination of information through the ubiquitous electronic message networks called bulletin boards that are the hackers' prime method of communication. Kapor intends to announce tomorrow whether he will pay for all or part of the hackers' legal defense.

"It's plausible that there's a witch hunt going on," Kapor said. "I'm concerned that hackers' civil liberties are being violated [by the Secret Service]. I'm concerned these kids--which is mostly what hackers are--aren't getting a fair shake in the legal system. They don't have access to legal counsel that would let them adequately defend their rights."

Sources said Kapor is reviewing a proposal he received yesterday from two law firms that asks him to help finance a $200,000 hackers' legal defense fund. Lawyers involved in the matter plan to provide much of their legal work free.
The proposal before Kapor also includes a program to lobby Congress to change the computer fraud law and a public education campaign about hackers.

"Sun Devil gives me a funny feeling in the pit of my stomach," Kapor said. "There's an incongruence between the language of the Secret Service and the acts and attitudes of hackers. I understand and know that [hackers'] kind of mentality. You don't want to use an A-bomb to kill a fly. There has to be an appropriate response and understanding of what's at issue. I'm lacking confidence that that's there."

Earlier this month, Garry J. Jenkins, assistant director of the Secret Service, said Operation Sun Devil revealed that an "alarming number of young people" exploit computers through credit card fraud, unlawful placement of free long-distance phone calls and other criminal activities.

In an interview, Dale Boll, an assistant special agent in charge of the Secret Service's fraud division, defended the government probe.

"We have not declared war," Boll said. "Computer crime is a serious offense, but we don't overreact. There's no tendency for overkill. We were given these laws to enforce and we're doing the best we can. We prefer to work more hardened criminals. The government didn't prosecute hackers when they were juveniles. But now they're growing up and doing more serious things."

The damage from the government's aggressive law enforcement efforts, according to Kapor, is a "chilling effect" on the flow of information among computer designers and programmers. Kapor contends that if the people responsible for operating computer bulletin boards are held responsible for information posted on their boards, hackers will stop using the boards.

"It's a gigantic social experiment in progress," Kapor said. If the government "cuts it off at the knees by inappropriately ruling [that the bulletin board operators are guilty of fraud], they're cutting off their own future."
John Barlow, a dedicated hacker and a lyricist for The Grateful Dead band, said he already is committed to financing the hackers' cause.

"I'm going to chip in to secure them legal counsel and so is Mitch," Barlow said from his home in Pinedale, Wyo. "I'm sure the [Secret Service's] assault is having an effect. It's turning mischievous kids into high-tech criminals. These hackers are explorers, not criminals or vandals. They're exploring a new information frontier. It's a reincarnation of what happened with the settling of the Old West, only in the computer sphere."

Government officials have a different view.

"Many computer hacker suspects are no longer misguided teenagers mischievously playing games with their computers in the bedroom," the Secret Service's Jenkins said. "...We will continue to investigate aggressively those crimes which threaten to disrupt our nation's business and government services."

------------------------------

Date:    Fri, 01 Jun 90 17:45:17 +0700
From:    GUNNAR RADONS
Subject: help against virus needed (PC)

hi pple,

It looks as if we have been hit by a virus. As far as I could find out from the people who reported the problems to me, the normal behaviour seems to hinder programs from running properly. Programs that ran fine before suddenly don't find subroutines or other things, but will run ok after they've been restarted. Also the virus once showed the contents of the disk directory as subdirectories which repeated on and on. A later look did not show any subdir. Also checking after rebooting didn't show any additional subdirs.

The same problems were reported from another institute here a few weeks ago. It might be that the virus hooks itself into some free space of the command.com, but this is a pure guess right now.

If this sounds familiar to you and if you know a way to find the virus to cure the programs, please let me know. Send your comments to s46 at dhdurz1 please.
==============
Bye, Gunnar Radons

------------------------------

Date:    Fri, 01 Jun 90 17:58:48 +0000
From:    minich@d.cs.okstate.edu (Robert Minich)
Subject: Re: Does write-protection work? ...for Mac

USERASSJ@LNCC.BITNET (Alberto Sulaiman Sade Junior) writes:
| SOME TIME AGO I READ THAT IT IS POSSIBLE FOR A VIRUS TO INFECT A DISKETTE
| PHYSICALLY PROTECTED. I KNOW IT IS AN OLD DISCUSSION BUT IS IT REALLY
| POSSIBLE ?
|
| [Ed. Yes, this discussion has come up a few times before. After much
| heated discussion, the consensus was that (on a PC), the write
| protection is implemented by hardware in the floppy disk drive
| (according to the IBM Tech. Ref. schematics). At least in the case of
| PCs, I urge us to consider this matter closed unless someone can come
| up with conclusive proof to the contrary (i.e., send me a piece of
| source code that proves it).]

Let me add that all Macintoshes implement write protection for floppies through a hardware mechanism.

- --
| _ /|    | Robert Minich             |
| \'o.O'  | Oklahoma State University |
| =(___)= | minich@a.cs.okstate.edu   |
|    U    | - Bill sez "Ackphtth"     |

------------------------------

End of VIRUS-L Digest [Volume 3 Issue 105]
******************************************
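Editor's added example, appended after the digest and not part of any post above: Gary Heston's message asks what a server log that merely shows Fred, Barney and 30 others running a shared executable can tell you about the infection source. The answer is very little on its own; the script below (all user names, times and checksums are constructed placeholders) shows how pairing that log with periodic checksums of the shared executable narrows the candidates to the users who ran it between the last clean snapshot and the first changed one, with the earliest of them the most likely carrier.

```python
from datetime import datetime
# Constructed sample data (not from the digest): a file server's log of which
# user launched which shared executable, and when.
EXEC_LOG = """\
1990-05-31 08:02 fred   WP.EXE
1990-05-31 08:15 barney WP.EXE
1990-05-31 11:05 betty  WP.EXE
1990-05-31 12:45 fred   WP.EXE
1990-05-31 13:05 barney WP.EXE
1990-05-31 13:30 wilma  WP.EXE
1990-05-31 15:10 dino   WP.EXE
"""
# Constructed integrity snapshots: a periodic job records a checksum of each
# shared executable (checksum values are placeholders, not real hashes).
SNAPSHOTS = """\
1990-05-31 09:00 WP.EXE a1a1
1990-05-31 12:00 WP.EXE a1a1
1990-05-31 14:00 WP.EXE b2b2
1990-05-31 09:00 DB.EXE c3c3
1990-05-31 14:00 DB.EXE c3c3
"""

def _parse(text):
    """Return (timestamp, field, field) tuples from either file, oldest first."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M")
        rows.append((ts, parts[2], parts[3]))
    return sorted(rows)

def users_who_ran(program, log=EXEC_LOG):
    """What the raw log alone tells you: everyone who ever ran the program."""
    return sorted({user for _, user, prog in _parse(log) if prog == program})

def infection_window(program, snapshots=SNAPSHOTS):
    """(last_clean, first_changed) snapshot times, or None if the checksum never changed."""
    seen = [(ts, csum) for ts, prog, csum in _parse(snapshots) if prog == program]
    for (t0, c0), (t1, c1) in zip(seen, seen[1:]):
        if c0 != c1:
            return t0, t1
    return None

def candidate_carriers(program, log=EXEC_LOG, snapshots=SNAPSHOTS):
    """Users who ran the program between the last clean and first changed
    snapshot, in execution order; the earliest most likely carried it in."""
    window = infection_window(program, snapshots)
    if window is None:
        return []
    last_clean, first_changed = window
    return [user for ts, user, prog in _parse(log)
            if prog == program and last_clean < ts <= first_changed]
```

With the constructed data, the log alone implicates five users, while the checksum window cuts that to three and puts fred first; the shorter the snapshot interval, the tighter the window.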