VIRUS-L Digest Monday, 19 Mar 1990 Volume 3 : Issue 60 Today's Topics: Possible Virus (Mac) possible new trojan on Genie (Mac) Getting files from "anonymous FTP" Re: Virus management software Virus project - sources and information needed Re: virus symptoms (Amiga) re: viri using Hamming WDEF A at CERN (Mac) Stoned disinfection information (PC) Using PD CRC programs and Scanners on LANs (PC) CERT ADVISORY - Internet Intruder Warning VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk --------------------------------------------------------------------------- Date: Fri, 16 Mar 90 15:05:00 -0500 From: "Carl_A.Fassbender" Subject: Possible Virus (Mac) One of the public computer labs here is having trouble with it's system disks. For some reason, space on these disks is lost. There are no other files added to the disks and the file sizes of the orginal files have not changed. Could something be changing the number of free blocks without actually allocating them? The files that are on the system disk are: System 6.0.4 LaserWriter Finder Monitors Gatekeeper Aid 1.0.1 Sound Gatekeeper 1.1.1 StartupScreen Clipboard File Color General ImageWriter Key Layout Keyboard LaserPrep We have Gatekeeper set so that it does not use the log feature. Carl Fassbender Michigan State University ------------------------------ Date: 17 Mar 90 08:48:30 +0000 From: milano!werner@cs.utexas.edu (Werner Uhrig) Subject: possible new trojan on Genie (Mac) a rumour has reached me that a program called "Totally Safe Sex" on Genie may be a new trojan. if you download(ed) it, be most careful - my rumour says that it destroys the Finder and makes your System file grow suspiciously. if you *must* run it, do it with all hard disks disconnected, and best only with a RAMdisk ... if someone has access to Genie and would send me a copy, I'd appreciate it (no later than Monday, please. by Monday evening a Fedexed copy will have reached me) - -- - --------------------------> please send REPLIES to <------------------------ INTERNET: werner@cs.utexas.edu or: werner@rascal.ics.utexas.edu (Internet # 128.83.144.1) UUCP: ...!cs.utexas.edu!werner ------------------------------ Date: Fri, 16 Mar 90 12:25:36 +0000 From: Anthony Appleyard Subject: Getting files from "anonymous FTP" Information from "Kenneth R. van Wyk" , with thanks. Some Virus-L messages say that the rest of the message can be got (say) "by anonymous ftp from the/quick/brown/fox/jumps.over.the.lazy.dog". For the information of those not very conversant with FTP, this can be done thus:- Type your computer's command "ftp cert.sei.cmu.edu". "cert.sei.cmu.edu" is a USA email address. It should be "edu.cmu.sei.cert@uk.ac.nsfnet-relay" if typed in UK (I think). When asked for the remote username, type "anonymous". When asked for the remote password, type anything non-null. When you get your computer's FTP command's "ftp>" prompt (or equivalent), type these commands, splitting the given filename at its last '/':- cd the/quick/brown/fox get jumps.over.the.lazy.dog quit If you type the command "dir" before the command "quit", you will also get a directory-listing of filenames. If you type the command "help" before the "quit", you will get information. {A.Appleyard} (email: APPLEYARD@UK.AC.UMIST), Fri, 16 Mar 90 12:00:12 GMT ------------------------------ Date: Sat, 17 Mar 90 17:02:42 -0500 From: moncol!lagaipa@tsdiag.att.com Subject: Re: Virus management software We at Monmouth just completed our defense against the STONED virus using the VIRUSCAN and CLEAN from McAfee. It certainly simplified our efforts. Before learning of the CLEAN program we had to do a LOW level format. Now we have it built in to the startup to prevent future spreading. We found McAfee (I spoke to John) extremely helpful. Monmouth plans on supporting the SHAREWARE as soon as budget permits. Joseph A. La Gaipa , Director of Computer Services (201)571-3551 ------------------------------ Date: 17 Mar 90 15:21:57 GMT From: hsu_wh Subject: Virus project - sources and information needed I am a computer science major at the Johns Hokpins University who is planning a programming project on anti-viral utilities (genralized infection detection, to be specific). I would greatly appreciate any and ALL sources (i.e., books, periodicals, online publications, FTP sites, and papers - especially theses like Fred Cohen's) that anyone could recommend to me. The options I am exploring are: 1) A Macintosh-based virus infection detector which combines aspects of Disinfectant with a more general protection scheme which halts unauthorized interrupts from unidentified sources, including unknown potential virii. This would first be required to work on WDEF; afterwards, I would test it on post-WDEF virii as they appear. 