[1356] (558 lines) Network_Server.Daemon 06/14/90 1329.7 edt Thu VIRUS-L Subject: VIRUS-L Digest V3 #113 From: VIRUS-L@IBM1.CC.Lehigh.EDU VIRUS-L Digest Thursday, 14 Jun 1990 Volume 3 : Issue 113 Today's Topics: re: - Viruses and Solutions (PC?) Re: First jailed UK computer hacker Anti-viral philosophies Re: Hardware security Re: Hardware protection RE: Documented mainframe attacks (IBM Mainframe) Re: Possible virus (PC) need virus-l undigestifier for PC or MAC New Stoned Virus Strains and Killer Available (PC) George of the Jungle: Not to worry? (Mac) Password Standards Checking UnVirus 9.02 (PC) Is This a Virus? (PC) Re: - Virus's and Solutions VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: 12 Jun 90 12:06:04 -0400 From: "David.M.Chess" Subject: re: - Viruses and Solutions (PC?) Azim Syed : > q2. Virus lives in memory when you put system off you can't get rod > off it, It will go to clock ROM chip!! Is there any solution other > than disconnecting battery?? I've never seen such a virus, although people like to talk about the possibility. It seems very very unlikely to me; at least in IBM-supplied systems, the clock memory (battery-supplied CMOS RAM, not ROM), is very small, and is in the I/O space, not the memory space. There's nothing in the system that will execute code stored there, even if there were room for a virus. So I wouldn't worry about it too hard, myself! Of course, if you have a file that you think actually contains such a virus, I'd be very interested to see it. But rumors are only worth what they cost... DC ------------------------------ Date: Tue, 12 Jun 90 15:56:15 +0000 From: UQAK940@MVS.ULCC.AC.UK Subject: Re: First jailed UK computer hacker "The Times" of London carried the following report on Friday, 9th June 1990 Headline: Prison for "mad hacker" >A teenage computer hacker who broke into university systems and destroyed >vast amounts of material was yesterday jailed for four months. Nicholas, >Whitely now aged 21, called himself "the mad hacker" and waged his six-month >war in 1988 from a home computer in his bedroom. What purpose is served by sending Whiteley to prison for 4 months or for 1 year? He will now be locked with two other inmates in a cell designed for one person for a substantial majority of the day at one of Her Majesty's Universities of Crime. What should we expect him to do except pass on his rare skills to other felons? Why was there no Community Service Order which would have obliged him to spend all his spare time undertaking positive actions to the society which he had damaged? Once free from gaol he will have all the time in the world ... to continue hacking. Why were the prosecution denied their request for costs? Since it appears Whiteley can return to work at the Opera, a weekly decuction towards costs (although no more than a flea-bite towards the actual costs) would seem in order. I'm not sure about confiscating his computer - but I can understand the argument. On the surface it does not seem to be a brilliant day for the British judiciary. Perhaps the judge thinks that hacking has something to do with riding horses ... Ian Leitch Head of Computing Services London School of Hygiene and Tropical Medicine ------------------------------ Date: Tue, 12 Jun 90 13:39:05 -0400 From: padgett%tccslr.dnet@UVS1.orl.mmc.com (A. Padgett Peterson) Subject: Anti-viral philosophies > Like to get some opinions on this one. If you could only get >one program for your pc/pc-xt/pc-at or clone, what would it be? This is a question that keeps coming up and while I agree that McAfee's products are the best for someone who knows what they are doing, they are not products that are suitable for environments with vast numbers of PCs and semi-educated users, rather they are ones that the technicians should use as part of their toolkits to diagnose & repair problems. There are several reasons for this: 1) Can you imagine trying to install monthly updates on 5000 PCs. If you can, where do you get funding for the diskettes/labour ? 2) These utilities require a fair amount of knowlege to use e.g. use of the /d option will erase infected files that might be copy protected/install once programs while not using /M or /A may miss some infections. 3) Indescriminant use will wipe out any hope of determining the infection vector. What I prefer is a package that resides in the background of the user's PC and reports any change to the environment with no appreciable hit to performance (SCAN can take over ten minutes to process a 40 Mb disk now and if LZEXE-type compression is used can extend this materially). Such a package should be able to check the environment that exists when invoked (to catch boot sector infectors & previous infections), should flag immediately an attempt to run an "unknown" program, maintain signatures of "approved" executables, and create an audit trail for any changes. This would require three classes of machine: 1) Restricted: can run only files currently on system. 