VIRUS-L Digest Thursday, 1 Feb 1990 Volume 3 : Issue 29 Today's Topics: Re: Universal virus detector Removing the 4096 (PC) Re: Security and Internet Worms (Source Code) Statistical Distributions and Virus Spreading JERUSALEM B again (PC) Re: Gatekeeper veto: Normal behavior or virus attack? Re: Virus Modeling Re: 'Virus request' from Taiwan WDEF A & B hit Oregon State University Re: 4096 and 1260 Viruses (PC) WDEF in Illinois (Mac) VAX Virus request update (general) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk --------------------------------------------------------------------------- Date: Wed, 31 Jan 90 13:13:00 -0500 From: Leichter-Jerry@CS.YALE.EDU Subject: Re: Universal virus detector David Chess asks how my hardware timestamp forms a universal virus detector. He misses the point of my message. I wasn't trying to define a good user interface to such a system; I was only sketching out how the hardware might work. Any creation or modification of executable code on a system is either desired or undesired. You first of all have to be able to distinguish between those two possibilities. The distinction is based on the intent of the operator, so is not amenable to mathematical argument as such. While it may sometimes be difficult to decide exactly what catagory some transitions fall into, in many cases I can be definitive. In particular, there it is almost always the case that no existing executable should be modified, ever. All my existing executables can be checked by comparing their timestamps with known-correct values. Think of this as a very cheap, absolutely unforgeable checksum. More generally, any time I am certain my system is "clean" I can generate and save on a secure medium a list of all timestamps on my disk. Any time later, I can generate a new list and compare. It is then up to me to decide whether any differences that show up are legitimate - but I have the absolute assurance that I WILL get an indication of any changes. BTW, if you really want to build such hardware you can easily go further, in several ways. For example, you can add a hardware-enforced switch which when in the OFF position makes it impossible to set the "is executable" bit at all. In this mode, you can't do program development, install new executables, or even copy executable files - but you absolutely can't be infected either. The vast majority of systems could probably spend most of their time with the switch in this position. Another alternative is to add another bit, the "may create executables" bit. Only code running from a block marked with this bit may turn on the "executable" bit for another block. Normally, only the linker and an image copier would have this bit set. A virus could still be written - but it couldn't modify existing code directly, it would have to produce object code and pass it through the linker. There are certainly some fundamental issues in dealing with viruses, but most of the PRACTICAL issues are the direct result of PRACTICAL hardware and software design decisions. -- Jerry ------------------------------ Date: Tue, 30 Jan 90 15:12:09 +0200 From: "Yuval Tal (972)-8-474592" Subject: Removing the 4096 (PC) There is a very easy method to get rid of the 4096 virus (100 years). Lets say you want this virus had spread on your hard-disk and you want to remove it. Take an *INFECTED* PKZIP, PKARC or any other such thing. Compress all your files (or some of them) into one file. Erase all the compressed files from your disk and boot from a clean diskette. Now, take a *CLEAN* PKUNZIP, PKXARC or whatever and open the compressed file. That's it! How does it work??? When the virus is active in memory, and you try to read an infected file, it will only read the file until the virus (orinial file). So, what really happens here, is that the archiver compresses only the files without the virus. - -Yuval Tal +--------------------------------------------------------------------------+ | BitNet: NYYUVL@WEIZMANN Domain: NYYUVAL@WEIZMANN.WEIZMANN.AC.IL | | InterNet: NYYUVAL%WEIZMANN.BITNET@CUNYVM.CUNY.EDU | +----------------------+---------------------------------------------------+ | Yuval Tal | Voice: +972-8-474592 (In Israel: 08-474592) | | P.O Box 1462 | BBS: +972-8-421842 * 20:00-7:00 * 2400 * N81 | | Rehovot, Israel | FidoNet: 2:403/136 (CoSysop) | +----------------------+---------------------------------------------------+ | "Always look on the bright side of life" *whistle* - Monty Phython | +--------------------------------------------------------------------------+ ------------------------------ Date: Wed, 31 Jan 90 10:10:20 +0000 From: Technician Subject: Re: Security and Internet Worms (Source Code) Having read the following: >Yes, I believe that viral source code ought to be distributed and >studied-but under controlled conditions. The universities offer the >best hope of such a controlled setting. I for one would not reccomend this site (and I strongly suspect the majority of other campus type sites) as a recipient or study site for virus/worm/Trojan, or what ever comes next, sources. Security tends to be very lax, as neither the time, money or inclination is available to change this. I would suggest a limited number of 'bonded sites' who do take security seriously (which may well include many Universities) act as co-ordinators, with the possiblilty of farming out single problems to trusted users at less secure sites. / All opinions expressed here are mine and mine alone, licences are available for those who wish to use them. / Jim