Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA13983; Fri, 1 Jun 90 11:58:50 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA20796; Fri, 1 Jun 90 11:58:49 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA02561; Fri, 1 Jun 90 11:58:41 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa24177; 1 Jun 90 16:16 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: KRVW <@NSFnet-Relay.AC.UK:KRVW@sei.cmu.edu>
Date:         Fri, 01 Jun 90 16:08:16 BST 
Message-Id:   <$TGTWCZCFFBTC at UMPA>
Subject:      Virus-L vol 0 issue #0518



Virus-L Digest Wed, 18 May 88, Volume 0 : