VIRUS-L Digest Tuesday, 8 Oct 1991 Volume 4 : Issue 185 Today's Topics: Morris worms through courts RE: DEC PathWorks and Virus propagation (PC) Re: Novell Virus? (No, screen blanker) (PC) Stoned on preformatted Verbatim Disks? (PC) Re: new programs by Padgett; report (PC) HW not a virus solution Hardware protections (PC) Checking for virus at boot Help urgently needed for stoned virus (PC) "Terminal Compromise" Inter.Pact Press (615)883-6741 Hardware Re: NOVELL virus? dir2clr, virx1.8 available on urvax.urich.edu (PC) New file on risc (PC) VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: 07 Oct 91 13:23:00 -0400 >From: "zmudzinski, thomas" Subject: Morris worms through courts Copied from COMMUNICATIONS WEEK, September 23, 1991: "Morris Worms Through Courts There's a chance that the U.S. Supreme Court could hear the renowned Internet network "worm" case during its ses- sion that begins next month. An attorney for Robert T. Morris, the former graduate student convicted of unleash- ing on the Internet a rogue computer program called a worm, in June asked the Supreme Court to review a U.S. Appeals Court decision upholding charges that Morris broke a federal computer security law when he sent out his worm program. Morris maintains that he didn't mean to cause harm with his program--only to show the security holes in the Unix operating system." Tom Zmudzinski ZmudzinskiT @ IMO-UVAX.DCA.MIL Defense Information Systems Agency (703) 285-5459 From Zmudzinski's DevilNet };{> Dictionary: "ABUSER FRIENDLY (stu'pid) adj. [Masochistic] The common state of security on most computers and networks at any time." ------------------------------ Date: Mon, 07 Oct 91 11:40:20 -0600 >From: kev@inel.gov (Kevin Hemsley) Subject: RE: DEC PathWorks and Virus propagation (PC) PJM@ibma.nerc-wallingford.ac.uk (Pete Lucas) writes: > In particular, my interest is in whether a virus such as 1701 or 1704 > can 'take up residence' on a virtual-disk on the VAX/VMS system. If it > does take up residence, how would i go about removing it? One of the > networked PCs has been caught with 1701 and i need to know if the rest > of the PCs are going to get it too. Somehow, i suspect that the > subtle differences in filestore structure between DOS and VMS will > prevent such a problem; can someone confirm or deny my assumption? I have not had direct experience with PathWorks, but I can offer this opinion. The 1701, 1704 (Cascade) virus and related variants are resident file infecting viruses. Because systems like PathWorks emulate a DOS environment, the actual format of a disk is invisible to applications and viruses. (atleast for the most part) Therefore, file infecting viruses, such as Cascade, can infect files stored on your DOS partition. If you can access this partition like you would any other physical or logical drive, it is possible that this and other viruses can infect files stored on a virtual disk. Even if a virus is unable to propagate across your network, you can still store an infected file on a virtual disk. Therefore, it is my opinion that your virtual disk (or rather files stored on that disk) is not immune to virus attack, either directly or indirectly. The clean-up and protection of this type of networked environment requires a slightly different approach than standalone computers. Padgett Peterson has made a few brief postings on what is required for such an effort. I have been working on a system that I call a network virus monitor which uses concepts similar to Padget's. I hate to think about cleaning up a large, widely-infected network. It is for this reason that I am placing a high priority on network protection. - ------------------------------------------------------------------------------- Kevin Hemsley | Information & Technical Security | If you think that you have someone Idaho National Engineering Laboratory | eating out of your hand, it's a (208) 526-9322 | good idea to count your fingers! kev@inel.gov | - ------------------------------------------------------------------------------- ------------------------------ Date: 07 Oct 91 14:24:58 -0500 >From: "James H. Ford III" Subject: Re: Novell Virus? (No, screen blanker) (PC) When you load MONITOR (in Novell 386 v3.xx, not Novell 286 v2.1x), you get the monitor screen with several options. However, after 5 minutes or so, MONITOR will place the "worm" on the screen as a screen-blanking device. On a monochrome monitor, different worm segments will appear as different shades of