Cottrell, Software Technician, Computer Science, University of Dumham. ------------------------------ Date: Wed, 31 Jan 90 13:50:45 -0500 From: "Gregory E. Gilbert" Subject: Statistical Distributions and Virus Spreading Does virus occurence subscribe to some statistical distribution? Q: Suppose there is this new virus prevention/eradication software available for free, but there is an update policy of either $25 per update (i.e. configuring for new viruses) or $100 per year for an update subscription. Should I purchase the subscription or should I buy each update? i. e. What is the probability in the next year that more than four viruses (strains, clones, etc....) will occur? Another way of asking this would be, "Is is cost effective for me to purchase the update subscription." Greg. Postal address: Gregory E. Gilbert Computer Services Division University of South Carolina Columbia, South Carolina USA 29208 (803) 777-6015 Acknowledge-To: ------------------------------ Date: Wed, 31 Jan 90 15:16:27 -0500 From: "Thomas W. Stuart" Subject: JERUSALEM B again (PC) A faculty member here at SUNY at Buffalo has been hit by the Jerusalem B virus brought in on a commercially purchased program. A blurb from the publisher/distributor suggests scanning with either "sieve" or "scan54". and eradicating with "M-Jerusalem". Are any of these programs available from a bitnet or internet accessible source? And does this advice seem sound? Please address any responses to me directly. Thanking you in advance, Thomas Stuart School of Information and Library Studies SUNY at Buffalo ------------------------------ Date: 31 Jan 90 21:23:36 +0000 From: boulder!boulder!johnsonr@ncar.UCAR.EDU (JOHNSON RICHARD J) Subject: Re: Gatekeeper veto: Normal behavior or virus attack? (Mac) swenson@pythagoras.Stanford.EDU (Norman Swenson) writes: ] I have noticed something suspiciously virus-like on my Mac II. ... ] Fearing an imminent disk crash, I backed up my hard disk to another. ] While the files were copying over, I got a veto message from Gatekeeper. ] I decided to check my disk using Disinfectant 1.5 and found that Drawover ] (part of Adobe Illustrator) was infected with nVir B. I disinfected that ] file, and all my disks then scanned clean. The veto message you got probably had nothing to do with the nVIR B infection. (However, if you'd tried to run Drawover before disinfecting it, you probably would have gotten a message about nVIR B.) ] However, whenever I try to open the Illustrator folder on the backup ] disk, I get the following veto message: 'Gatekeeper has vetoed an ] attempt by Finder to violate "Res(other)" privileges against Desktop. ] [AddResource(ADBS,0)]'. I have isolated the behavior to the Adobe ] Separator 2.0 program. Yup. ADoBe Separator uses ADBS for it's creator signature. Sadly, the Mac OS also uses a resource called ADBS for the Apple Desktop BuS. The latter is executable code, while the signature resource isn't. GateKeeper blocks unprivileged attempts to add executable resources to file, and is obviously mistaking the totally harmless signature resource for a nasty virus. Stupid GateKeeper :-) The solution here is to simply not use applications that use resource names as their application signatures. Stupid Adobe :-) ] Why would opening a folder require adding a resource to the desktop ] file? The Finder keeps track of which icons to display for which files. To do that it stores the icons, signature resources, etc. in the DeskTop file. If the Finder discovers an unknown file in a folder, it will attempt to add that file's identifying info to the DeskTop. ] And why did Gatekeeper veto it on one disk, but not the other? I dunno. The Finder is often mysterious to the semi-initiated (like me). Perhaps an expert can take the rest of the questions? ] Norm ] swenson@isl.stanford.edu | Richard Johnson johnsonr@spot.colorado.edu | | CSC doesn't necessarily share my opinions, but is welcome to. | | Power Tower...Dual Keel...Phase One...Allison/bertha/Colleen...?... | | Space Station Freedom is Dead. Long Live Space Station Freedom! | ------------------------------ Date: Wed, 31 Jan 90 23:07:00 +0000 From: RWALLACE@vax1.tcd.ie Subject: Re: Virus Modeling Opitz@DOCKMASTER.ARPA writes: > A co-worker of mine wrote: > One way to characterize a Trojan Horse or a virus is to build > mathematical, abstract models of them. Such a model may be an > n-tuple of interrelated subjects, objects, and operations. > Thereafter, abstracted audit data and host machine > characteristics can be organized to find if all the components of > such an n-tuple are present. > > My assignment was to help with the research in attempting to come up > with such a model. Now, from what I have been reading on the Virus > forum, I am wondering if this task is even possible. > ... > Is it possible to come up with such a model? Is it possible to list > ALL of the characteristics of a virus? If so, what might these > characteristics be? If not, why not? > > David T. Opitz - NSCS I would estimate that such a program would be only slightly easier than a program to pass the Turing test. As someone pointed out, a real computer isn't a finite state machine because it includes the person operating it (well the whole universe has a finite number of states but we're getting way beyond anything of practical use). Therefore there is no universal algorithm for detecting viruses a priori. How about a non-universal algorighm that will detect a virus say 95% of the time? I don't think that's possible either. Consider