2) The same idea, applied to the 80286/386. Advantages of using the IBM systems, besides the fact that virii are much more prevalent on them, include the availability of technical information on 286/386 assembly and interrupts. I haven't looked at Inside Macintosh very closely yet, so I am uncertain as to the relative difficulty level of programming the Macintosh toolbox. 3) (A long shot, probably not feasible). Investigation of UNIX and/or VAX system vulnerabilities, from the perspective of an infiltration device (e.g., the infamous Internet '88 worm). This would entail a study on aspects of Morris' composite creation, along with speculation concerning techniques NOT used by the worm (but which were suggested by Donn Seeley in _A Tour of the Worm_). Any suggestions are welcome; please address mailed responses to: HSU_WH@JHUVMS.HCF.JHU.EDU or HSU_WH@JHUNIX.HCF.JHU.EDU - also, please post general information which may benefit the other two prospective paper authors. Thank you. P.S. : Could someone please E-Mail me with information on subscribing to RISKS and Virus-L? Thanks again. ------------------------------ Date: Wed, 14 Mar 90 12:21:00 -0500 From: The Mad Doctor Subject: Re: virus symptoms (Amiga) >> I have a game called Hybris. After playing this for a while, the >> screen will "fuzz", what I mean is that the graphics seem to get >> confused and all I see is one big blur on the screen. I have >> tried this with two independent disks of the game (ie: I borrowed >> them from two different people). This may or may not have anything >> to do with the blanking. > >I'm not familiar with the Amiga, but it is known that some programs >that directly program the video hardware do so incorrectly, leaving >the video signal in an "undefined" or "marginal" state. This could >cause problems of the sort that you describe (by the way, this could >also lead to permanent damage of the monitor). >Acknowledge-To: I've never heard of it leaving permanent damage to the monitor; if this is what I think it is, the problem is in the sprite registers. If it's the moving graphics that are being scrambled, this is probably what's occurring. Just load up Preferences and move the screen a little to the right or left until it corrects itself. ------------------------------ Date: Sun, 18 Mar 90 11:49:17 -0500 From: Jason Ari Goldstein Subject: re: viri using Hamming Excuse me for my apparent cluelessness but could someone please tell me what people mean by Hamming? From context I think I know what ever one is talking about but a quick definition (or something) would be very helpful. Thanks in advance. Later... me - ------------------------------------------------------------- "Playing the Blues isn't supposed to make you feel better, It is supposed to make everyone else feel worse." - ------------------------------------------------------------- Over, Finished, Gone, Done, Out. (Finally) ------------------------------ Date: Sun, 18 Mar 90 18:03:21 -0500 From: XEXEO%VXLAA.decnet.CERN@CERNVAX.BITNET Subject: WDEF A at CERN (Mac) Gatekeeper detected WDEF A in a diskette of that is only used in CERN Mac's. As CERN have all its microcomputers connected, and only some of them have GATEKEEPER, and there are reserches of varius organizations that go to CERN, I would like to WARN everybody. ------------------------------ Date: 19 Mar 90 00:00:00 -0500 From: "MUSTAFA T. ALGHAZAL" Subject: Stoned disinfection information (PC) To all virus experts, One of our systems here at SAKFU00 was infected by the STONED virus. I remember that I read a note about how to remove this virus from a hard disk ,but the writer was refering to some issues of COMPUTER & SECURITY which we were not able to get. If any of you knows step by step instructions to remove that virus,He (or she) will be thankfull to send it to me directly or to the list. Mustafa ALGhazal ( DEVMTG12@SAKFU00.BITNET) Academic Services Manager King Faisal Univ. Saudi Arabia ------------------------------ Date: Mon, 19 Mar 90 10:50:21 -0500 From: Arthur Gutowski Subject: Using PD CRC programs and Scanners on LANs (PC) In Virus-L, v3.i59, Jim Molini gives an alternative to having to register many copies of shareware programs for virus detection. He suggests using a PD CRC checker (eg, FILETEST by Len Levine) to monitor program changes, and use your one registered copy of a scanner/disinfector if any changes are detected. I looked at SIMTEL20, and they have FILETEST available in directory pd: under FILETEST.ARC. Also