2) Privileged: can add files to system, runs new files after authentication. 3) Development: can run new files from certain drives/directories without authentication. Not that none of this requires authentication of the user, there are many other products that will do this, rather it allows execution only of authenticated files in an authenticated system. Should a deviation occur, the event is flagged on the screen and a menu is presented depending on class. When an event occurs that indicates an unauthorized change has taken place, then is the time for a tech to come out with SCAN and other tools to determine what has happened, all the resident tool is required to do is to determine that SOMETHING unauthorized has happened. Note that no attempt is made to block any specific malicious software, rather ALL un-authenticated software is treated as suspect. Additionally, if a virus is passed, a trail is created and detection of an environmental change is flagged. It would seem that most of the advanced anti-viral researchers, being "power-users" have developed single-stage tools for their individual needs, not the for corporate/govenmental/educational environment that is better served by multi-stage tool sets. There are a few such tools available, but they are in the minority. ------------------------------ Date: Tue, 12 Jun 90 14:00:08 -0400 From: Valdis Kletnieks Subject: Re: Hardware security >There!!! In less than two minutes in your office, I can steal >confidential files off your hard drive that you THOUGHT were protected >by hardware protection. Actually, I don't lock my office.. we have those 5 foot high partitions around here. But anyhow - a moment's though shows that leaving the door *OPEN* may be more secure - if everybody EXPECTS the office to be empty and locked, nobody will check - but if it's supposed to be empty and the door open, the case of 'door open and guy kneeling in plain sight ripping open my PS/2' is pretty obvious to the other programmers walking by..... My point was: If you have enough time to get into my office and pop the covers, you could walk out with all of the following: The ethernet board, the 8514 driver board, the 8M memory board, the hard disk controller, and the 300M hard disk. Pop the boards, put them into your pocket, drive goes under your jacket. You've just walked off with all my confidential files, plus a lot of nice hardware. Decode the files at home at your leisure. Of course, if I was gonna go this far, I'd just dress like a deliveryman, bring in a dolly, put the PS/2 on it, put a cardboard box over it, and take the whole damned thing.... I repeat - if the enemy can physically walk off with it, it doesn't MATTER if there's some silly-ass battery-backup password on it - they'll have all weekend to poke at it on their workbench. >From all accounts I've heard, the major problem with PC's in public-access terminal rooms is *not* people opening them up and sabotaging them, but people figuring out how to unbolt them from the table and walking away with the whole machine... Physical security is nice - let's just make sure we're defending against the right problem... Valdis Kletnieks ------------------------------ Date: Tue, 12 Jun 90 15:01:17 -0400 From: padgett%tccslr.dnet@UVS1.orl.mmc.com (A. Padgett Peterson) Subject: Re: Hardware protection G. L Warner writes: >From: >What is the point of having hardware protection if it is so easy to defeat! The following is a posting made in reference to the "boot from floppy vs hard disk" conflict with reguard to viruses. I feel that it has use here: To me, the most secure method would be a boot from a protected floppy that initiates the checking/authentication routine before leaving the floppy (realize that I avoid hardware approaches which though better involve $$$. Floppies are cheap). The next level would use a non-DOS hard disk only accessable with a special device driver only on the floppy (multiple backups are a good idea). Seagate's DM program for formatting disks permits this and is easy to obtain. This way, even if someone booted from another floppy, the hard disk would not be accessable. Beyond this, we get into any number of encryption schemes (no Aryeh, EBCDIC is not encrytion) possible purely with software - as long as the key is