possible countermeasures: The virus inspects a component of the operating system or hardware (e.g. checks if files of certain names are present, the files in question being essential components of the operating system), and uses the result to generate a 32-bit number which it then uses to decrypt a chunk of data which contains the infector code. It then executes the infector code. Even a brute-force inspect all possible execution paths approach won't work here because infection depends on things outside the program itself .. unless you're going to simulate the suspect program in a simulation of an entire machine which isn't very practical. Consider: even a good human hacker would have great difficulty finding a cunningly-hidden virus in a big program. You're going to need something pretty close to true AI. "To summarize the summary of the summary: people are a problem" Russell Wallace, Trinity College, Dublin VMS: rwallace@vax1.tcd.ie UNIX: rwallace@unix1.tcd.ie ------------------------------ Date: Wed, 31 Jan 90 12:39:00 +0000 From: CHOOPER@acad.cut.oz (Todd Hooper) Subject: Re: 'Virus request' from Taiwan > Date: Thu, 25 Jan 90 12:08:35 -0500 > From: woodb!scsmo1!don@cs.UMD.EDU > > Should it be illegal to own or transmit virus source (for non-security > personnel)?? > A storm in a teacup I'm afraid. What possible technique could you use to make it 'illegal to own or transmit virus source'? I mean, if in the U.S. you can buy books on homemade weapons from machine guns right up to nerve gas and atomic bombs, I can't see the U.S. Government being able to successfully crack down on people swapping virus source code. It seems to be a common practice on this newsgroup/mailing list to assume guilt until shown otherwise. E.g. 'Morris is guilty writing the Internet Worm', before a verdict has been handed down. Statements such as 'Anyone who has virus source code must be a criminal' are of a similar ilk. XPUM01@prime-a.central-services.umist.ac.uk (Dr. A. Wood) writes: > If James Huang is Taiwanese, then his first and most familiar language > is likely not English but Chinese, and likely he committed no computer > ethical error but merely a language blunder, namely the common capital > offence of 'unclear use of a pronoun'! , > in the course of emptying his flamethrower down the computer link at > the unfortunate Huang, seems to imply that Huang meant "I want to > spread VAX virus". But Huang could also have intended to say "I want > to spread news about how to notice and combat VAX virus" > > - - which is what Virus-L is for!! I couldn't agree more. Get off the poor guys back! - -- Todd Hooper Computing Centre Curtin University of Technology PSImail: psi%050529452300070::CHOOPER Western Australia ACSnet : CHOOPER@acad.cut.oz Bitnet : CHOOPER%acad.curtin.edu.au%munnari.oz@cunyvm.bitnet UUCP : {enea,mcvax,uunet,ubc-cs,ukc}!munnari!acad.curtin.edu.au!CHOOPER Phone : +61 9 351 7467 (24 hour messaging system) Fax +61 9 351 2673 ------------------------------ Date: 01 Feb 90 14:46:01 +0000 From: slezakm@nyssa.cs.orst.edu (Mark R. Slezak) Subject: WDEF A & B hit Oregon State University Here at OSU we got hit with both the WDEF A & B here in our campus lab. Douglas Adams The Long Dark Tea-Time Of The Soul +-----------------------------------------------------------------------------+ : It was signed "You-know-who,"but this had been crossed out and first the : : word "Odin" and then in larger letters "Your Father" had been substituted. : : Odin never ceased to make absolutely clear his view of his son's : : intellectual accomplishments. : +-----------------------------------------------------------------------------+ Mark R. Slezak {tektronix,hp-pcd}!orstcs!nyssa.CS.ORST.EDU!slezakm ------------------------------ Date: 01 Feb 90 07:24:53 +0000 From: grinberg@bimacs.biu.ac.il (Dennis Grinberg) Subject: Re: 4096 and 1260 Viruses (PC) Alan_J_Roberts@cup.portal.com writes: >This is a forward from John McAfee: .. stuff deleted Topic is 4096 virus > We don't yet know the exact mechanisms used by this virus, but >we do know it works. No memory resident virus filter, or system virus >scanner that we are aware of is able to prevent infection from this >virus, or detect an infection after it has occurred - providing that >the virus is active. The only way, currently, that we know how to >detect this virus is to look for its code in memory. This is strange because I seem to recall SCAN55 detecting this virus on a machine that I came across. Is my memory faulty? ------------------------------ Date: Thu, 01 Feb 90 09:27:00 -0600 From: Subject: WDEF in Illinois (Mac) WDEF infections have been reported at Illinois State University. Our lab was protected with Gatekeeper Aid and Disinfectant. Other users on campus are now using similar tools.Thank you John Norstad! ------------------------------ Date: Thu, 01 Feb 90 13:51:58 -0500 From: V2002A@TEMPLEVM.BITNET Subject: VAX Virus request update (general) Hi, The following was posted to the UMNEWS VAX discussion yesterday +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Subject: viruses From: Andrew T. Robinson I'd like to stress here that anyone suggesting the distribution of a virus is opening themselves up for a world of hurt. I am locking the user who made the posting about the VAX virus. ***** Received 15:28:37 on 01/31/90, Posting # 86 ***** +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Andy Wing Senior Analyst Temple University School of Medicine ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253