gray. On a color screen, you will see different worm segments as different colors. As soon as you hit a key (ESC or anything else), the blanking stops and you return to the MONITOR screen. (FYI, the SMTP program Charon uses the same screen blanking "worm" figure). One interesting note: The length and speed of the "screen worm" is based on the server utilization. The higher the server utilization, the faster and longer the worm gets. Not a trojan, not a virus, just a screen blanker. Nothing to worry about. James Ford - Consultant II, Seebeck Computer Center jford@ua1vm.ua.edu, jford@risc.ua.edu The University of Alabama (in Tuscaloosa, Alabama) ------------------------------ Date: Mon, 07 Oct 91 19:55:00 +0000 >From: ac717@cleveland.Freenet.Edu (Jeffry L. Johnson) Subject: Stoned on preformatted Verbatim Disks? (PC) This is at least thirdhand information, but I am curious whether anyone else has heard this rumor: Some preformatted Verbatim floppy disks are infected with the STONED virus. I do not know what density or size of disk. - -- Jeffry L. Johnson CWRU Film Society Alumnus Tech, HLA Lab, Institute of Pathology, CWRU/UH Freenet ID: ac717 (Internet ID: ac717@cleveland.freenet.edu) CompuServe: 71117,527 ------------------------------ Date: 07 Oct 91 18:35:41 +0000 >From: jesse@gumby.Altos.COM (Jesse Chisholm AAC-RjesseD) Subject: Re: new programs by Padgett; report (PC) HAYES@urvax.urich.edu writes: : Hi. : Now available: : NOFBOOT.ZIP : SAFEMBR.ZIP : : the new programs created by A. Padgett Paterson (and sent directly by him). : Both programs are "freeware". : [ description deleted ] : : Bug report: the program included XXencoded in virus-l 4.180 arrived : garbled; I was unable to decode it (got an "illegal character in line 3" : error message). : Any luck anyone? : : Regards, Claude I got my copy of NOFBOOT and SAFEMBR direct from Padgett Paterson. They came across with no problems. I have begun testing them and so far I like them. The only problem I have seen so far is that it is not a good idea to run SAFEMBR twice on the same system. It does not check to see if it is already installed. I am sending Padgett a full report soon. Jesse Chisholm | Disclaimer: My opinions are rarely understood, let jesse@altos86.altos.com | tel: 1-408-432-6200 | alone held, by this company. jesse@gumby.altos.com | fax: 1-408-435-8517 |----------------------------- ======== This company has officially disavowed all knowledge of my opinions. - -- ============== For a good prime, call 214-748-3647 =============== ------------------------------ Date: Mon, 07 Oct 91 14:54:27 -0700 >From: Jay Skeer Subject: HW not a virus solution >From: turtle@darkside.com (Fred Waller) > Only hardware/firmware defenses can definitively stop such software > attacks. Hardware defenses can be much *less expensive* in the long > run, and even in the short run, do not encourage the production of > ever-improved viruses and do not need to be frequently upgraded. > > Hardware defenses stop viruses. Software defenses do not. This is an appealing position, but as I pointed out to Fred (Cohen) and Len (Adelman) in class some years ago, it is not workable, or even useful. Since Fred (Waller) gives no details about the proposed hardware, I will propose my own hardware virus solution, and demonstrate its problems. If this is not what was discussed, if I somehow missed the proposal, please forgive me, and point out how your proposals avoid my criticisms. Be sure to read all the way to the end, and be sure you understand my criticisms though. Jay's Virus Proof Machine Jay's Virus Proof Machine has two disk drives a "program" disk and a "data" disk. It also had a big red switch labeled "install/run". When the switch is in the "run" mode, the computer behaves normally, with two exceptions, the "program" diskdrive is not writable, and programs can only be run from the "program" disk. Since the switch directly switches the write current wire of the "program" disk, no software is able to circumvent it and write to the "program" disk. That programs can only be run from the "program" disk is again incontravertable hardware fact (think about a "harvard" architecture machine). So, in "run" we seem to be safe from viruses -- no running program can infect any other runable program. When the switch is turned to the "install" position, the computer reboots and runs a very tiny (< 5k), very dumb program called Installation Software (IS). The IS is only capable of moving files from the "data" disk to the "program" disk, of renaming files on the "program" disk and of deleting them. It can not run any programs. Of course, the IS is stored on the "program" disk, or better yet in ROM. So it seems that in "install" mode we are also safe from viruses. (Since I am dreaming I will add that the tiny IS has been mathematically proven correct by ten different University and Commercial groups, and has been available for ten years for crackers to crunch on with an offer of $1000000 to anyone to defeat it. No one has yet.) In summary, only in "run" mode can programs (other than the dumb IS) be run, they must all come from the "program" disk, and in "run" mode the "program" disk cannot be written to. And in "install" mode only one program, proven very safe, can be run. Great! No virus is possible! Jay Wakes Up Sounds good huh? It wont work. It WILL make the life of computer users miserable, but it WONT prevent the spread of viruses. This scheme fails because it does not take into account the observation (invention?) that some bright guy (Von Neuman?) made in the 50's -- You can't tell program from data. You just can't. Where should I store my spread sheets? Either they are on the "data" disk (and thus ripe for (with?) viruses) or they are on the "program" disk. If they are on the "program" disk then they are hard to modify, and what use is a spread sheet if you can't modify it? This scheme will only stop viruses if users are willing to live without interpreters. How many interpreters do you use in a day? Command interpreters, spread sheets, text editors, and even terminal emulators all very often have (or are) interpreters. Are you ready to give up the ability to easly develop programs for those interpreters? I am not. (You might think that people would not write viruses for those weak interpreters. But you'd be wrong. I've heard of viruses infecting hypercard stacks, spread sheets, and even command interpreter scripts (In fact Fred Cohen wrote a few himself!).) Sadly, the proposed scheme doesn't even prevent viruses from spreading. Take me as an example, I work on a very advanced CASE tool which my company sells. Suppose we became infected with some very tricky virus. Our "safe" programs could be sent out, and our infection could spread to other developers and users. After all, at some point our program must exist on some "data" disk, and at that point the virus could infect the "data" before it is moved to a "program" disk. In fact, that is how we were infected, yeah thats it, its all PicoSoft's fault! Their compiler has bugs AND viruses! (You should be sure to ignore their claim that it was a previous version of our CASE tool which infected them. :->) Fred (Cohen) proved it very well, go read his thesis. The cost of eliminating viruses is very high, I doubt anyone will want to pay it. You are simply required to stop using stored program computers, or to stop bringing any (possibly infected) stored programs to your system. If you wish to use stored program computers (I do) you will have to accept the truth that ... there is no unstopable virus, and no virus proof shield. j' P.S. After an especially paranoid Philip K. Dick book, I dreamt of a CPU infected with a virus designed into it by the CAD software running on another infected CPU. The chip virus insures that a engines made to run in a certain brand of car, after a few tens of thousands of miles, stop working. But I woke up... didn't I? P.P.S. I got the idea of a computer virus from an old S.F. book. In the book they actually describe a worm (and called it that) in the phone system, but it was easy to see from the description how to write a virus, and why you might want to. I discused the idea with a friend. He and I became very excited, and went to our bosses and described it, as well as our intention to write one. Our bosses said that if we wrote one, we would be fired. Later we mentioned the idea to Fred and Len in class, and it took off. This was in 1983 or 4. Does any one know the name of that book, or of an earlyer reference to computer viruses? ------------------------------ Date: Tue, 08 Oct 91 00:06:48 +0000 >From: d89-zke@nada.kth.se (Zoltan Kelemen) Subject: Hardware protections (PC) Many PCs already have enough hardware to allow construction of a perfect protection against viruses. The only thing needed is a processor with memory protection. Unfortunately, the popular operating systems do not support memory protection. Maybe things will change if