VIRUS-L Digest Thursday, 5 Sep 1991 Volume 4 : Issue 156 Today's Topics: Infections: PC vs MAC Flash EPROM BIOS (PC) Virus Simulators Vshield not loading into high memory? (PC) Re: Norton Anti Virus (PC) McAfee question (PC) F-PROT 2.00 and MIRROR conflict (PC) Scan80 doesn't find all it could or should. (PC) scan (PC) Disassembler Info Hard Disk Locking (PC) Re: Virus Simulator available (PC) Update to Product Test -- IBM Anti-Virus Product (2.1.2) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Wed, 04 Sep 91 12:48:42 -0400 >From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: Infections: PC vs MAC In the population that I follow the PCs outnumber the MACs by about 10-1 yet the incidence of reported infections seems about equal (in both cases this refers to viruses detected by anti-viral software that has not infected the target machine). To base any opinion on the different number of viruses on the two platforms (successful viruses are something else) is flawed because it is much easier to write a PC virus than a MAC, all of the tools necessary come with a PC and are explained. On the other hand, the internals of a MAC take some digging and are not nearly as well documented. Next, while in the PC world, programs written in 1981 are still executable on any manufacturer's 486 Tower running DOS 5.0, on the Apple side in the same time span we have the Apple III, Lisa, MAC 128. Consider that the BRAIN (still infecting a significant number of PCs) was written in 1986 and then name the 1986 Apple software packages that will still run without modification under system 7. Finally, while the $1000 PC has been around for a while, until the MAC "classic" came out, low priced MACs were not plentiful, nor was there the incredible diversity of programs available. Therefore, IMHO, the reasons for the "low" number of MAC viruses stem from differences in design philosophy that are not necessarily strengths. Personally, I do not care for GUIs but recognize the attractiveness to those who do not really want to know or care exactly what is happening. However, often I work on Unix-based systems such as an Apollo or Sun workstation (also primarilly Motorola 680x0 based but moving toward RISCs), and my question is: "How does Apple make it run so slow ?". Warmly, Padgett ------------------------------ Date: Wed, 04 Sep 91 11:15:18 -0600 >From: kev@inel.gov (Kevin Hemsley) Subject: Flash EPROM BIOS (PC) I received a catalog in the mail today from a popular mail order vendor. As I was browsing the pages dream shopping for components to build the ultimate home system, my eyes caught the following text: "The `Ugly Duckling' 486/33E includes another new technological advance - flash EPROM BIOS. The EISA flash EPROM is electrically reprogrammable ROM which allows for in-circuit reprogramming. With this new technology the end-user can upgrade the system board BIOS without disassembling the system, simply by using a floppy disk." This subject was discussed a few months ago. I just wonder who will make it to the BIOS first, the good guys or the bad guys? P.S. I didn't receive much response from a recent posting on LANs and viruses. I'm curious to know if there is a lack of interest in the subject, or a lack of experience. - ------------------------------------------------------------------------------- Kevin Hemsley | Information & Technical Security | If you think that you have someone Idaho National Engineering Laboratory | eating out of your hand, it's a (208) 526-9322 | good idea to count your fingers! kev@inel.gov | - ------------------------------------------------------------------------------- ------------------------------ Date: 04 Sep 91 10:52:25 -0400 >From: barnold@watson.ibm.com Subject: Virus Simulators Fred Waller writes: > It is of great interest. It demonstrates to prospective users how easy > it is to produce false alarms using virus scanners and how deeply > unspecific and unreliable string scanning is as a general method for > detecting viruses. In fact, I'm surprised that a program similar to > Rosenthal's Virus Simulator has not emerged before. I rarely see complaints that virus scanning is a non-specific approach. Seriously, the reason that vendors use identification strings is that it is *easy*; id (or search) strings are easy to extract, easy to transmit and share, it's easy to write efficient scanners for search strings, etc. Search strings also happen to be compact (at least relative to the size of most of the viruses that they detect). Precise identification doesn't require much more space per virus, but it does require a complete analysis of each virus to be reliable. The virus needs to be mapped, the constant extents in the virus need to be determined, a degarbler functionally identical to the virus degarbler may need to be written, etc. I can speak to the IBM VIRSCAN; the detection goals are (a) minimizing the number of false positives, (b) maximizing the probability that a variant of a known virus will be detected, and (c) minimizing the number of false negatives, all while keeping performance reasonable. Notice that goal (a) conflicts with goals (b) and (c). Admittedly, we're trying to work wonders with short search strings, but this is at least partly a result of the necessity for the use of a compact virus description, due to the numbers of PC viruses in circulation (at least among collectors :). There's certainly room for improvement; search strings are a rather primitive identification mechanism. Note