VIRUS-L Digest   Wednesday, 29 May 1991    Volume 4 : Issue 92

Today's Topics:

re: FSP and sales figures (was: Into the 1990s)
Re: Tequila virus (PC)
Re: Dead vs Live: Commercial Necessity?? (some philosophizing added.)
Re: A question regarding commercial dial-up services
NVM's.
A question regarding commercial dial-up services
Quality vs. sales
missing London Virus Conference
FSP and sales figures (was: Into the 1990s)
Interesting advert (PC)
Interesting advert (PC)
Question About Stealth Viruses
Hoffman Summary & FPROT (PC)
Re: Virus Statistics
Addendum to FLU_SHOT+ Product Test (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

----------------------------------------------------------------------

Date: Tue, 28 May 91 20:51:21
From: microsoft!c-rossgr@uunet.uu.net
Subject: re: FSP and sales figures (was: Into the 1990s)

>From: Y. Radai
>... after three
>years of existence FSP still has no provision for checking the
>partition record (master boot record) ...

Well, yeah: you're right, there. I've been busy with Virex-PC, but it
probably *is* time for that feature to be added.

> plus the fact that for any
>given file, FSP gives the same checksum for all users, which (imho) is
>a security hole. (At least, these were true the last time I looked.)

Well, it is a single user system, after all....:-) No, I know what you
mean and that you feel it should give different "seeds" for each
system. I recall that discussion and that I felt (and still feel!)
it's a good idea, but a tech support nightmare.

> Since the vast majority of users
>don't check for weaknesses like these before they buy a program like
>FSP, high sales figures do not prove that the software is good.

Actually, I think that very high sales figures cause inertia in a
product: I really can't simply change the functionality of FLU_SHOT+
(or of Virex-PC) without pissing off a lot of people or adding in
extra layers of backwards compatibility. There are a bunch of things
I'd love to change in each of the programs to make them far better
programs, but that would break > 75K current users of the products.

> You didn't react to my
>statement that if the correlation were high, "we could completely
>dispense with all the quality comparisons that are continually being
>made in the literature, and simply quote sales figures." Is that what
>you're suggesting?

Not quite. However, a real dog of a product that simply doesn't work
is, eventually, gonna be found out and will have zero sales volume.
So, it would be safe to say that -- after enough time has passed --
sales volume would indicate that a bunch of people are happy with the
program, and that this *may* be an indication that the product is of
high quality (Hmmm, maybe this is turning into a submission for
RISKS...)

It's tough to decide on what determines the relative quality of a
product, though: if a scanner does 500 viruses and scans your disk in
two minutes and another scanner does 600 viruses and scans your disk
in three minutes, which one is a "better" product? Does making it
pretty, with a cool/spiffy GUI make it a "better" product? I would
think that using the sales volume of a product along with *other*
factors could help to decide what products to take a look at.

But the quality *comparative* reviews are what makes a product's
quality easy to see -- and relative to boot. It is this relativity
that changes, making quality a moving target. High sales figures
indicate that what somebody is offering, somebody is buying. This
must be taken into account in the equation, no?

Ross

------------------------------

Date: Wed, 29 May 91 08:01:56 +0000
From: mrs@netcom.com (Morgan Schweers)
Subject: Re: Tequila virus (PC)

Greetings,
    Some time ago microsoft!c-rossgr@uunet.uu.net happily mumbled:

>>From: mrs@netcom.com (Morgan Schweers)
>>
>>     *Chuckle* It's a variant of the Flip virus, actually. A bit of
>>pseudo-encryption code was added, and a bit of infection code was
>>removed, but otherwise it's mostly flip-like.
>
>Interesting phrase, "pseudo-encryption". What, exactly, does it mean?

There aren't any viruses which use anything that could be considered
'real' encryption (yeah, yeah, I know, 'define real'... We'll take it
to sci.philosophy.meta, okay?) However, what I meant by
'pseudo-encryption' is a situation in which the METHOD is different
each time. For example, the Tequila uses XOR *OR* ADDitive encryption.
This is more than one form of encryption, so in referring to the
entire group I call it pseudo-encryption. The same with the Whale,
etc. It could also be called variable encryption if you wish.

>Sorry: I don't count "wild card" strings as a search pattern. There's
>too much chance for false positives. But, true, if you don't mind the
>occasional false positive, I guess you could state that a search
>string was available for Tequila.

Odd that you would claim that... I could have sworn... Oh, never mind.

Actually, if you are using five bytes to search for the virus, and
someone else is using 15 (interspersed with a few wildcards), is it
automatically to be assumed that the wildcarded one is going to be
less specific? Do you have any statistics behind it? The most
important thing is the person putting together a string.

One has to realize that if one is going to use wildcards, one has to
use more bytes to detect than one normally would. (For verification
purposes.)

There is also a second trick, used by some. When the file is detected
as almost certainly being a virus, the decryption method is used on a
portion of the file. That portion is compared against a standard,
known block of code. If a match ISN'T made, the file is ignored.

>>     Dave Chess mentioned to me that the Tequila displays a low resolution
>>Mandelbrot set upon activation. I haven't confirmed it, but I plan to.
>>(Anybody want GIF copies when I do? *chuckle*)
>
>Sorry, I'll wait for the sequel: Tequila Part II: The Resolution
>Improves!

Yupyup. I figure the sequel will come around January... You know what
I mean... A new year's resolution increase... *duck*

-- Morgan Schweers
- --
My company has nothing to do with this. So there. Besides, most
people here *HATE* bad puns!
-- mrs@netcom.com

------------------------------

Date: Wed, 29 May 91 08:36:52 +0000
From: mrs@netcom.com (Morgan Schweers)
Subject: Re: Dead vs Live: Commercial Necessity?? (some philosophizing added.)

Greetings,

>> Is the stoned virus, for example, so prevalent because it is well
>> designed and/or defeats virus detection, or because it preceded the
>> large increase in sites with virus detection programs. Does not, in
>
>I would say that Stoned is so successful because it exploits a flaw in
>the PC architecture which is also our main ally in the fight against
>viruses - booting from floppy. How many times have you seen a student
>put their disk in the PC then switch it on? I do it by mistake myself
>sometimes. Whether the author was a great visionary(!) or got lucky
>doesn't matter, he was the first(?) to use the technique.

Nope. The major reason the Stoned spreads is two-fold.

1) It's been around for a LONG LONG time. However, the Brain has been
   around just as long, so that can't be all of it.

2) It infects HD's.
When it *HAS* infected an HD, it infects every single disk that passes
through it. THAT is what makes it such a successful virus. The Brain
didn't infect HD's, and is now reduced greatly in population.
(Interestingly, though, I feel sure that there are more people
infected with the Brain than are reported, since it *IS* the first
stealth virus, and does a good job of hiding.)

>> Without a continual influx of successful viruses, that is new
                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I'd put 'successful' viruses at about one every month or so, recently.
Those are viruses which were spread by someone with a knowledge of the
dynamics of spreading these things. The kind of virus that hits a few
thousand people in the first few weeks of its life. A large percentage
of those people aren't going to realize it's there. They'll be the
'typhoid PC' in that area, spreading it more and more.

It also includes new viruses being spread by companies shipping
software or hardware. ('getting lucky' in some folks' terms.) These
are viruses that the marketplace can expect to live with, because
they weren't caught early enough to nip their spread.

>> techniques, the only marketable force behind upgrades and/or market
>> share are dead viruses.
>
>Cruel. Perhaps virus fighters ought to remember that their ultimate
>goal, like doctors, is to make themselves redundant.

A very important point. I hope one day to put myself out of this crazy
business, and write a book about the insanity all over the field.
Goodness, the personality conflicts alone would make for a wonderful
novel, then we add in the hysterics of the commercial side of the
business... Of course, a fictional bar scene with all the principal
players would be...frightening. I picture these ten people suddenly
realizing who else is at the bar, and the temperature dropping twenty
to thirty degrees suddenly. *grin* Other patrons diving for cover, and
huddling behind tables suddenly. Yupyup...

For an industry this size, there's been a lot of backstabbing and
slandering, etc. If people could RELAX it would be good. 'Course
there's money in them thar PC's, and that changes some folks.

Anyone care to make guesses on how long the Virus problem will be
around? I'm still looking forward to writing that book. *grin*

(A side and sad note... It is not us, the anti-viral researchers, who
will kill the viruses once and for all. It's the OS writers who will
finally produce an OS which supports the protections a machine needs.
It's the users who will finally leave this damned MS/DOS troublemaker
behind. THAT is when viruses will vanish, slowly but surely, and then
we can all have a beer together and laugh about the nonsense of having
to clean up behind Microsoft.)

-- Morgan Schweers
- --
"My tongue is firmly stuck in my cheek, and I'm rarely ever serious.
One of my first quotes on the job was, 'So my job is to put myself out
of a job, right? No problem!' I like to think that most AV folks share
the opinion."
-- mrs@netcom.com

------------------------------

Date: Tue, 28 May 91 21:55:26 -0700
From: msb-ce@cup.portal.com
Subject: Re: A question regarding commercial dial-up services

In a recent VIRUS-L posting, lev@suned1.Nswses.Navy.Mil (Lloyd E
Vancil) refers to a recent tempest in a teapot about the cache file
used by Prodigy and asks:

   Would it be possible;
   1. for a memory resident virus to be scooped up by this service..
      and return to reinfect the machine at a later date? Presumably
      by the service's reusing of the file fragment that contains the
      "screen primitive" and the "scooped" virus code.
   2. for a virus to be written to take advantage of this transmission
      method?

My understanding of this situation is that in order to cache TeleTex
screens, the Prodigy service allocates about a meg of disk space and
writes screens to it for later recall. Since the space is never erased
(for performance reasons), it still contains remnants of old files
that previously occupied the space. As far as I know, these remnants
are never read from disk, much less transmitted back to the host.
Somebody with a file viewer peered into this cache area one day and
imagined that the software had gone to other files and "scooped up"
their contents for some nefarious purpose.

It is possible that the area allocated to STAGE.DAT might have
previously contained an infected file, but since it should never be
read before it has been written over there can be no question of it
providing any sort of reservoir of infection.

The answer, then, must be NO to both questions.

------------------------------

Date: Wed, 29 May 91 01:13:29 -0700
From: mmaxim@sc9.intel.com (Michael A. Maxim)
Subject: NVM's.

Hello people;

I noticed some concern and confusion about E/EEPROMS on the Virus-l
list lately, and, since I work at Intel's NVM development fab, I
figured the least I could do was to clear things up a bit. Some of
this is pretty pedestrian stuff, so you can skip to the end if you
want...

Definitions/explanations:

NVMs - Non-Volatile Memories. ROMS, PROMS, EPROMS, EEPROMS,
     ferromagnetic DRAM's, etc. Memory storage devices that don't lose
     data when the power goes out.

fab - Short for Fabrication. Place where silicon wafers are turned
     into semiconductor devices. Very clean, very very expensive
     factory.

ROMs - Also called mask ROMs. Read Only Memories. Programming is done
     during manufacture. "Cheapest" memory for high volume use on
     static designs. Minimum order might be several-to-tens of
     thousand parts. Real peanut parts, these may only cost pennies
     apiece.

PROM - Programmable Read Only Memory. These babies you program once.
     Heard the term "burn in a PROM"? Very literal saying. To program
     them, you actually fuse the innards into the configuration you
     want. Inexpensive unless you make lots of mistakes, 'cause they
     are either right or they are scrap.
EPROM - Also called UV EPROM's. Invented by Intel 'way back inna '70's.
     An Erasable Programmable Read Only Memory. They are programmed
     electronically, and erased with ultraviolet light. They've got a
     little transparent window in the package just for that purpose
     (it's usually covered up with a sticker or something, though; even
     ambient light WILL eventually wipe them out...note also that if
     the package doesn't have a window then your EPROM is effectively
     a PROM). Lots of these are used in automobile engine controllers,
     BIOS chips, etc. Also pretty cheap, available commercially in
     densities up to 4mbit or so.

EEPROM - Also called E2PROMS. These are Electronically Erasable
     Programmable Read Only Memories. You don't need UV to erase them.
     However, you do generally need at least 11 volts on one of the
     pins to erase/program them. More on this later. More expensive
     than EPROMS, but still cheap in all but the largest sizes. Should
     replace EPROMs in most applications in the next few years, and
     may even take a big chunk out of the disk drive and DRAM markets.

Flash - The hot rods of EEPROMs, also invented by Intel (of course.
     ~8^) ) They program and erase quickly and have fast access times.
     These are available in either bulk (entire bank or chip) or
     sector (single byte) erase versions. Their lifetime is measured
     in program/erase cycles. Some parts have lifetimes as low as 1000
     erase/program cycles; these are useful for some applications that
     don't require many changes, but aren't any good for solid state
     disks or memory cards, for example. Other types have
     program/erase lifetimes of 100K+ cycles. (guess who makes
     those... ~8^) )

Right now there are many different manufacturers who make or plan to
make Flash E2PROMS, including the market leader Intel, AMD, Seeq
Technologies, Atmel, NEC, Hitachi, Toshiba, Oki, Mitsubishi, and
maybe a couple others I missed.

Here's a shameless plug for the company that signs my paychecks, and
what seems to have caused the concern in the virus community. Intel
has just recently introduced the 1mbit 28F001BX Flash. It's designed
for use in PC operating system software and embedded control
applications. Features include a security-protected 8kb block on the
chip to boot applications, 2 4kb parameter blocks for configuration
info, a 112kb main memory block, 150 ns access time and single byte
erase. It's available in PDIP or PLCC (plastic dual inline package or
plastic leaded chip carrier, I think...I just do wafers, not
packaging) and costs $17.20 in quantities of 1000.

What does security-protected mean? Good question. I'll see if I can
find out.

Here's my own $.02: unless a really clever virus finds a way to shove
a sun lamp into your PC, you have nothing to worry about with EPROMs.
As for EEPROMs and Flash chips, they look just like PROMs or EPROMs
to your system. Unless your system is specially configured to
reprogram them (remember that pin I mentioned earlier?) there is
nothing ANY program could do to change an EEPROM. If some board maker
actually wanted to enable software modification to the BIOS EEPROM,
there is no reason that he couldn't do it; but that is a problem with
the board and manufacturer, not the chips.

Sorry so long winded.

M2.
`-_-'
 'U`  Have a day.

DisClaimEr: I think most of the stuff above is pretty near correct,
and of course I don't speak for Intel in any official or unofficial
way. I also didn't have anything to do with the 28F001BX, but it does
sound like a neat chip.

++===========================++=============================================++
|| Michael A. Maxim          ||                                             ||
|| Intel California TD       || "If all else fails, immortality can always  ||
|| D2 Thin Films             ||  be assured by spectacular error"           ||
|| 408/765-9435              ||                        -John Kenneth        ||
|| MMAXIM%SC9@SC.INTEL.COM   ||                         Galbraith           ||
++===========================++=============================================++

------------------------------

Date: Wed, 29 May 91 00:52:41 -0400
From: Valdis Kletnieks
Subject: A question regarding commercial dial-up services

>From: lev@suned1.Nswses.Navy.Mil (Lloyd E Vancil)
> ...
>(I'm not sure that the "service" retains a complete copy of its
> users "staging file"; after all they claim nearly 1 million
> users and at ~1meg per user that's 10^12 bytes? (wow) And I'm
> not sure the data from one user is seen by another's machine.)

(wow)? Not really *that* awesome... This is only 1 terabyte (1000
gigabytes). Something the PC world has to remember is that the
mainframe world is *designed* to deal with *very* large databases.
For instance, we run a medium-large IBM mainframe shop (1 3090 and 1
3084, maybe 90MIPS between them), and we have 300 gigabytes of disk
here - that's already 30% of that terabyte. And we're NOWHERE near
capacity - rough back-of-envelope calculations show that a 3090 with
128 I/O channels (say 96 of them for disk, the rest for TP and tapes
and the like) and 256 mod 3390 disks per channel (at 1.5 gigabytes a
disk) can address 36 terabytes of disk storage. Unless I dropped a
decimal point someplace, you'd only need a room about 250 by 200 feet
to store this. (Yes, I know I'm over-simplifying channel loading and
similar constraints - most *real* shops with this much disk run
multiple CPU's, etc etc)

Bottom line - out in the commercial world of major banks, stock
brokerages, insurance houses, airline reservation systems, and other
large corporations, a mere terabyte of disk isn't considered all that
much.
Valdis Kletnieks
Computer Systems Engineer
Virginia Polytechnic Institute

------------------------------

Date: Wed, 29 May 91 08:28:34 -0500
From: Ron Bullinger
Subject: Quality vs. sales

High sales volume = high quality (Totally bogus formula).

Just because a product gets the blessing of the buying masses, not
necessarily a majority consensus, doesn't mean a product is of high
quality. Look at the pet rock. A lot of people bought them. Take any
word processor. Whatever is the best seller today, wasn't always.
When "the other word processor" (fill in a name of one you like) was
the most popular, was it of better quality? What about the NeXT
computer, good quality but not a high volume seller. Once a product
becomes popular, no matter how good the competition, it becomes the
standard. Marketing is a good portion of how well a product sells.

------------------------------

Date: Tue, 28 May 91 17:11:07 -0400
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: missing London Virus Conference

>From: microsoft!c-rossgr@uunet.uu.net
>It ain't cheap

Self explanatory

                                        Warmly,
                                        Padgett
                                        Somewhere West of Orlando

------------------------------

Date: Tue, 28 May 91 17:11:07 -0400
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: FSP and sales figures (was: Into the 1990s)

>From: Y. Radai
> Anyone else in this forum have an opinion on how high the correlation
>is between quality of software and sales volume (for products in
>the same price range)?

a) price seems to have nothing to do with software quality unless you
   count documentation - it's prettier with the high-priced ones.

b) no complete package starts at the BIOS level yet therefore I don't
   give any a passing grade. (quantum economics).

------------------------------

Date: Tue, 28 May 91 17:11:07 -0400
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Interesting advert (PC)

>From: "K.Stevenson"
>It uses cryptographic checksums to monitor the state of
>executables on a PC or file-server. Any change, however caused will
>be detected. Since Vaccine does not need to know about particular
>viruses in order to detect them, it is future proof. Once installed,
>Vaccine will detect all viruses, past, present and future."

Question: when does it go resident ? If from CONFIG or later, you know
my opinion.

Comment: 4096, EDV, INT13, Zenith 158 & 159

>From: john.blakeney@f1701.n713.z3.fido.oz.au (John Blakeney)
>Subject: Virus detection via crcs
>(crc) check is only effective way of looking for viral activity unless
>search strings are known for the viruses listed in letters. There is
>no known virus (to my knowledge) which does not alter crc check.

See above, a vital element in a good integrity management system, but
not the only element.
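The per-installation checksum "seed" that Y. Radai and Ross argue over in the first message of this digest, and the CRC-based integrity checking in the advert replies just above, as an added example. It is not code from FSP, FLU_SHOT+, Vaccine or any other product mentioned here: the two sample "executables" are constructed byte strings, and HMAC-SHA256 with a random install key stands in for a keyed checksum as an assumption about the design, not as what any of those products did. The point it shows is that an unkeyed CRC-32 still catches the change (Blakeney's observation) but yields the same stored value on every machine, whereas the keyed value differs per installation and cannot be recomputed for a modified file without the seed.

```python
import hashlib
import hmac
import os
import zlib
from typing import Dict, Tuple

# Constructed sample "executables" (not real program images): a clean file
# and the same file with bytes appended, standing in for an infected copy.
CLEAN_EXE = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."
INFECTED_EXE = CLEAN_EXE + b"\xeb\x10\x90\x90 constructed-appended-bytes"


def crc32_checksum(data: bytes) -> int:
    """Unkeyed CRC-32: detects accidental or deliberate change, but every
    installation computes the same value for the same file, so the stored
    value is predictable to anyone who has the file."""
    return zlib.crc32(data) & 0xFFFFFFFF


def new_install_key() -> bytes:
    """A random per-installation 'seed'. It must be kept apart from the
    checksum database and from the files it protects."""
    return os.urandom(32)


def keyed_checksum(data: bytes, install_key: bytes) -> str:
    """Keyed checksum (HMAC-SHA256 here; an assumption, not what any product
    on the page used). Without the install key the correct value for a
    modified file cannot be computed."""
    return hmac.new(install_key, data, hashlib.sha256).hexdigest()


def build_database(files: Dict[str, bytes], install_key: bytes) -> Dict[str, str]:
    """Record a keyed checksum for every file at install time."""
    return {name: keyed_checksum(data, install_key) for name, data in files.items()}


def verify(files: Dict[str, bytes], database: Dict[str, str],
           install_key: bytes) -> Dict[str, bool]:
    """Recompute and compare; compare_digest avoids timing differences
    between near-miss and far-miss values."""
    return {
        name: hmac.compare_digest(database[name], keyed_checksum(data, install_key))
        for name, data in files.items()
    }


def same_across_installs(data: bytes) -> Tuple[bool, bool]:
    """Checksum one file under two independent installs and report whether
    the (CRC-32, keyed) values coincide: (True, False) is the expected
    outcome, i.e. the CRC is universal, the keyed value is per-install."""
    key_a, key_b = new_install_key(), new_install_key()
    return (
        crc32_checksum(data) == crc32_checksum(data),
        keyed_checksum(data, key_a) == keyed_checksum(data, key_b),
    )


def demo() -> dict:
    """Install-time database for one file, then check a clean and a
    modified copy against it."""
    key = new_install_key()
    db = build_database({"PROG.EXE": CLEAN_EXE}, key)
    return {
        "clean_ok": verify({"PROG.EXE": CLEAN_EXE}, db, key)["PROG.EXE"],
        "infected_ok": verify({"PROG.EXE": INFECTED_EXE}, db, key)["PROG.EXE"],
        "crc_detects_change": crc32_checksum(CLEAN_EXE) != crc32_checksum(INFECTED_EXE),
        "cross_install": same_across_installs(CLEAN_EXE),
    }


if __name__ == "__main__":
    print(demo())
```

Ross's "tech support nightmare" is real: if the install key is lost or the database is restored from another machine, every file reports as changed. The usual answer is to keep the key with the checker's own protected state rather than alongside the database, and to rebuild the database (from known-clean media) rather than copy it between machines.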
------------------------------

Date: Tue, 28 May 91 17:11:07 -0400
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Question About Stealth Viruses

>From: "Robert McClenon" <76476.337@CompuServe.COM>

"STEALTH" is a buzzword used to denote any virus that attempts to hide
itself from observation by intercepting calls that might be used to
detect the virus and instead provides returns indicative of a clean
system.

The first "stealth" virus was also the first PC virus, the Pakistani
BRAIN. On activation, it would go resident in memory, intercepting
calls to the floppy disk. If the boot sector of an infected floppy
was requested, it would return instead the real boot sector code that
had been stored elsewhere on the disk.

As far as I know, the first time the word "stealth" was applied to a
virus was to the 4096, a file infector that, when resident would
intercept all calls for infected files, strip the viral code off, and
return the original uninfected file to DOS so that signature scanners
could be thwarted. Very quickly scanner authors added memory checking
mechanisms to reveal these activities.

The vulnerability is that for a "stealth" virus to be active, it must
become resident and intercept calls that would reveal its presence.
This residence is detectable, usually with nothing more complex than
CHKDSK, if the user knows the meaning of the returns.

Memorize: "655360 total bytes memory".

------------------------------

Date: Tue, 28 May 91 17:11:07 -0400
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Hoffman Summary & FPROT (PC)

>From: rtravsky@CORRAL.UWyo.Edu (Richard W Travsky)
>I have the March 17th P. Hoffman virus summary in front of me and
>something has attracted my notice: The version of FPROT she refers to
>is version 1.07. The current release is 1.15A and 1.16 is due out in
>June.
>Any reason why such an old version is used?

Since I have not seen Patti on the net, will venture a guess: negative
free time, a condition many of us suffer from. For me, enough PC
software comes my way that I am ALWAYS at least five packages behind
(received the 3.1 revision of _Coherent_ over a month ago & still
haven't loaded the 3.0). Add to a "real" (i.e. family supporting) 60
hr/week job that does not put a PC on my desk & normal family life
(Boy Scouts, maintenance on 7 toys [three adults, two teenagers, two
adolescents], cruise night, etc.) & new software is normally accessed
in my "free" time between midnight & 2 a.m.

Most of the "anti-virus researchers" also have "real" jobs that have
little to do with PCs (Ross and John excepted), this is probably why
Europe and Canada lead the US in real research, testing, and
laboratories. While a Novell network in my den closet (where my PCs
are) is a possibility, it is not one that I have spent any time on,
even if I had some ethernet cards (besides my Columbia has only one
expansion slot & it is occupied).

------------------------------

Date: Tue, 28 May 91 17:11:07 -0400
From: padgett%tccslr.dnet@mmc.com (A. Padgett Peterson)
Subject: Re: Virus Statistics

>From: rtravsky@CORRAL.UWyo.Edu (Richard W Travsky)
>...the two we have now are Stoned and Ping Pong
> I've a couple of unconfirmed reports that MusicBug is in town
>(via FTP is what I've heard).

Up until recently, boot sector infectors such as Stoned, Ping-Pong, &
MusicBug have required physical contact with a floppy to spread. Only
with TELEDISK or SENDDISK could an entire floppy (including boot
sector) be sent electronically (e.g. FTP). The only other way for
these viruses to spread via FTP would be if embedded in a trojan.
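Morgan Schweers's Tequila reply earlier in this digest describes two scanner techniques: a wildcard search string (which, as he notes, needs more bytes than a plain string to keep false positives down), and a "second trick" in which the scanner applies the virus's own decryption method to a stretch of the file and compares the result against a known block of code before reporting a hit. The following is an added example of both, written for this digest; it is not code from any scanner named here. The 10-byte stub pattern, the use of two wildcard positions as the sample's encoding method and key, the 16-byte known block and all sample buffers are constructed for illustration and are not the real Tequila bytes; only the XOR-or-additive variation follows the post.

```python
from typing import List, Optional

Signature = List[Optional[int]]  # None marks a wildcard ("??") byte


def parse_signature(text: str) -> Signature:
    """Parse a space-separated hex search string; "??" is a wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


# Constructed 10-byte decryptor-stub pattern; NOT the real Tequila bytes.
# Positions 2 and 3 are wildcards because, in this toy layout, they hold the
# sample's encoding method and key, which vary from infection to infection.
SIGNATURE = parse_signature("EB 0A ?? ?? B9 10 00 ?? ?? 2E")
METHOD_XOR, METHOD_ADD = 0x00, 0x01

# Constructed "standard, known block": the first 16 body bytes as they look
# once the variable encoding has been undone.
KNOWN_BLOCK = bytes.fromhex("B4 09 BA 00 01 CD 21 B8 00 4C CD 21 90 90 90 90")


def match_at(data: bytes, offset: int, sig: Signature) -> bool:
    if offset + len(sig) > len(data):
        return False
    return all(s is None or data[offset + i] == s for i, s in enumerate(sig))


def find_candidates(data: bytes, sig: Signature) -> List[int]:
    """Every offset where the wildcard pattern matches (possible hits)."""
    return [o for o in range(len(data) - len(sig) + 1) if match_at(data, o, sig)]


def decode(block: bytes, method: int, key: int) -> bytes:
    """Undo XOR or additive encoding; unknown methods raise."""
    if method == METHOD_XOR:
        return bytes(b ^ key for b in block)
    if method == METHOD_ADD:
        return bytes((b - key) & 0xFF for b in block)
    raise ValueError("unknown encoding method")


def verify_candidate(data: bytes, offset: int) -> bool:
    """Second trick: decode the bytes following the stub with the method and
    key found in the stub, and accept only if they equal KNOWN_BLOCK."""
    method, key = data[offset + 2], data[offset + 3]
    start = offset + len(SIGNATURE)
    body = data[start:start + len(KNOWN_BLOCK)]
    if len(body) < len(KNOWN_BLOCK):
        return False
    try:
        return decode(body, method, key) == KNOWN_BLOCK
    except ValueError:
        return False


def scan(data: bytes) -> dict:
    """Pattern hits ("candidates") versus hits that survive verification."""
    candidates = find_candidates(data, SIGNATURE)
    return {"candidates": candidates,
            "confirmed": [o for o in candidates if verify_candidate(data, o)]}


# --- constructed sample buffers for exercising the scanner offline --------
def make_stub(method: int, key: int) -> bytes:
    """Fill the wildcard slots of the constructed stub pattern."""
    return bytes([0xEB, 0x0A, method, key, 0xB9, 0x10, 0x00, 0x55, 0xAA, 0x2E])


def encode(block: bytes, method: int, key: int) -> bytes:
    """Inverse of decode(), used only to build the samples below."""
    if method == METHOD_XOR:
        return bytes(b ^ key for b in block)
    return bytes((b + key) & 0xFF for b in block)


SAMPLE_XOR = (b"MZ" + b"\x00" * 30 + make_stub(METHOD_XOR, 0x5A)
              + encode(KNOWN_BLOCK, METHOD_XOR, 0x5A) + b"\x00" * 8)
SAMPLE_ADD = (b"MZ" + b"\x00" * 7 + make_stub(METHOD_ADD, 0x21)
              + encode(KNOWN_BLOCK, METHOD_ADD, 0x21))
# Same stub bytes, but the body is not the known block: a pattern-only
# scanner would report this file; the verification step rejects it.
SAMPLE_FALSE_POSITIVE = b"\x00" * 4 + make_stub(METHOD_XOR, 0x11) + bytes(range(16))
SAMPLE_CLEAN = b"\x00" * 40


if __name__ == "__main__":
    for name, buf in [("xor", SAMPLE_XOR), ("add", SAMPLE_ADD),
                      ("false positive", SAMPLE_FALSE_POSITIVE), ("clean", SAMPLE_CLEAN)]:
        print(name, scan(buf))
```

The split between `candidates` and `confirmed` is the point of the post: the wildcard string alone flags SAMPLE_FALSE_POSITIVE, and only the decode-and-compare step separates it from the two samples whose bodies really do decode to the known block under their own method and key.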
------------------------------

Date: Tue, 28 May 91 14:06:14 -0600
From: Chris McDonald ASQNC-TWS-R-SO
Subject: Addendum to FLU_SHOT+ Product Test (PC)

ADDENDUM for Product Test PT-27, May 1991, subject: FLU_SHOT+

Several days after transmitting PT-27 for FLU_SHOT+ the author sent me
an electronic message, also posted to Virus-L, informing me that
version 1.82 was now available. The author also advised me that the
"free" demonstration copy of Virex-PC would no longer be included with
FLU_SHOT+.

While I was aware that a version 1.82 was available, I chose to limit
my comments to version 1.81 because I had access to it through
simtel20. As mentioned in the product test analysis, I have never
received any official notification of FLU_SHOT+ upgrades even though
I am a registered user. While INTERNET is usually faster than U.S.
postal channels, it was not fast enough in this instance.

The "free" Virex-PC demonstration is now available at many locations
to include simtel20 in the path: pd1:virx14.zip

I apologize for any inconvenience.

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 92]
*****************************************

Downloaded From P-80 International Information Systems 304-744-2253