OS/2 becomes popular. Zoltan ------------------------------ Date: Tue, 08 Oct 91 01:22:16 +0000 >From: colinm@victor02.carleton.ca (Colin McFadyen) Subject: Checking for virus at boot Hi all. I apologise if this is a FAQ but I am not a regular reader of this group. Can someone recommend a virus checker to be run at boot time and let me know where to find it on the net. Many thanks, Colin McFadyen. ------------------------------ Date: Mon, 07 Oct 91 22:44:26 -0400 >From: Subject: Help urgently needed for stoned virus (PC) MY PC was stoned yesterday. After I run some game program from my friend my pc can not be booted from drive C which has DOS 5.0. It just stay on drive A with light on and go no further. If I put a disk which has a DOS system file on it in the drive A, it still doesn't work but will show a message " your PC is now stoned". But if I use DOS 4.0 to boot the PC on drive A, it works ,from there I can get into C drive. Then I run Anti-virus program, but it didn't show any virus information. What I should do ? please help. Thank you very much. ------------------------------ Date: Thu, 03 Oct 91 08:12:44 -0400 >From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) Subject: "Terminal Compromise" Inter.Pact Press (615)883-6741 Have just finished the novel by Winn Schwartau and it is amazing how many influential people I am hearing echo its concepts. This is an important book for the computer security industry and puts into both readable English and perspective many of the concerns that exist. This is the "Cuckoo's Egg" of 1991 without the recipe for chocolate chip cookies. The scary part is that I have seen many of the penetration techniques used. Each is very real and very possible. However, when reading the book, it must be remembered that this is a "worst case" scenario and rests on the popular premise that "Viruses are just programs, computers executed programs, therefore computers cannot differentiate between viruses and legitimate programs". While it sounds good, like the Lorenz- Fitzgerald equation often used to "prove" that you cannot exceed the speed of light, it breaks down upon examination (e.g. you only achieve the effect of infinite mass if exactly lightspeed is maintained for an infinite time - an integral taken to the limit). As a matter of fact, some interesting energy relationships derive if an object is held at lightspeed for a finite time. Meanwhile, back at the ranch: while it is true that viruses are only collections of instructions, they are instructions that do things that normally should not be done and * this * is * detectable *. As an extreme case, the DATACRIME (actually a very poor virus but mentioned several times in the book) when triggered attempts to format the disk using a special function of Interrupt 13. Since this function is ONLY used for this purpose, turning is off/flagging attempts is simple with software (DiskSecure does this at the BIOS level). Of course, the point could be made that other software can defeat software. This is true, but it is difficult for software to defeat software unless it knows exactly what and where it is. Since I have other programs that just periodically validates DiskSecure, a virus would have to target these as well and there are several variants (see my discussion of simple but multiple encryption techniques in last Spring's V-L). Now if everyone used DiskSecure, virus writers could just target it, however if MicroSoft, Norton, Mace, Central Point, Digital Research, and all the others came out with similar but different software, and AMI, Phoenix, Award, and Tandon each had a different BIOS implementation a generic virus becomes so difficult to write and would have to be so big to handle all of the cases the it would become uneconomical: this is the reason I give the concepts away. Thus while "Terminal Compromise" is an important book and should be widely read, it is equally important to remember that * there * are * practical * solutions *, we just have not been willing to demand them. For example, much is made of reading CRT display emissions from a distance. If you are truely concerned, there is a simple answer: LCD displays. In addition, I have seen TEMPEST CRT filters advertised as well. Everyone has one, Right ? The basic premise is true though: much of the nation's (and the world's) information processing capability is a risk, not because it cannot be protected, but because we have not bothered to do so. The important thing is that we