that Alan Solomon's Toolkit (which you don't mention) does do a verification for most of the viruses that it detects. I expect we'll see more scanners doing verification as the industry matures, and liability issues may force vendors to make their tools do a complete verification before disinfecting. Bill Arnold ------------------------------ Date: Wed, 04 Sep 91 15:32:00 -0400 >From: "Monty Hinten" Subject: Vshield not loading into high memory? (PC) dbarlow@na.novell.com (Doug Barlow) writes: >Has anyone tried to load vshield (version 3.9B80) into high memory? >I've tried MS-DOS 5.0 and Dr. DOS 5.0 and 6.0 BETA and nothing seems >to work. MS-DOS doesn't load it at all and DR. DOS just loads it into >conventional memory. According to the LOADHI utility from QEMM386 V5.13, my copy of VSHIELD V80 has a run-time size of 500k when memory checking is enabled, and a run-time size of 111k with the /NOMEM switch. The resident size on my machine (NCR PC386sx, 5.3MB RAM, DOS 5.0) is 34720. The run-time size is the minimum amount of contiguous high memory required to load the program high. In other words, while you may have a "high" region that has 35k, if you don't have the required room for the initial program load, you won't be able to load it high. I don't know about anyone else, but I certainly don't have 100k of free high memory by the time AUTOEXEC is processed. Further, I run VSHIELD with the /M and /CHKHI switches, to see if any nasties have loaded, so the loadhigh option is not available. As a side note, I have successfully loaded F-DRIVER from F-PROT, as well as VWATCH and VSAFE from CPAV, into high memory. Hope this helps. ========================================================================== Monty Hinten VOICE: (617)565-3634 Information Security Officer BITNET: RHZ@NCCIBM1 US EPA, Region I, Boston ========================================================================== ------------------------------ Date: Wed, 04 Sep 91 15:59:55 -0500 >From: sara@nstar.rn.com (Sara Gordon) Subject: Re: Norton Anti Virus (PC) I have a question (probably asked earlier but I was not here). Is NAV known for finding AIDS virus in error? I recall seeing this - -somewhere- but cannot find reference. This information would help me restore peace of mind (or utter terror) to the mind of a local sysop. Thanks for any info. - -- Sara Gordon Northern Star 8 line BBS 219-289-0287/317-251-7391 internet: sara@nstar.rn.com uucp: ..!uunet!nstar.rn.com!sara -= newsfeeds available, contact robert@towers.rn.com =- ------------------------------ Date: Wed, 04 Sep 91 21:32:29 +0000 >From: laughner@odin.cc.nd.edu (Tom Laughner) Subject: McAfee question (PC) We are currently evaluating the McAfee anti-virus program. Specifically, I know that the Norton TSR will detect infected files as they are being copied. Is there any way to get the McAfee TSR to do this? I've been testing with ver. 8.0 and had used VSHIELD and VSHIELD1. Anyone done side-by-side testing of both Norton and McAfee? What are your impressions? Tom Laughner Consultant/Analyst ------------------------------ Date: Wed, 04 Sep 91 16:11:49 +0000 >From: Fridrik Skulason Subject: F-PROT 2.00 and MIRROR conflict (PC) Several people have informed me of a conflict between VIRSTOP.EXE (a part of version 2) and MIRROR from Central Point Software. This will be corrected in version 2.01, but until then don't load both programs at the same time. - -frisk ------------------------------ Date: 05 Sep 91 11:52:02 +1000 >From: Mark Cramer Subject: Scan80 doesn't find all it could or should. (PC) A few notes on Scan v80. - ------------------------ We had someone come in the other day with a disk infected with the Keypress virus, the infected files had been renamed to .BAD. So I renamed them to .COM and scanned them, no virus. When we checked they were .EXE files, so we renamed them and guess what, scan found the keypress virus. Would someone like to pass this on to Mc.Afee before this technique for hiding virii (viruses, whatever the convention is) by renaming files gets used, if it hasn't been already. COM files will still run when renamed as .EXE and vice versa. The infection recurred on the hard drive and was eventually tracked down to one of XtGold 2's overlay files. Scan apparently doesn't scan these files correctly. The file was XTG_EDIT.XTG. +--------------------------------------+------------------------------+ | Mark G. P. Cramer. | Sig!, /\_|\ | | Operations Manager, CBE Section | Sig a sog!, / QUT>\ | | Queensland University of Technology. | Sig it loud!, ( __ | | | Australia. | Sig it strog! -- \/ | | Ph. 07 8642073. Fax 07 8641525. | Karen Carpenter v | | M.Cramer@qut.edu.au | with a cold! | +--------------------------------------+------------------------------+ ------------------------------ Date: Thu, 05 Sep 91 11:52:00 +1000 >From: ZDCBCRAMER@qut.edu.au Subject: scan (PC) A few notes on the Scan v80. - ---------------------------- We had someone come in the other day with a disk infected with the Keypress virus, the infected files had been renamed to .BAD. So I renamed them to .COM and scanned them, no virus. When we checked they were .EXE files, so we renamed them and guess what, scan found the keypress virus. Would someone like to pass this on to Mc.Afee before this technique for hiding virii (viruses, whatever the convention is) by renaming files gets used, if it hasn't been already. COM files will still run when renamed as .EXE and vice versa. The infection recurred on the