kept on the boot floppy, it is difficult to extract any data even if the entire disk is stolen (and I have seen a few instances of this). About now, the subject of ROM passwords usually comes up. Unfortunately, all that I have seen (Compaq, PS/20, etc) provide some form of maintenance retrieval that negates the purpose. Some are even trivial (reversing a plug or popping a connection) for anyone with physical access. Consequently, if the disk requires physical protection, the best safeguard is removing and locking up the disk. If not, floppy-booting with software protection is enough for the job. Anything else is a compromise. ------------------------------ Date: Tue, 12 Jun 90 17:49:40 -0400 From: Arthur Gutowski Subject: RE: Documented mainframe attacks (IBM Mainframe) >From: peter@ficc.ferranti.com (Peter da Silva) > >I don't know about the others, but the XMAS was a trojan horse worm, RTMwas >a directly attacking worm, and the WANK worm was on VAX/VMS, not UNIX. > >All of these, I believe, used network utilities and mail programs to infect >hosts. I thought that the Unix worms spread similarly to the VM worms. Yes, XMAS was really a trojan worm, I wasn't careful on my wording, and I wasn't sure if they behaved like RTM or Wank. As a matter of fact, the BUL, 4PLAY, and HEADACHE were more or less XMAS clones. >From: "David F. Lambert" > >>From: Arthur Gutowski >>... >>Three, make sure your operations and tech support staff monitor things >>like (on VM) spool space filling up with a certain filename, perhaps even >>setting up filters in RSCS to reject all such files (when a confirmed report >>is received). ... > >I just saw an IBM announcement a week or two ago which mentioned free >security enhancements for RSCS. Several of these features looked >pretty useless, except for one which provides the file filter >mentioned above. That seems like a useful hunk of code to help nip >things quickly. I think we found out about it sometime around the XMAS attack because we asked IBM directly...evidently there's been enough interest to make it available. It can be useful, but care must be taken not to abuse it-- that's why I stressed "when a confirmed report of a VM worm is received." /art PS> IBM == I've Been Moved ------------------------------ Date: 12 Jun 90 23:22:33 +0000 From: rschmidt@silver.ucs.indiana.edu (roy schmidt) Subject: Re: Possible virus (PC) woody@chinacat.Unicom.COM (Woody Baker @ Eagle Signal) writes: >This sounds like one of the 4.01 bugs. DON'T EVEN LET dos 4.X NEAR a >machine. It causes all kinds of strange problems. I have a long >string of friends and aquaintances who have tried it, and have had to >go back to dos 3.x for reliablity. The technical reasons for this are >many and varied, but the major culprit seems to be the 32 bit fat >table. Some of the function calls have been modified. Specificaly, >some of the older calls did not specify the contents ofthe CX register >pair. Under DOS 4.01 the CX register pair is checked for a specific >value, to enable 32 bit fat stuff. Since this was not a requirement >that CX have anything in it, some programs use it for a counter etc. >etc. These programs can crash bigtime in certain cases. DON'T USE >DOS 4.X Really, now! I've been running DOS4.01 for over a year now, without a hitch. It would be interesting to see which programs your friends have had problems with, as I have run all the major business programs and a number of games without any troubles....but this conversation belongs in another group. This fella with the strange DOS version messages, etc, seems to be in the clutches of some sort of doctored code, which is doing things he did not want done, which I believe is the name of the game for this group. THIS IS NOT A DOS BUG!!! - ----------------------------------------------------------- ^ Roy Schmidt | #include | | Indiana University | /* They are _my_ thoughts, | | Graduate School of Business | and you can't have them, < > Bloomington | so there! */ X ___________________________________________________________ X ------------------------------ Date: 12 Jun 90 18:35:35 From: "Philip H. Arny" Subject: need virus-l undigestifier for PC or MAC Hi out there -- I've been printing virus-l and putting it in a binder. This is starting to seem silly, so I think I'll download the digests, run them through an "undigester" program, and load them into a textbase. So -- Is there an undigester program sitting out there? Where could I get it? Mac or PC would be fine. Philip Arny lrc1@umnhsnve lrc1@nve.hscs.umn.edu ------------------------------ Date: Wed, 13 Jun 90 14:01:00 -1200 From: Pat Cain Subject: New Stoned