do not need the NSA to help/approve, it is just a matter of doing. Padgett ------------------------------ Date: Mon, 07 Oct 91 22:54:10 -0700 >From: turtle@darkside.com (Fred Waller) Subject: Hardware Jay Skeer writes about my comments on hardware protection: > This is an appealing position, but as I pointed out to Fred > (Cohen) and Len (Adelman) in class some years ago, it is not > workable, or even useful. Since Fred (Waller) gives no details > about the proposed hardware, I will propose my own hardware > virus solution, and demonstrate its problems. -- [NOTE: Fred (Waller)'s articles did not "give details about the proposed hardware" because there was no specific hardware being proposed. The statements were general, not specific. We'll get a little more specific this time]. Jay Skeer continues: > Jay's Virus Proof Machine > ------------------------- > Jay's Virus Proof Machine has two disk drives a "program" disk and > a "data" disk. It also had a big red switch labeled "install/run". > Jay Skeer's message brought to mind a rather similar machine that Fred (Waller) once devised: Fred's Virus-Resistant Machine ------------------------------ Fred's Virus-Resistant Machine also had two disk drives, a "program" disk and a "data" disk. It, too, had a _small_ switch (not red), labeled: "Install/Run". (Notice that unlike Jay's Machine, Fred's machine was not Virus- Proof but only Virus-Resistant. Is Fred more modest in his goals than Jay...? He also added some few extra touches that Jay didn't think of, and his switch was rather smallish, and not red). --- The rest of Jay's description approaches Fred's own design fairly. In fact, the similarity is so close that Fred thinks that Jay managed to slip into a time warp and snatch Fred's ideas before they had even been conceived! (Snatching ideas before they are even conceived is a disconcerting habit which should be discouraged). There was, however, a very important difference between Jay's Virus- Proof Machine and Fred's Virus-Resistant one. This difference was that while Jay simply *imagined* such a design, and then went about demolishing his own idea (in theory), Fred went and actually *built* a machine, and didn't demolish it (even in practice). Then, while Jay was lucubrating on Fred (Cohen)'s theory, Fred (Waller) got hold of his pet viruses and tried to infect his virus-resistant machine. Quoting Jay Skeer further: > Jay Wakes Up > ------------ > Sounds good huh? It wont work. It WILL make the life of > computer users miserable, but it WONT prevent the spread of > viruses. > > This scheme fails because it does not take into account the > observation (invention?) that some bright guy (Von Neuman?) > made in the 50's -- You can't tell program from data. You > just can't. > Well, I don't know about Jay Skeer, but Fred (Waller), not being a a bright Hungarian like v.Neumann., didn't know that. He only knew that v.Neumann had proposed to store instructions and data together, intermixed in the storage medium, and that this created an ambiguity of interpretation, and allowed instructions to be self-modifying, (the so-called "bad programming" of some), and that the ambiguity could be resolved (though temporarily) when the stored element was fetched from storage and either executed or operated on. Unlike Jay, Fred (Waller) also had this silly idea that it isn't necessary to make viruses impossible in order to provide adequate defenses against them. He didn't care if they existed, as long as it was somewhere else. But, regardless of abstruse theory, Fred (W) read in his MS DOS manual that program files went under DOS extensions like .COM, .EXE, .OVR... Knowing this, he had no trouble telling them apart from .TXT, .DAT, .DOC and .WK1 files. So, unaware that his machine couldn't work, he went ahead and started testing it. (He did, however, believe that the design details of hardware protection couldn't be derived from solely symbolic considerations). As Jay Wakes Up, Fred (W) Continues Sleeping -------------------------------------------- While sleeping thus, he tried Boot infectors and he tried executable infectors. He tried stealth viruses and candid ones, viruses that self-encrypt and mutate and he tried others that do none of those things. He even intentionally allowed viruses on the `program' disk, but kept the little switch in its safe position. He had TSR viruses, and transient viruses, big ones, little ones, American, Israeli and Bulgarian, "wild" and "research" viruses, smart