hard drive and was eventually tracked down to one of XtGold 2's overlay files. Scan apparently doesn't scan these files correctly. The file was XTG_EDIT.XTG. +--------------------------------------+------------------------------+ | Mark G. P. Cramer. | Sig!, /\_|\ | | Operations Manager, CBE Section | Sig a sog!, / QUT>\ | | Queensland University of Technology. | Sig it loud!, ( __ | | | Australia. | Sig it strog! -- \/ | | Ph. 07 8642073. Fax 07 8641525. | Karen Carpenter v | | M.Cramer@qut.edu.au | with a cold! | +--------------------------------------+------------------------------+ ------------------------------ Date: Wed, 04 Sep 91 22:47:00 -0400 >From: John Mildner Subject: Disassembler Info We also use use Sorcer to supplement the DOS Debugger. ******************************************************************* John Mildner (COML) (202) 282-0738 (STU-III), (DSN) 292-0738 naval computer incident response team (NAVCIRT) Naval Electronic Systems Security Engineering Center 3801 Nebraska Ave. NW, Washington DC 20393-5270 ******************************************************************* ------------------------------ Date: Wed, 04 Sep 91 22:49:00 -0400 >From: John Mildner Subject: Hard Disk Locking (PC) This is NOT a commercial solicitation. But, after noting the recent exchanges on preventing unintentional writes to PC hard disks I thought it appropriate to share some of our efforts in this area. Many Navy users need to process sensitive data but don't want it ending up on their system's hard disk where it would be accessable to unauthorized parties. For this reason we developed the Write Protect Switch System (WPSS) for our installed base of 85,000+ PC's using ST506 compatible disk drives. (As a side benefit it also limits the spread of viruses). The WPSS contains a PC board, external five position switch, associated cables, and PROM software. WPSS protects two floppy and two hard drives by interupting the "write gate". The PROM software traps attempted writes to protected disks and flags the BIOS/DOS error routines. The PROM also contains security officer configuarable routines which can lock-out floppy boots, write protect specified files, log users, and audit their activity. Twenty-five systems are in test and production is scheduled to begin in December. US Government agencies interested in WPSS are encouraged to contact us for further information. ******************************************************************* John Mildner (COML) (202) 282-0738 (STU-III), (DSN) 292-0738 naval computer incident response team (NAVCIRT) Naval Electronic Systems Security Engineering Center 3801 Nebraska Ave. NW, Washington DC 20393-5270 ******************************************************************* ------------------------------ Date: 05 Sep 91 08:18:51 +0000 >From: frisk@rhi.hi.is (Fridrik Skulason) Subject: Re: Virus Simulator available (PC) Eric_Florack.Wbst311@xerox.com writes: >Since most anti-viral programs use the same search strings, Nonsense - "most" anti-viral products don't use the same strings. There are several products which only rely on published search strings, but they are not very secure - virus writers have access to the same search patterns and they often modify their viruses so they will not be detected by those patterns. >it's reasonable to >assume that if it can't find the simulation, an anti-viral product using >these published strings won't find the real thing, either, Yes, if it indeed uses the patterns included in the virus simulator - but how can you know if it does ? You cannot - which is another reason why the "virus simulator" is an useless program. >Ah, so now we come to the heart of the matter: You, apparently, are a proponant >of using /NON/-published strings to scan against. Yes, I am - and that is no secret. I also maintain that it is advisable to use a couple of scanners, which use different set of patterns (or a single scanner using two different sets), as it increases the chances of detecting real-world viruses. Frankly, however I don't care if my scanner detects the "simulated" viruses - but I find it extremely annoying when the author of the program claims it should. - -frisk ------------------------------ Date: Tue, 03 Sep 91 10:49:23 -0600 >From: Chris McDonald ASQNC-TWS-R-SO Subject: Update to Product Test -- IBM Anti-Virus Product (2.1.2) ******************************************************************************* PT-34 April 1991 Revised September 1991 ******************************************************************************* 1. Product Description: The IBM Anti-Virus Product is a program to detect computer viruses in the PC-DOS (MS-DOS) and OS/2 environments. This test report addresses version 2.1.2. 2. Product Acquisition: The program is available from the IBM Corporation through a variety of means. The licensing cost of the program is $35.00. IBM retains title to the scanning program but licenses its use in the United States and Puerto Rico. Updates cost $10.00. 3. Product Tester: Chris Mc Donald, Computer Systems Analyst, Information Systems Command, White Sands Missile Range, NM 88002-5506, DSN: 258-4176, DDN: cmcdonal@wsmr-emh03.army.mil or cmcdonald@wsmr-simtel20.army.mil. [Ed. The complete text of this product test is available for anonymous FTP on cert.sei.cmu.edu in pub/virus-l/docs/reviews under the filename of mcdonald.ibm.antivirus] ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 156] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253