available there is FILE-CRC, another PD CRC program; there are several others around I'm sure. We (at Wayne State) have a similar problem to the one he's addressing. We are starting an IBM token-ring LAN, with Ethernet, and will be running Novell. There will be several workstations hooked up to a server. Some will be used for a special program involving teaching kids (high school age) how to use PCs and word processors, database programs, spreadsheets, etc. Development on these machines will not be an issue. However, our Engineering department also intends to use some of the workstations as well, and they may very well do a fair amount of program development. Jim, would you suggest the same approach for a network where there may be heavy programming? I'd like to see some more discussion of this topic. I've also seen mention of PCDATA, PC Magazines PD antiviral package. I don't have any experience with it - has anybody used it and can you give some evaluation of how it works? Would this be a reasonable alternative given our situation? Thanks in advance for your suggestions, /=====\ Arthur J. Gutowski : o o : Antiviral Group / Tech Support / WSU Univ. Computing Center : : 5925 Woodward; Detroit MI 48202; PH#: (313) 577-0718 : ----- : Bitnet: AGUTOWS@WAYNEST1 Internet: AGUTOWS@WAYNEST1.BITNET \=====/ Have a day. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- "Better People - Better Food - and Better Beer Why move around the world When Eden was so near" - Rush "Territories" ------------------------------ Date: Mon, 19 Mar 90 15:42:52 -0500 From: "J. Paul Holbrook" Subject: CERT ADVISORY - Internet Intruder Warning CA-90:02 CERT Advisory March 19, 1990 Internet Intruder Warning - ------------------------------------------------------------------------------- There have been a number of media reports stemming from a March 19 New York Times article entitled 'Computer System Intruder Plucks Passwords and Avoids Detection.' The article referred to a program that attempts to get into computers around the Internet. At this point, the Computer Emergency Response Team Coordination Center (CERT/CC) does not have hard evidence that there is such a program. What we have seen are several persistent attempts on systems using known security vulnerabilities. All of these vulnerabilities have been previously reported. Some national news agencies have referred to a 'virus' on the Internet; the information we have now indicates that this is NOT true. What we have seen and can confirm is an intruder making persistent attempts to get into Internet systems. It is possible that a program may be discovered. However, all the techniques used in these attempts have also been used, in the past, by intruders probing systems manually. As of the morning of March 19, we know of several systems that have been broken into and several dozen more attempts made on Thursday and Friday, March 15 and 16. Systems administrators should be aware that many systems around the Internet may have these vulnerabilities, and intruders know how to exploit them. To avoid security breaches in the future, we recommend that all system administrators check for the kinds of problems noted in this message. The rest of this advisory describes problems with system configurations that we have seen intruders using. In particular, the intruders attempted to exploit problems in Berkeley BSD derived UNIX systems and have attacked DEC VMS systems. In the advisory below, points 1 through 12 deal with Unix, points 13 and 14 deal with the VMS attacks. If you have questions about a particular problem, please get in touch with your vendor. The CERT makes copies of past advisories available via anonymous FTP (see the end of this message). Administrators may wish to review these as well. We've had reports of intruders attempting to exploit the following areas: 1) Use TFTP (Trivial File Transfer Protocol) to steal password files. To test your system for this vulnerability, connect to your system using TFTP and try 'get /etc/motd'. If you can do this, anyone else can get your password file as well. To avoid this problem, disable tftpd. In conjunction with this, encourage your users to choose passwords that are difficult to guess (e.g. words that are not contained in any dictionary of words of any language; no proper nouns, including names of "famous" real or imaginary characters; no acronyms that are common to computer professionals; no simple variations of first or last names, etc.) Furthermore, inform your users not to leave any clear text username/password information in files on any system. If an intruder can get a password file, he/she will usually take it to another machine and run password guessing programs on it. These programs involve large dictionary searches and run quickly even on slow machines. The experience of many sites is that most systems that do not put any controls on the types of passwords used probably have at least one password that can be guessed. 