VIRUS-L Digest   Tuesday, 30 Jan 1990    Volume 3 : Issue 26

Today's Topics:

ATM Bankcard Security
New files to MIBSRV. (PC)
library virus (PC)
confirmation on library disk infection (PC)
Re: Innocent Until....
Public PC lab responsibility
Re: Virus request
Anti-virus suite
Re: Signature Programs

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus,
document, and back-issue archives is distributed periodically on the
list. Administrative mail (comments, suggestions, and so forth) should be
sent to me at: krvw@SEI.CMU.EDU.

- Ken van Wyk

---------------------------------------------------------------------------

Date: Mon, 29 Jan 90 21:38:20 -0500
From: David_Conrad%Wayne-MTS@um.cc.umich.edu
Subject: ATM Bankcard Security

Bernie Cosell writes:

>Similarly, with ATM cards, the primary 'line of defense' is some
>security-by-obscurity encoding on the card and a three-digit password
>[which, I think, is also encoded on the card].

As I understand it, the PIN (Personal Identification Number) is not
stored on the ATM card, but is retrieved by the ATM and compared with
the number entered on the ATM keypad. The ATM machines are on a wide
area network, and I don't know if the PIN is actually transmitted, or if
the result of some algorithm applied to the PIN is sent (the latter, I
hope!). Also, the PIN is four digits (or at least mine is).

David Conrad (David_Conrad%Wayne-MTS@um.cc.umich.edu)

"If all else fails, immortality can always be assured by spectacular
error." -- John Kenneth Galbraith

------------------------------

Date: Tue, 30 Jan 90 08:36:04 -0600
From: James Ford
Subject: New files to MIBSRV. (PC)

These files have been placed on MIBSRV.MIB.ENG.UA.EDU (130.160.20.80)
for anonymous FTP. They are:

SCANV57.ZIP  - ViruScan 2.7V57 (update)
SCANRS57.ZIP - TSR version of ViruScan (update)
NETSCN57.ZIP - Network Version of ViruScan (update)
CLEANP57.ZIP - Clean-Up Virus Remover (update)
NETFIX10.ZIP - Equivalent to NETSCAN & CLEAN-UP (*new*)

All files were downloaded directly from Homebase BBS on 1/29/90

- ----------
James Ford - JFORD1@UA1VM.BITNET, JFORD@MIBSRV.MIB.ENG.UA.EDU

------------------------------

Date: Mon, 29 Jan 90 15:31:17 -0700
From: caasi@sdsu.edu (Richard Caasi)
Subject: library virus (PC)

VIRUS ALERT!!

Here's a message from Steve Palincsar at the GAO about a verified virus
in a depository library shipment. Please note and repost this wherever
it might be read earliest...

Depository libraries have received notification from Regional
Depositories and the U.S. Government Printing Office that depository
shipment #900057-p, which contains a CD ROM disk of census statistics
from the census bureau and two floppy diskettes of software to access
the CD disk, contains a diskette (labeled "2 of 2") which is
contaminated with the Jerusalem Virus. Recipients are urged to destroy
disk "2 of 2" immediately, and are warned that the Jerusalem Virus can
destroy data on their entire system. We were notified by Hugh O'Connor
of the Univ. of MD Regional Library; I called him and confirmed the
authenticity of the call we'd received, and then followed up by calling
Joe McLean [spelling unconfirmed], Chief of GPO's Inspection Team
(202-275-1119) who also confirmed the authenticity of the report.
Shipment #900057-P was mailed 1/25/90. There were no details about how
replacement software would be supplied for the contaminated diskettes.

Nancy Garman, Editor, ONLINE (606)331/6345

[Ed. See next message for more info.]

------------------------------

Date: Tue, 30 Jan 90 14:29:04 -0500
From: Kenneth R. van Wyk
Subject: confirmation on library disk infection (PC)

I phoned the folks at the GPO and confirmed that the above report is
indeed true. They faxed me a copy of a letter which they're sending out
to the people that they know have received the disks. Below is a
(transcribed - sorry if there are typos) copy of that fax.

Ken

===== Cut Here =====

Dear Depository Librarian:

GPO has just been notified by the Census Bureau that one of the floppy
disks just distributed by GPO with the _County and City Data Book_
CD-ROM is infected with a computer virus AND SHOULD NOT BE USED UNDER
ANY CIRCUMSTANCES.

The floppy disk was listed on shipping list 90-0057-P as
C 3.134/2:C 83/2/988/floppy-2. The title on the floppy disk reads as
follows:

    Bureau of the Census
    Elec. County & City Data Bk., 1988
    U.S. Stats., Inc., 1101 King St., Suite 601, Alexandria, VA 22314
    (703) 979-9699

PLEASE DESTROY THE FLOPPY DISK AS SOON AS IT IS RECEIVED. (Do NOT
reformat and reuse the floppy disk.)

The virus has been identified as the Jerusalem-B virus (also referred to
as the Israeli virus). It infects any .COM or .EXE program on MS-DOS
personal computers and increases program size by approximately 1,800
bytes. Other programs are infected when they are executed in an infected
system. The Jerusalem virus can cause significant damage on an infected
personal computer. It generally slows down the system and some versions
destroy all data on the hard disk. .EXE files continue to grow in size
until they are too large to execute.

If your computer has already been infected, we recommend that, if
possible, you seek assistance from a computer specialist at your
institution immediately. There are special programs available for
detecting and eradicating computer viruses. One may be available in your
institution or from someone you know. DO NOT USE YOUR PC TO ACCESS A
NETWORK OR PRODUCE FLOPPY DISKS CONTAINING .EXE OR .COM PROGRAMS FOR USE
BY OTHER PCS.

The _County and City Data Book_ CD-ROM can be used safely with the
software on the other floppy disk distributed in that shipment
(C 134/2:C 83/2/988/floppy).

If you have any questions, please call Jan Erickson at GPO
(202 275-1003) or the Census Bureau Customer Service at (301 763-4100).

The Census Bureau and GPO regret any problems that this may have caused.
Appropriate measures will be taken to ensure that it does not happen
again.

------------------------------

Date: Tue, 30 Jan 90 09:47:00 -0500
From:
Subject: Re: Innocent Until....

>>As of the time of your posting, what judicial process has
>>concluded with a finding of fact that he released the worm?

>I wondered whether or not anyone would challenge that
>assertion.
>
>As of the time of my posting, The New York Times had already reported
>Morris had so testified.
>
>As of the time of the original assertion to which I responded, there
>had been such a finding by formal proceedings at Cornell University.

....various other bits of evidence deleted.

The issue here is whether it was appropriate to say that Mr. Morris had
released the worm prior to a finding of that fact in a court of law.
IMHO it is not, and we should say that this act is alleged, until the
court decides otherwise (which it recently did).

According to what you read in the papers, Mr. Morris's lawyers conceded
that he conducted the act of releasing the worm. However, this does not
constitute a finding of fact, as you maintain. I can think of a half
dozen instances where a confession to an act would be rejected by a
court of law after a weighing of ALL the evidence. A confession is
merely evidence in a trial, and although it obviously carries a great
deal of weight, it does not, in and of itself, constitute a finding of
fact.

It was interesting to note how you structured your response to my
concern. You listed the reasons why you felt that Mr. Morris's releasing
the worm was a "finding of fact", and not alleged. In effect, you
conducted your own little mini-trial, using such evidence as something
you read in the New York Times. Are you claiming that you have heard ALL
the evidence presented in this trial? Are you claiming to have been
declared by both the prosecution and the defense to be acceptable to sit
in judgment in this case? Do you have the benefit of eleven other jurors
to confer with and have agree with you in your personal "finding of
facts"? No. That is why we have courts of law to find fact after
weighing ALL the evidence as part of an orderly process that protects
all concerned (at least in theory). I do not want to assign this
authority to the New York Times, nor the Judicial Boards at Cornell, nor
to your or my own personal evaluation based on partial evidence. Until
the time that the court completed its job and ruled on facts and guilt,
I felt it was appropriate to label the charges against Mr. Morris as
alleged.

- ---------------------
John L. Cofer
COFER@UTKVX.BITNET
- ---------------------
All disclaimers apply

------------------------------

Date: Tue, 30 Jan 90 08:21:20 +0700
From: Chuck Martin
Subject: Public PC lab responsibility

What is a public lab's responsibility to end users in regard to viruses?
The answer is that you do the best you can.

Our office Mac is available to the public for (emergency) laser
printing, and we have adopted measures to prevent infection. First, the
user's disk is scanned for viruses with Disinfectant. There are
absolutely *NO* exceptions. If a virus is found, we offer to remove it.
If that is declined, the user may receive Disinfectant 1.5 (free, of
course), to clean up his/her system. Either way, we will *NOT* have
anything to do with an infected disk.

Some secondary protection measures include:

(1) all commands are issued by our staff, not the end user.
(2) Our hard drive is periodically scanned for infection.
(3) Vaccine is the first init installed.

I cannot say what our legal liability is, but surely any court can see
that we are taking all reasonable precautions.

Comments?

- -------------------------------------------------------------------------------
Chuck Martin, Consultant
Computer Information Center, Washington State University
MARTINCH @ WSUVM1.BITNET        (509) 335-0411
- -------------------------------------------------------------------------------
May you live in interesting times. - ancient Chinese curse/benison
- -------------------------------------------------------------------------------

------------------------------

Date: 30 Jan 90 18:39:47 +0000
From: eachus@aries.mitre.org (Robert I. Eachus)
Subject: Re: Virus request

woodb!scsmo1!don@cs.UMD.EDU writes:

> Should it be illegal to own or transmit virus source (for non-security
> personnel)??

No, No, No, a thousand times NO! If nothing else the discussion in this
group about the theoretical impossibility of determining whether or not
certain code is a virus should convince you that it is certainly
impossible in practice as well as in theory to determine whether any
source code could be intended as part of a virus. Also note that the
Internet Worm could and did transmit and compile source code on the
machine it was infecting. Should anyone whose machine was infected be
locked up?

As a (part-time) system administrator, I think it is my responsibility
to track activity in this area. If a new virus threatens any system for
which I am responsible, I want to know that either I, or someone I trust
who specializes in virus detection and elimination, can get a copy of
the virus from someone who has been hit and disassemble it. It would be
silly to say that I can be infected (tough luck, sorry about that) but
if I try to disassemble the virus I am breaking the law. Note that there
are several "non-boot block" viruses which embed themselves in other
programs. The easiest way to find them (before a special tool is
developed for the particular virus) is to use a disassembler.

> Also, should there be an international watchdog agency set up to
> investigate such requests?? Should the CIA/FBI/FCC be involved in
> cooperation with IBM/DEC/AT&T/etc.. to form a task force along with
> our list's virus expert?

I think that sending something to this list is probably sufficient
notice to all of the existing watchdog groups. I'll let Gene Spafford
answer whether the group set up in response to the Internet Worm is
interested in tracking such requests.

> Has anyone contacted this person's administration along with MAINE's
> and BITNIC/BITNET administration?

I don't know. I'm seeing this second hand, did you report it?

> Right now, it's up to us to report these requests and it's the
> responsibility of MAINE to act on requests submitted via UMNEWS.

Agreed. The current state of computer networking is true anarchy. That
means that we are all responsible for our own protection. (I don't
consider that a bad thing, but note that in any case nodes and subnets
may have rules and organizations to enforce them. It is just at the
highest level that anarchy exists.)

> Can we make it illegal to have virus sources without stomping on our
> constitutional rights?? What about other countries??

No. Obviously there are some countries where such laws would be
constitutional. However, like gun control, any such regulations would be
futile, even if such laws could be enforced in a transnational
environment like the net. If Robert Morris, Jr. had developed his code
(from New York State) on a computer in Canada, and released it into a
European network, I think that he still might have violated the (US)
federal computer abuse statutes, but where would he have violated your
proposed law against owning virus sources?

Robert I. Eachus

with STANDARD_DISCLAIMER;
use  STANDARD_DISCLAIMER;
function MESSAGE (TEXT: in CLEVER_IDEAS) return BETTER_IDEAS is...

------------------------------

Date: 30 Jan 90 17:24:46 +0000
From: ray@philmtl.philips.ca (Ray Dunn)
Subject: Anti-virus suite

Please excuse if this is regularly published information....

Which among the many commercial and PD anti-virus programs would you
recommend as part of a cost-almost-no-object suite of programs to
protect an MSDos and OS/2 software development department against a
virus appearing on the development machines, or, infinitely worse, on
the product disk?

Does anyone offer a continuing anti-viral update service?

If you had to *guarantee* that no such product disks contained a virus,
how would you go about it, other than taking measures to maintain an
anti-infection clean-machine environment?

Thanks. I'll summarize email replies back to this group.

- --
Ray Dunn.                    | UUCP: ray@philmtl.philips.ca
Philips Electronics Ltd.     |       ..!{uunet|philapd|philabs}!philmtl!ray
600 Dr Frederik Philips Blvd | TEL : (514) 744-8200  Ext : 2347 (Phonemail)
St Laurent. Quebec.  H4M 2S9 | FAX : (514) 744-6455  TLX : 05-824090

------------------------------

Date: 30 Jan 90 19:06:43 +0000
From: eachus@aries.mitre.org (Robert I. Eachus)
Subject: Re: Signature Programs

utoday!greenber@uunet.UU.NET (Ross M. Greenberg) writes:

>71435.1777@CompuServe.COM (Bob Bosen) writes:
>
>>1- The PERCENTAGE of the file that is subjected to the sophisticated
>>algorithm. This can sometimes be quite a small fraction of the whole
>>file. (The remainder of the file can be processed by an industry-
>>standard CRC algorithm. There are various techniques deriving from
>>cryptology that can be used to cause the effects of the sophisticated
>>algorithms to "ripple through" all the way to the final signature.)
>>Properly implemented, these techniques can result in a reliable,
>>virtually unforgeable signature that is calculated almost as quickly as a
>>conventional CRC.
>
>True, only if you're looking for a known pattern. Otherwise, you're
>guessing that your algorithm is smarter than the bad guys. Not on my
>machine you don't! You're gonna have to scan the whole file, every byte
>to tell me if there has been a change...[Lots more deleted.]

What Bob Bosen is proposing is an algorithm which does scan the whole
file, and does notice if any byte has been changed. His point is that
most of this checking can be done with simple CRC techniques and only a
small part of the file needs to be encrypted with a sophisticated
algorithm. There exist such techniques, and if they are correctly
implemented the effort to change the program in a way which does not
change the "final" CRC, or to calculate a new CRC result, is at least as
difficult as solving the sophisticated algorithm.

Even in your "hypothetical" PC/XT case, the computer can perform several
instructions per each byte read from a hard disk. It is possible (and on
my Amiga, I do exactly this) to use a packing program, and a loader
which automatically unpacks the executable code, and have the packed
code load quicker (from a fast hard disk even!) than the actual program.
Saves on disk space too. A packing program which encoded source with my
personal "signature" could produce packed programs which loaded faster
(including the verification) than the original program. And if done
"right" the encryption key needed to create a loadable program could not
be deduced from the loader. (Unless P=NP :-)

Robert I. Eachus

with STANDARD_DISCLAIMER;
use  STANDARD_DISCLAIMER;
function MESSAGE (TEXT: in CLEVER_IDEAS) return BETTER_IDEAS is...

------------------------------

End of VIRUS-L Digest
*********************
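An added example (the editor's, not code from any of the digest's contributors) that ties the GPO letter's description of Jerusalem-B (each infection adds roughly 1,800 bytes to a .COM or .EXE, and .EXE files keep growing on reinfection) to the signature-program thread above: a baseline-and-verify checker that keeps a keyed signature over every byte of each program file and, on a mismatch, reports whether the size growth fits that appender pattern. The key, file names and sizes are constructed for the demo; the growth constant is the letter's approximate figure, not a measured infection length.

```python
import hmac
import tempfile
from pathlib import Path

JERUSALEM_GROWTH = 1800         # approx. bytes per infection, per the GPO letter
KEY = b"constructed-demo-key"   # hypothetical secret; keep it off the protected PC

def signature(data: bytes, key: bytes = KEY) -> str:
    # Keyed digest over every byte: unlike a plain CRC, an infector cannot recompute it without the key.
    return hmac.new(key, data, "sha256").hexdigest()

def baseline(root: str, key: bytes = KEY) -> dict:
    # Record (size, signature) for each .COM/.EXE directly under root, on a known-clean machine.
    table = {}
    for path in sorted(Path(root).iterdir()):
        if path.suffix.lower() in (".com", ".exe"):
            data = path.read_bytes()
            table[path.name] = (len(data), signature(data, key))
    return table

def verify(root: str, table: dict, key: bytes = KEY) -> list:
    # Return (name, finding) for every baselined file whose signature no longer matches.
    findings = []
    for name, (size0, sig0) in table.items():
        data = Path(root, name).read_bytes()
        if hmac.compare_digest(signature(data, key), sig0):
            continue
        growth = len(data) - size0
        n = round(growth / JERUSALEM_GROWTH)
        if n >= 1 and abs(growth - n * JERUSALEM_GROWTH) <= 50:
            # About n steps of ~1800 bytes: the appender growth the letter describes; n > 1 is repeated .EXE reinfection.
            findings.append((name, f"grew {growth} bytes, about {n} x {JERUSALEM_GROWTH}"))
        else:
            findings.append((name, f"modified, size delta {growth:+d}"))
    return findings

def demo() -> list:
    # Constructed sample: three clean programs baselined, then two of them grown.
    root = tempfile.mkdtemp()
    for name, size in (("EDIT.COM", 1000), ("SCAN.EXE", 3000), ("DATA.EXE", 2500)):
        Path(root, name).write_bytes((bytes(range(256)) * 12)[:size])
    table = baseline(root)
    for name, extra in (("EDIT.COM", 1813), ("SCAN.EXE", 3616)):  # one and two rounds of growth
        with Path(root, name).open("ab") as f:
            f.write(b"\x90" * extra)
    return verify(root, table)
```

Run baseline() once on a machine known to be clean and store the table away from it; verify() later against the stored table, since a table left on the same disk is itself a target.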