VIRUS-L Digest   Friday,  8 Nov 1991    Volume 4 : Issue 214

Today's Topics:

Virus Experts
Hardware? How about software...?
Furtivity
Real User
Viruses and "viruses"
F-Prot 2.01 (PC)
Re: PC Soft (PC)
A couple questions (Mac) (Commodore)
Re: Only Scan Floppies? (PC)
Re: Only Scan Floppies? (general)
Disk Compression (PC for now)
False Alarm (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc.  Please sign submissions with your real name.  Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks).  Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list.  Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

   Ken van Wyk

----------------------------------------------------------------------

Date:    Wed, 06 Nov 91 17:56:44 -0800
From:    p1@arkham.wimsey.bc.ca (Rob Slade)
Subject: Virus Experts

clear@cavebbs.gen.nz (Charlie Lear) writes:

> This posting is not pointing derisively at computer users who in 90%
> of cases simply don't know better; it is rather bringing to your
> attention the sort of people claiming to be "experts" in the field of
> virus control.

Oh, how true, how true.  And the *egos* involved ... !

Having recently been tech support manager for KEA systems, I rather
dreaded the day that I had to inform a customer that they were
infected.  I knew it would happen, as the product had a very
distinctive error message if it became infected with a file infector.
In actual fact, the one time I had to do it, the caller was very
pleased to be informed of it, and eagerly asked advice on antiviral
software and procedures.  (I was pleasantly surprised.)
I would like to add some experiences in a related field.  Shortly
after I opened the antiviral area on SUZY, and only yesterday from
Cyberstore, I got calls from the staff relaying messages from users
who stated they had become infected with a virus by using the online
service.  Of course, in both cases the virus was "Stoned", and in both
cases I informed both the staff and the user that it was impossible
unless they were a) technically competent enough to know better than
to do that and b) willing participants in their own infection.  (Yes,
it *is* possible to transfer a BSI via BBS.  But you have to try
pretty hard.)

> It's taught me a lesson. Every minute tonight during the hour and a
> half it took to reformat those disks and reload the software, I told
> myself, "I *MUST* remember to write protect every disk I send out, I
> *MUST* remember to write protect every disk I send out, I *MUST* ..."

Goodonya.  Please do.  As I hope my iterated refrain in the antiviral
reviews has pointed out, I am appalled at the commercial software
houses who still insist on sending out disks which are not only
writable, but lack any write protection at all.  (Yes, I realize that
shareware authors do not have access to the type of disk duplication
hardware that can write on "notchless" disks.  I encourage all of you
who do deal in shareware to write protect disks before you send them
out.  My real contempt is reserved for the commercials who have access
to the resources, and simply can't be bothered.  Or who like fancy
copy protection schemes better than security for us peons.)

=============
Vancouver      p1@arkham.wimsey.bc.ca   | "Power users think
Institute for  Robert_Slade@mtsg.sfu.ca | 'Your PC is now
Research into  CyberStore               | Stoned' is part of
User           (Datapac 3020 8530 1030) | the DOS copyright
Security       Canada V7K 2G6           | line." R. Murnane

------------------------------

Date:    Wed, 06 Nov 91 20:55:56 -0800
From:    turtle@darkside.com (Fred Waller)
Subject: Hardware? How about software...?
Writes groot@idca.tds.philips.nl (Henk de Groot):

> We have UNIX systems with a Software-switch-off function. If an
> "Antiviral" package immediately activates this function the system
> will be switched off and can not be infected. Is this Hardware
> protection? No, because Hardware alone can not do it (it will not
> switch off by itself). Is this Software protection? No software
> alone can not do it (after software triggered the hardware, the
> hardware will switch the system off).

Fascinating.  That's exactly how Mark Washburn's SECURE program works
under MS DOS, only I was led to believe here that SECURE wasn't
useful.  Could it be that such methods, first pioneered by Ross
Greenberg in FluShot, and then expanded by Washburn in SECURE, are a
good way of doing things, after all?  Better than string scanning?  I
always thought it was better, but with all the protestations here, I
had more or less given it up.

Should we retake the subject of SECURE, then?  If it's good, then we
should look at it much more carefully, even as a model for other
antivirus software.

 Fred Waller
 turtle@darkside.com
----------------------------------------------------------------
    "So, which way should we go: North or South?"
----------------------------------------------------------------

------------------------------

Date:    Wed, 06 Nov 91 20:46:59 -0800
From:    turtle@darkside.com (Fred Waller)
Subject: Furtivity

Writes CHESS@YKTVMV.BITNET (David.M.Chess):

> Anyway, I hate these "but you said that I said that you said
> that I didn't understand that I didn't say that..." threads.

Me too, but sometimes they help to clarify things.  My original post
was in response to people who said that `interpreted mode' viruses
could still attack under conditions that protected executables.  I
replied that such `interpreted viruses' would be easier to combat; one
reason I advanced for this belief was that they probably couldn't
become furtive ("stealth") viruses.
> I will reiterate, perhaps more clearly, and then drop the
> subject (unless it comes up again!).
>
> There's currently no correlation between how
> widespread a virus is and whether or not it is
> "stealthed".

No known statistical correlation, but I say we don't really know
whether there is no relationship in fact.  Only a few viruses are
really widespread, and ONE of them IS furtive ("stealth").  It so
happens that the furtive widespread virus is also the oldest virus
known, so its width of spread MAY be due to time, not furtiveness.

> The fact that a certain type of
> virus cannot be stealthed is therefore not
> particularly suggestive of how widespread
> viruses of that type might become.

It looked suggestive to me.  The other viruses that are widespread are
not furtive, true.  But they are also old viruses, while most furtive
ones are much newer.  So, while we don't KNOW that, given equal time,
the furtive viruses might not become VERY widespread or that
furtiveness is not a factor in virus spread, neither do we know the
reverse to be true.

Besides experience with old (non-interpreted) viruses, one may
rightfully use other (speculative) criteria when considering those
new, yet-to-be-written, speculative interpreted viruses.  And that's
the kind of consideration that was being made.

> There! I *think* that should be uncontroversial...  *8)

Sorry... seems that it still was.. a little...  :-)

 Fred Waller

------------------------------

Date:    Wed, 06 Nov 91 20:45:19 -0800
From:    turtle@darkside.com (Fred Waller)
Subject: Real User

Writes CHESS@YKTVMV.BITNET (David M. Chess):

> Think of it this way: more people today are protecting their
> machines with software than are doing so with hardware.  There
> are a number of possible reasons for this, including....

I think the most obvious reason is that viruses themselves are the
creature of programmers, and so are antiviruses.
Since we are in a programmer's-devised environment, both attacks and
defenses tend to be programmer-devised also.  Of course more people
are protecting their machines with software; that's what the antivirus
suppliers have mainly been feeding to the public.  It's the only
widely-available protection against the widely-promoted threat, and
the public panic, triggered by the same antivirus publishers.
Shouldn't lose sight of those facts.

Any "popularity" of software protection is -totally- unrelated to
effectiveness.  It's due to promotion, availability and distribution.
People are not protecting their machines with hardware for the same
reason they are not protecting them with angel-wing feathers: both are
effective, but difficult to find.  Most important, neither one has
been getting the daily promotion to millions of users that software
antiviruses get via free advertising on 60,000 BBS.  That's unrelated
to effectiveness.

It costs nearly nothing to duplicate software, so free samples are
cheap to produce.  And somebody else (i.e., the BBSs) advertise and
distribute them for free.  That's another reason people use them,
because it costs them nothing to try.  They have ABSOLUTELY NO IDEA
whether it's effective or not.  They have absolutely NO WAY TO MEASURE
whether the antivirus software is of any use whatsoever.  In fact,
much of the time, it's unprovable placebo.  Nothing to do with
effectiveness.  The fact that they are using it hasn't done one thing
to stop viruses from spreading.  Unrelated to effectiveness, again.

> An open mind doesn't require believing everything you hear!

But it most certainly doesn't allow rejecting everything you don't
like!

> People have been *quite* candid in response to your postings;
> I think that's part of what's bothering you...   *8)

Sure.  I'm human.  I don't like to be contradicted any more than the
next fellow; there's no shame in admitting that.
But I try to handle contradiction in a mature way, not by demeaning
opponents with personal remarks, as we've seen done here (not from
you, I hasten to say).

> ... the strong tone of your earlier postings (on the
> near-perfection of write-protect tabs and so forth).

Write-protect tabs are not `near'-perfect - they ARE perfect.
Totally, not just `near'; there's no software bypass of a
write-protect tab.

True, a write-protected disk cannot be updated.  True, the
inconvenience of using only write-protected disks is overwhelming.
So, we have to make them a little less perfect...  I never said we
should just look at the write-protect tab and STOP THERE...  I offered
it as an illustration, a starting point.  After all, I propose not
Virus-Proof Machines, but only Virus-Resistant ones... remember?  :-)

Unfortunately, some `open minds' became noticeably nervous at this
point and the conversation, instead of evolving, became derailed.
Which, I suspect, is what the `open minds' may have wanted in the
first place.

 Fred Waller
 turtle@darkside.com
-----------------------------------------------------------------
   "Oh, give me a virus-resistant machine, a virus-resistant
                       machine..."
                   -old folk tune, ca. 1991
-----------------------------------------------------------------

------------------------------

Date:    Wed, 06 Nov 91 20:50:02 -0800
From:    turtle@darkside.com (Fred Waller)
Subject: Viruses and "viruses"

Writes UH2M@DKAUNI2.BITNET (Axel Gutmann):

> ...biological viruses don't necessarily need an active host to
> survive - consider tobacco-mosaic virus-crystals -

The great majority of viruses do not resemble the so-called tobacco
mosaic virus.  Tobacco mosaic virus seems to be at the boundary
between `crystallizable' protein and live organisms.  In fact, because
it can be `crystallized' and remain active in such form, I would tend
to classify it not as a living organism, but as a chemical...
"anomaly".  This is not at all difficult to do (a "malchemical"...?
ouch!).
Most live viruses ARE highly labile.  They usually cannot stay alive
for any long time outside of a host, not to speak of reproducing by
themselves.  True, some few can survive.  But ALL computer "viruses"
can, and do, exist by themselves and can even be endlessly
"reproduced" (copied) without any need for "hosts"!  The mosaic virus
is a bad example.

We should keep in mind that there are many such "borderline" cases in
science.  At some point, it becomes difficult to distinguish between
animals and vegetals, but we emphatically distinguish between the two
at all other levels.  I think it's bad thinking and bad practice to
make emphasis on such borderline cases to draw analogies between the
extremes.  They are curiosities and exceptions, not rules.  Analogies
drawn from them will be plainly inaccurate, as is the analogy between
biological viruses and computer "viruses".

> The analogy that's most important in this discussion is the
> similarity in the dynamics of the spreading of diseases and
> virus-like-trojans.

If that's the important analogy, then the differences far outweigh
the similarities.  Computer viruses are not independent organisms.
They are the intentional product of ill-willing programmers.  They do
not evolve as part of a natural environment.  They are grossly
artificial.  Their complexity is several ORDERS of MAGNITUDE smaller
than that of even the simplest virus.  Whereas the spread of real
viruses can be studied and conclusions drawn from their study,
computer "viruses" are manipulated by their authors and distributors,
and their spread may have nothing at all to do with their "ability to
spread", or with whether they are "stealthed" or not, or whether they
infect this or that.  Anytime a virus author feels that his "creature"
is not spreading fast enough, he can add a dozen new ones.  If the
virus was unsuccessful, he can "repair" it instantly and we have a
new, "evolved" (sic) "strain" (sic).
In other words, viruses ARE NOT organisms, they are the PRODUCTS OF
organisms.  But if we are ignorant of the "seeding" mechanism, (as we
are in practice) and if we are ignorant of many aspects of the
"transport" mechanism (as we also are), and if "reproduction" may
actually be nothing but repeated artificial "seeding", HOW can we even
think of drawing parallels?  Where, I ask, is the analogy between this
and natural viruses?  HOW can we speak of analogies?  Ill-applied
equations.  False parallels.

In my opinion, the main reason antivirus publishers (and the news
editors...) are insisting on keeping the false parallel between real
viruses and computer "viruses" is for its psychological effect,
certainly not out of any kind of scientific necessity!  Witness, for
example, the lingo that has developed among those who study computer
"viruses": "infection"; "to isolate" (not to copy) a "specimen" (not a
file); "strains" (not revised programs); even I, myself, am caught
writing about "taxonomy" as if the damn things were some kind of
natural entities!  The habit is pervasive, and plays to the public's
imagination.  And THAT is its main value, a commercial one.  Also, it
plays to programmers' vanity, because it allows them to feel that they
are the "creators" of "living creatures", i.e., that they are gods in
some way.  Considering the size of some of the egos that populate this
environment, THAT might very well be the main cause...  :-)

> I'd like to do to old STONED what we did to the smallpox-virus!

Easy.  A vaccination for the Stoned has existed for a long time.
Several, in fact.  Use it on your diskettes, and the Stoned will never
attack them.  :-)

 Fred Waller
 turtle@darkside.com

------------------------------

Date:    Thu, 07 Nov 91 11:06:37 -0500
From:    MONAT%UOTTAWA@acadvm1.uottawa.ca
Subject: F-Prot 2.01 (PC)

I have some questions/wish list for F-Prot.

1. I have a lot of clients who work on their stand-alone computer for
   quite some time and then decide to access a network.
   They load virstop.exe at boot time but then at network time, the
   load gets rejected with an "already installed" message.  Couldn't
   virstop.exe disable its first copy and then reload itself?  (P.S.:
   Until this problem is resolved, I'm still loading f-driver.sys from
   version 1.16 at boot time, then virstop.exe at network login.)

2. What are we supposed to do with the file virstop.bin?  It's exactly
   identical to virstop.exe and both can be loaded at boot time.

3. I would like a new f-test.exe so that I can test if virstop.exe
   works once installed in memory.  There are so many ways to install
   TSRs nowadays and so many operating systems, that it is necessary
   to find out if it works.  Just the fact that a program loads
   doesn't mean success!

4. What's the command line switch to remove virstop.exe from memory?
   (It's useful if you want to detach yourself from Novell without
   rebooting).

Thank you for listening.

Paul             Faculty of Administration   Phone: 613-564-6895/6500
Massue-Monat     University of Ottawa        Fax:   613-564-6518
Lab Mgr.         Canada K1N 6N5              Internet: monat@acadvm1.uottawa.ca

------------------------------

Date:    Thu, 07 Nov 91 11:34:15 -0500
From:    Chris Jones
Subject: Re: PC Soft (PC)

>Recently I heard a commercial for the Mac advertising a product called
>"PC Soft" (I think...) it claims to run MSDOS software "just like the
>?pc's at the office" (I don't own a mac and NEVER would).

It is called SoftPC, by Insignia Software.  And it *does* run ibm
software, admittedly slower than the regular clock speed of the
machine that it is on, but what can you expect from software
emulation?  As for never owning a Mac, that's too bad..  Maybe the Ibm
will develop a *real* interface some day, so that you hard-core ibm
users can have one too...:)

> It occurred to me...what if an infected program was run using such
>an interface...would it infect other MSDOS software on the disk...
>or would fail miserably, possibly destroying the infected software.
>
> I figured that someone here would have a comment...

As a matter of fact, the emulation is good enough that viruses *are*
able to infect and transmit.  As has been recently discussed on the
INFO-MAC discussion list, ibm virus scanners are required (and work
well) while running SoftPC or SoftAT.  (Mac virus scanners are useless
in defeating pc viruses, they just cannot recognize anything is
happening..)  Several people on the info-mac stated for fact that
their mac had been the transfer point for a couple of ibm viruses,
transmitted while running either SoftPC or SoftAT.

Chris Jones
CHMCHRIS@VM.UOGUELPH.CA

------------------------------

Date:    Thu, 07 Nov 91 12:01:00 -0600
From:    AB5891A@ACAD.DRAKE.EDU
Subject: A couple questions (Mac) (Commodore)

I was reading the article about alternatives to virus protection
programs.  Ones that will work.  Well, I use this Macintosh SE that
the school has provided me and it works nicely, but recently my
roommate erased all of the anti-viral programs and thus I was prone
for an attack, which occurred.  An OLD virus, nVIR B, hit.  No biggie,
but the ANTI-virus program VIRUS DETECTIVE removed the virus resource,
but didn't redirect the pointers, so I had a useless System, Finder,
and Term program.

I also own a Commodore 128.  Strangely, over the 6 years I have had it
I have never once had a single virus in it.  Recently a few trojan
horses appeared, but they were easy to spot.  What makes the
difference between the two is this, one is constantly on - going from
one application to another, while the other has to constantly be shut
off.  On a Mac, (OR IBM for that matter) if you want to increase the
ANTI-virus protection, just after EACH application shut the system
off.  The virus MAY still spread, but then again, it may not.  Another
reason why my Commodore can't be infected is that it has its DOS in
ROM not in a modifiable DISK which is then loaded into RAM.  Both are
loaded into RAM, but on the Commodore, it cannot be changed with
software.
Just a thought,

ParaPsykotically Yours,
Tony
AB5891A@Drake

------------------------------

Date:    Thu, 07 Nov 91 10:01:34 -0800
From:    jesse%altos.Altos.COM@vicom.com (Jesse Chisholm AAC-RJesseD)
Subject: Re: Only Scan Floppies? (PC)

noelroy@morgan.ucs.mun.ca (Noel Roy) writes:
: jesse@gumby.Altos.COM (Jesse Chisholm AAC-RjesseD) writes:
:
: >Question: of the various TSRs that check programs before I execute
: >or copy them, do any allow me to only check those coming from a floppy?
:
: >Reason being a performance degradation issue.  Floppies are slow
: >anyway and adding the time to scan the file is a very small percentage.
: >But adding the time to a hard disk access is a larger percentage
: >(though I admit still small) and not really necessary as I checked
: >my hard disk thoroughly at boot up time.
:
: Does this make sense?  It takes just as long to scan a file on a
: floppy as it does a file on a hard disk.  In fact, it takes longer --
: precisely because file access is so slow on floppies.

True, the scanning process itself takes the same amount of time.  The
speed difference is from the access time on the floppy drive.

I have some users who do not want to know that their system is
checking for viruses except when it finds one.  The problem is that
the time for scanning programs and file copies is noticeable, if
slight.  At least, they tell me it is noticeable.  According to my
users, those pesky little milliseconds add up.  ;-)

They are willing to accept some speed degradation from the floppy
because floppies are slow anyway, and not used that often.  If being a
little slower on floppy access is the price of relative safety, that's
OK; as long as it doesn't interfere with the user.

Since they have allowed the virus protectors and checkers to test
their hard disk at power up time, they are confident that the HD is
clean.  Whether they can actually perceive the extra time to scan
programs from a hard disk load, or a network load, I don't know.
But they know it is happening and they know it takes some time and
they don't want to spend the time double/triple checking files they
know are clean.

Fortunately, the current version of VSHIELD from McAfee (for instance)
has command line options to limit which drives are checked on program
loads.

If vendors keep adding features, I may someday have happy users.  ;-)
Then again, some users always want more.

Jesse Chisholm          | Disclaimer: My opinions are rarely understood, let
jesse@altos86.altos.com | tel: 1-408-432-6200 | alone held, by this company.
jesse@gumby.altos.com   | fax: 1-408-435-8517 |-----------------------------
======== This company has officially disavowed all knowledge of my opinions.
--
"I'm up in the morning, before daylight; before I sleep the moon shines
bright.  Come a ti-yi-yippy-yippy-ay yippy-ay.  Come a ti-yi-yippy-yippy-ay."
        -- from an old song, "The Chisholm Trail"

------------------------------

Date:    07 Nov 91 20:27:42 +0000
From:    jesse@gumby.Altos.COM (Jesse Chisholm AAC-RjesseD)
Subject: Re: Only Scan Floppies? (general)

flaps@dgp.toronto.edu (Alan J Rosenthal) writes:
:
: jesse@gumby.Altos.COM (Jesse Chisholm AAC-RjesseD) writes:
: >Reason being a performance degradation issue.  Floppies are slow
: >anyway and adding the time to scan the file is a very small percentage.
: >But adding the time to a hard disk access is a larger percentage
: >(though I admit still small) and not really necessary as I checked
: >my hard disk thoroughly at boot up time.
:
: Is it feasible not to check files on your disk at boot time, and *only* to
: check files when running them?  This sort of meets the same objective.  Of
: course, you still have to scan boot sectors, etc, upon boot, but not every
: file on the disk.

It is a question of perception rather than actual efficiency.  A 1 or
2 minute check at power up time means there is time for a cup of
coffee before throwing the brain in gear.
A perceived delay every time the user runs a program is sand in the
gearbox.

My users have asked for a way to maintain relative health without
checking each and every file on each and every load or copy.  Since
most infections come via floppies, restricting the checking to loads
or copies from floppy seemed acceptable.

I have learned that v84 of McAfee's VSHIELD has command line options
to restrict which drives checks are done on.

--
"I'm up in the morning, before daylight; before I sleep the moon shines
bright.  Come a ti-yi-yippy-yippy-ay yippy-ay.  Come a ti-yi-yippy-yippy-ay."
        -- from an old song, "The Chisholm Trail"

------------------------------

Date:    Thu, 07 Nov 91 14:51:34 -0500
From:    padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Disk Compression (PC for now)

>From: "Mark Aitchison, U of Canty; Physics"
>Now (dare I say it?) for the question of the next generation of
>viruses that "know" about Stacker and SuperStore, etc. I presume that
>such viruses would have to be big, and they're hardly likely to handle
>all the brands and versions of compression software out there.

Doubt it - the Jerusalem (& any other virus that follows DOS Disk
access techniques) will work just fine.  What is going to have trouble
is anything that tries to lock/access the FAT directly.

>The down side is that virus scanners are going to have to understand a lot
>about compressed disks (in conjunction with all sorts of other drivers
>and hardware) to ensure there isn't a "super virus" there.  Not too
>much of a disadvantage, IMHO.

Same comment.  Incidentally DiskSecure works just fine with SuperStore
etc as do the other products I have tested (VSHIELD, Virus-Safe,
etc.)  VSHIELD does have a problem loading high with DRDOS 6.0 but
have been promised a fix.  Have had more problems trying to install
Windows (have WordStar for Windows coming in & was SuperStor impetus)
since each time I try to load it, the installation blows up & am left
with a corrupt disk.
DR wasn't surprised & I suppose I am just going to have to "trick"
something.  Whoopie.

Incidentally, DS I protects itself, the MBR, hidden sectors, & the DOS
boot record - I do not understand why something else (mentioned in
this issue but I forget the name) would have a problem - to me it
would be *more* difficult to just protect part of a disk.  DS II will
just allow extension of write protection to a whole disk just like DS
I prevents BIOS (not DOS) formats to any track.  RSN 8*).

                                        Padgett

------------------------------

Date:    Fri, 08 Nov 91 10:17:01 -0500
From:    Loren Mendelsohn
Subject: False Alarm (PC)

ATTENTION!  McAfee SCAN82 falsely identifies one of the files on the
DayStar Digital LT200 PC LocalTalk software disk as being infected
with the Possessed Virus.  The falsely identified file is the
DNET2.COM file.

When contacted, DayStar Digital stated that Central Point's virus
detection software will not identify the virus, nor will the latest
version of McAfee Scan (SCAN84).

Loren Mendelsohn
Wayne State University
Detroit, Michigan

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 214]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253
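Editor's added example, not part of the digest and not the code of VSHIELD, F-Prot, Central Point or DayStar Digital. Two posts in this issue describe the same on-access trade-off: Jesse Chisholm's users want program loads checked only when they come from floppy (the hard disk having been scanned at power-up), and Loren Mendelsohn reports a scanner string that wrongly flags a clean file (DNET2.COM). The toy checker below goes a little beyond the "only scan floppies" switch: it always rescans removable media, remembers clean verdicts for fixed-disk files by content hash so each clean file costs one signature pass rather than one per load, and lets a vendor-confirmed known-good hash override a signature hit so a false positive does not keep blocking a legitimate program. Everything here is constructed: the drive letters A: and B: as floppies, the signature bytes, the file images and the hashes; SHA-256 is used as the content hash simply because it is available, not because any 1991 scanner used it.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Assumption for the example: A: and B: are floppy (removable) drives.
REMOVABLE_DRIVES = {"A", "B"}

# Constructed signature table (name -> bytes).  The digest shows no real
# scanner strings; this is a placeholder pattern, not a real virus signature.
SIGNATURES: Dict[str, bytes] = {
    "Toy-Infector": b"\xeb\x1f\x90TOY-SIG-PLACEHOLDER",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signature_scan(data: bytes) -> Optional[str]:
    """Return the name of the first signature found in data, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


@dataclass
class OnAccessChecker:
    """Toy on-access checker deciding whether a program load is allowed."""
    scan_fixed_disks: bool = True          # False = "only scan floppies" policy
    known_good: Set[str] = field(default_factory=set)   # hashes confirmed clean
    clean_cache: Set[str] = field(default_factory=set)  # hashes already scanned clean

    def check_load(self, path: str, data: bytes) -> Tuple[str, bool]:
        """Return (verdict, scanned).

        verdict is "allow", "skip" (policy excluded the drive) or
        "block:<signature name>"; scanned tells whether the signature pass ran.
        """
        removable = path[0].upper() in REMOVABLE_DRIVES
        if not removable and not self.scan_fixed_disks:
            return "skip", False
        digest = sha256(data)
        # A fixed-disk file whose contents already scanned clean is not
        # rescanned.  Keying on content rather than path means a file that was
        # replaced after the boot-time scan misses the cache and gets scanned.
        if not removable and digest in self.clean_cache:
            return "allow", False
        hit = signature_scan(data)
        if hit is not None and digest not in self.known_good:
            # Blocked verdicts are never cached, so a later known-good entry
            # (a confirmed false positive) takes effect on the next load.
            return f"block:{hit}", True
        if not removable:
            self.clean_cache.add(digest)
        return "allow", True


# Constructed file images (not real programs).
CLEAN_EDIT = b"\xb8\x00\x4c\xcd\x21" + b"EDIT" * 64
INFECTED_GAME = b"\xe9\x00\x10" + b"GAME" * 32 + SIGNATURES["Toy-Infector"] + b"\x90" * 16
# Benign file that happens to contain the pattern bytes: a scanner-string
# false positive of the kind reported for DNET2.COM above.
BENIGN_DNET2 = b"\xba\x10\x00" + SIGNATURES["Toy-Infector"] + b"DNET" * 48


def demo() -> List[Tuple[str, str, bool]]:
    """Run a constructed load sequence; return (path, verdict, scanned) per load."""
    results: List[Tuple[str, str, bool]] = []
    chk = OnAccessChecker(scan_fixed_disks=True)

    def load(path: str, data: bytes) -> None:
        verdict, scanned = chk.check_load(path, data)
        results.append((path, verdict, scanned))

    load(r"C:\DOS\EDIT.COM", CLEAN_EDIT)        # scanned once ...
    load(r"C:\DOS\EDIT.COM", CLEAN_EDIT)        # ... then served from cache
    load(r"A:\GAME.COM", INFECTED_GAME)         # floppy: scanned, blocked
    load(r"A:\GAME.COM", INFECTED_GAME)         # floppy: scanned again
    load(r"C:\LT200\DNET2.COM", BENIGN_DNET2)   # false positive: blocked
    chk.known_good.add(sha256(BENIGN_DNET2))    # vendor confirms the file clean
    load(r"C:\LT200\DNET2.COM", BENIGN_DNET2)   # scanned, now allowed
    load(r"C:\LT200\DNET2.COM", BENIGN_DNET2)   # cached
    load(r"C:\DOS\EDIT.COM", INFECTED_GAME)     # same path, new contents: scanned, blocked
    return results


def demo_floppy_only() -> List[Tuple[str, str, bool]]:
    """The 'only scan floppies' policy: fixed-disk loads are not checked at all."""
    chk = OnAccessChecker(scan_fixed_disks=False)
    seq = [(r"C:\DOS\EDIT.COM", INFECTED_GAME), (r"A:\GAME.COM", INFECTED_GAME)]
    return [(p, *chk.check_load(p, d)) for p, d in seq]


if __name__ == "__main__":
    for row in demo() + demo_floppy_only():
        print(row)
```

The last load in demo() is the point Noel Roy and Alan Rosenthal were circling: a pure drive-based skip trusts the boot-time scan for the rest of the session, so a file replaced on C: afterwards is never looked at (demo_floppy_only shows it load unchecked), whereas a clean-verdict cache keyed on content still catches it while sparing the repeated loads the users complained about. A production checker would key the cache on something cheaper than a full-file hash, such as path, size and timestamp, at the price of trusting those attributes.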