2) Exploit accounts without passwords or known passwords (accounts with vendor supplied default passwords are favorites). Also uses finger to get account names and then tries simple passwords. Scan your password file for extra UID 0 accounts, accounts with no password, or new entries in the password file. Always change vendor supplied default passwords when you install new system software. 3) Exploit holes in sendmail. Make sure you are running the latest sendmail from your vendor. BSD 5.61 fixes all known holes that the intruder is using. 4) Exploit bugs in old versions of FTP; exploit mis-configured anonymous FTP Make sure you are running the most recent version of FTP which is the Berkeley version 4.163 of Nov. 8 1988. Check with your vendor for information on configuration upgrades. Also check your anonymous FTP configuration. It is important to follow the instructions provided with the operating system to properly configure the files available through anonymous ftp (e.g., file permissions, ownership, group, etc.). Note especially that you should not use your system's standard password file as the password file for FTP. 5) Exploit the fingerd hole used by the Morris Internet worm. Make sure you're running a recent version of finger. Numerous Berkeley BSD derived versions of UNIX were vulnerable. Some other things to check for: 6) Check user's .rhosts files and the /etc/hosts.equiv files for systems outside your domain. Make sure all hosts in these files are authorized and that the files are not world-writable. 7) Examine all the files that are run by cron and at. We've seen intruders leave back doors in files run from cron or submitted to at. These techniques can let the intruder back on the system even after you've kicked him/her off. Also, verify that all files/programs referenced (directly or indirectly) by the cron and at jobs, and the job files themselves, are not world-writable. 8) If your machine supports uucp, check the L.cmds file to see if they've added extra commands and that it is owned by root (not by uucp!) and world-readable. Also, the L.sys file should not be world-readable or world-writable. 9) Examine the /usr/lib/aliases (mail alias) file for unauthorized entries. Some alias files include an alias named 'uudecode'; if this alias exists on your system, and you are not explicitly using it, then it should be removed. 10) Look for hidden files (files that start with a period and are normally not shown by ls) with odd names and/or setuid capabilities, as these can be used to "hide" information or privileged (setuid root) programs, including /bin/sh. Names such as '.. ' (dot dot space space), '...', and .xx have been used, as have ordinary looking names such as '.mail'. Places to look include especially /tmp, /usr/tmp, and hidden directories (frequently within users' home directories). 11) Check the integrity of critical system programs such as su, login, and telnet. Use a known, good copy of the program, such as the original distribution media and compare it with the program you are running. 12) Older versions of systems often have security vulnerabilities that are well known to intruders. One of the best defenses against problems is to upgrade to the latest version of your vendor's system. VMS SYSTEM ATTACKS: 13) The intruder exploits system default passwords that have not been changed since installation. Make sure to change all default passwords when the software is installed. The intruder also guesses simple user passwords. See point 1 above for suggestions on choosing good passwords. 14) If the intruder gets into a system, often the programs loginout.exe and show.exe are modified. Check these programs against the files found in your distribution media. If you believe that your system has been compromised, contact CERT via telephone or email. J. Paul Holbrook Computer Emergency Response Team (CERT) Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Internet: cert@cert.sei.cmu.edu Telephone: 412-268-7090 24-hour hotline: CERT personnel answer 7:30a.m.-6:00p.m. EST, on call for emergencies other hours. Past advisories and other information are available for anonymous ftp from cert.sei.cmu.edu (128.237.253.5). ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253