and dumb ones... he tried them all. In this way, while Jay decided that his machine couldn't possibly work, Fred discovered that his machine (which wasn't virus-proof, but only virus-resistant) *did* work, and extremely well. None of his favorite viruses (hundreds of them, my goodness!) succeeded in infecting it. Since he always booted from a clean disk (the safe "program" disk or a trusted diskette), he had no Boot infectors in RAM. Some of his viruses did freeze the machine but he was able to reboot without infection and kept smiling. Fred (Waller) used his word processor, and an electronic spreadsheet, which he stole from his wife. He installed a DOS shell and used a database manager. He tried his telecomm program, which has terminal- emulation facilities, and he emulated terminals. Fred created spreadsheets, letters to his friends (and to one enemy), and developed a database to organize some long-forgotten and mysterious writings of his. All this time, his test viruses were furiously banging their symbolic little heads and pushing their symbolic little bodies against the invincible hardware of his little (not red) write- protect switch. Fred compressed files and used TSRs and run DOS 5.0 and used spelling checkers; he copied data files and he erased them. In short, Fred (Waller) did all those "interpreter" things that Jay wrote about, and they had no problem interpreting whatever it is they needed to interpret. The viruses, however, seemed to have all kinds of problems getting "interpreted"... :-) Also, DOS 5.0's SETVER command was, ahh... confused at times . A minor price to pay for all the protection. So Fred decided to call SETVER a `bad program' and let Frisk's heuristic analyzer bury it. Thus, while Jay's Virus-proof Machine appeared to him not to be very virus-resistant, Fred's Virus-resistant Machine turned out to be rather virus-proof! Fred (Waller) attributes this amazing effect to a little-known characteristic of time warps, called the Retro-revengful anti-theoretical somersault. Now, Fred (Waller) is searching Fred (Cohen)'s thesis, von Neumann's works and and other writings trying to discover what he did wrong. Obviously, his machine should have failed... but didn't. Fred (Waller) is very ashamed of this. He'll try to rectify this unseemly situation, and will try to come up with a theoretically- correct, totally ineffective machine just as soon as he can. Oh, Fred (W) would be very interested in seeing a sample of any virus that could infect his machine. Perhaps Jay Skeer could provide him one? A high-voltage virus, maybe? :-) Fred (W.) turtle@darkside.com ------------------------------------------------------------------ Now, a *hardware virus*, that would be a little more difficult... ------------------------------------------------------------------ ------------------------------ Date: Tue, 08 Oct 91 08:48:34 +0700 >From: James Nash Subject: Re: NOVELL virus? This worm in MONITOR is a screen saver and not to be worried about! BTW, I've heard a few reports of MONITOR crashing a server when it's left loaded on a for a number of hours. Best to unload it each time you've finished at the console - -- James Nash, Computing Services, Coventry Polytechnic, England ccx020@uk.ac.cov.cch ------------------------------ Date: Mon, 07 Oct 91 11:07:00 -0400 >From: HAYES@urvax.urich.edu Subject: dir2clr, virx1.8 available on urvax.urich.edu (PC) 1) DIR2CLR: the file xxdecoded fine, now in [.msdos.antivirus] 2) VIRX 1.8: I fetched the file yesterday from SIMTEL20, and have it now available form the same directory. Please note that when you do a FTP from our site you'll be in the [anonymous] directory, and will have to change to [msdos.antivirus]. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET) University of Richmond hayes@urvax.urich.edu (Bitnet or Internet) Richmond, VA 23173 ------------------------------ Date: Mon, 07 Oct 91 09:33:58 -0500 >From: James Ford Subject: New file on risc (PC) The file "dir2clr.zip" has been placed on risc.ua.edu (130.160.4.7) for anonymous FTP in the directory pub/ibm-antivirus. The zip file consists of 2 files: DIR2CLR.COM and DIR2CLR.C - ---------- No executive ever devotes any effort to proving himself wrong. - ---------- James Ford - Consultant II, Seebeck Computer Center The University of Alabama (in Tuscaloosa, Alabama) jford@ua1vm.ua.edu, jford@risc.ua.edu ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 185] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253