Virus Strains and Killer Available (PC) Recently we have discovered a new strain of the Stoned Virus. It is not detected by programs as SCAN, VBUSTER and KILLER. We believe that this virus probably hasn't spread too far, and possibly a student created it and brought it into Victoria University. We have seen various copies of this new strain with different messages, such as: "Your PC is Stoned! - version 2" "Donald Duck is a lie" and also a blanked out message. We have produced a killer "NoStone" for this new strain that detects and removes both the new and old strains. If anyone wants a copy of this, then we can send it 'uuencoded' through e-mail and we could also upload it by ftp to a PC anti-viral site if required. - --- ::: Details ::: We have disassembled the new strain and compared it against the original strain (that also seems to have come from Wellington, NZ). * If a machine is infected with the old strain, then the new strain will not infect the machine (it has code in it to ensure this). * If a machine is infected with the new strain and it then gets infected with the old strain then there are problems: The new strain is moved by the old strain onto where the new strain had stored the Master Boot Record (MBR). When this happens, there is no copy of the MBR and the next time the machine is booted the two strains continually re-load themselves reducing the memory each time until there is no memory remaining and the machine crashes. If you don't have a backup of the MBR then you are in trouble, 'NoStone' automatically saves a copy of the MBR when it is first run and detects if the hard disk has been doubly infected, and if so recovers the partition table. For anyone who is interested in this new strain, the author has made a a commented dissasembly of the new strain and has noted the differences between the two strains. He would prefer to provide this only to people who have a valid reason for requiring it (such as those who wish to change their virus killers to check for this new strain). To contact the author Simon McAuliffe, e-mail: cs102mcs@rata.vuw.ac.nz - ----------------------------------------------------------------------------- Pat Cain, cs200cap@st1.vuw.ac.nz ------------------------------ Date: Wed, 13 Jun 90 07:16:00 -0400 From: R3B@VAX5.CIT.CORNELL.EDU Subject: George of the Jungle: Not to worry? (Mac) Quote: "Is this a standard WordPerfect Icon? The person found this document in his system folder. I have a copy on floppy if anyone would care to look at it. Your document sounds like a WP Undelete File 1 (ICN#137). Since it's a temporary File it should come and go. See the manual (p.640 in mine). - ---------------------------------- Richard Howland-Bolton Manager Publications Computing Cornell University Internet: R3B@VAX5.CIT.CORNELL.EDU Compuserve: 71041,2133 Voice: (607) 255-9455 FAX: (607) 255-5684 Etc, etc. - ---------------------------------- ------------------------------ Date: Wed, 13 Jun 90 09:12:24 -0400 From: "Chuck Sechler" Subject: Password Standards Checking Some breakins to a computer at a university in Ohio has prompted us at Ohio State to look into enforcing use of more obscure passwords on our systems. I looked around on listserv groups for a security list, but could not find one. So, I am trying these lists. Basically, we want to know if there has been any work on MVS and CMS platforms, to keep users from picking obvious passwords, like their name, password same as userid, password is a word, etc. On MVS we are working on Top Secret package, and it has some interesting capabilities for restriction, including generating random passwords, when a user if forced to change their password, but it is not ready yet. Some UNIX platforms check passwords against very large lists of restricted words(like 50000 or more). Any thoughts? Should this be on a different list? ------------------------------ Date: Wed, 13 Jun 90 16:37:14 +0300 From: Y. Radai Subject: UnVirus 9.02 (PC) Every once in awhile someone posts to this list a cry of anguish like "Help, I think we've got the XXXXXX virus! What should we do?" Well, of course every regular reader of VIRUS-L knows that one can use McAfee's SCAN and CLEAN or Skulason's F-DISINF or F-FCHK, not to men- tion various commercial programs. But sometimes there's a specific request for *freeware* (often erroneously called "public domain" soft- ware). I recently sent an archive of such software, UNVIR902.ZIP, to Keith Petersen for uploading to SIMTEL20 (directory ) and to Jim Wright for uploading to other sites. This archive contains two programs by Rakavy and Mann, the virus removal program UnVirus 9.02 and the resident program Immune 9.00. UnVirus 9.02 eradicates the: Stoned (Marijuana) 4096 (Frodo) Jerusalem (1813) Ping-Pong (Bouncing Ball) Brain (Pakistani) Vienna (648) DataCrime and several other viruses. Obviously, UnVirus 9.02 can't compete with the other programs men- tioned above in number of viruses removed, but when one takes into account the *frequency* of infections by each virus, this list ac- counts for 70% of all infections (according to the report by David Chess in Issue 90). A new version of UnVirus is being developed which will detect almost as many viruses as those programs, and will be much faster than them. Preliminary tests indicate that it's twice as fast as SCAN and seven times as fast as F-FCHK. (It's possible that F-FCHK can catch more mutations of known viruses, but that remains to be tested.) Moreover, the time required by the new UnVirus is independent of the number of viruses scanned for, so its speed relative to these other programs will increase as the number of viruses increases. Y. Radai Hebrew Univ. of Jerusalem, Israel RADAI1@HBUNOS.BITNET RADAI@HUJIVMS.BITNET ------------------------------ Date: 13 Jun 90 16:29:37 +0000 From: blombardi@x102c.ess.harris.com (Bob Lombardi 44139) Subject: Is This a Virus? (PC) I've been having a wierd problem with my 386 machine that I thought I'd see if anyone had seen before. Is this a virus? After the system has been running for a while, a bad DOS command or search for a file out of the current directory will cause the system to halt and display "All data on the selected unit will be destroyed. Proceed (Y or N)?". The message comes from the BIOS prom on the hard/ flopy controller. It thinks it wants to format the hard disk. The system is a 25 MHz clone, with motherboard by PC-Calc (I think) that uses a Chips & Technologies chipset. The hard drive is a SCSI 80 Meg Seagate ST-296N with an ST-02 controller. Everything else in the system has been changed out. The OS is DOS 4.01. We have been running 4DOS (in the evaluation period), but removing it has no effect. Booting from a floppy thought to be "clean" (virus free), with nothing in either config.sys or autoexec.bat, has no effect on the problem. We have replaced the controller card, and run with every other card in the system removed. We swapped a CGA card for the VGA card. Only the motherboard (my suspicion), the hard drive and the floppy have not been swapped out. If it is a virus, it is undoubtedly on the hard disk by now. If anyone has seen anything like this, please email to me. If interest is shown, I'll post back to this newsgroup. Thanks......Bob Bob Lombardi /-/-/ |Internet: blombardi@x102c.ess.harris.com Mail Stop 102-4826 | |phone: (407) 729-6360 Harris Corporation GASD | |Packet:WB4EHS @ (temp. out of service) P.O.B. 94000, Melbourne FL 32902 |Never mistake motion for progress. ------------------------------ Date: 13 Jun 90 16:40:40 +0000 From: shim@zip.eecs.umich.edu (Sam Shim) Subject: Re: - Virus's and Solutions D03G001@SAKSU00.BITNET writes: >I have 2 questions about viruses please can some body answer?? >q2. Virus lives in memory when you put system off you can't get rod >off it, It will go to clock ROM chip!! Is there any solution other >than disconnecting battery?? I can't answer question one but I can answer question two. I know of no virus that can reside in the clock RAM (not ROM) chip and I really really doubt that is is possble. The CMOS RAM stored is usually very small (around 64 bytes) and most of that is used for maintaining the date/time, CMOS configuration, etc... I doubt anyone can make a virus that small, and even if they could, the CMOS RAM is not executable so it would just sit there doing nothing. So it wouldn't even replicate so I doubt you can even consider it a virus. A virus might be smart enough to store some of its code in CMOS ram (like counting how often that virus has been executed), but most of its code would still have to be on your drive. And because of that, the virus can be detected and removed. Sounds like someone's giving you some bad information about viruses. ----------------------------------------------------------------------------- | Sam Shim | "I didn't do it... | | EECS Departmental Computing Organization | It wasn't me... | | University of Michigan | Nobody saw me do it... | | Ann Arbor, MI 48109 | Nobody can prove a thing..." | | internet: shim@eecs.umich.edu | - Bart Simpson | ----------------------------------------------------------------------------- ------------------------------ End of VIRUS-L Digest [Volume 3 Issue 113] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253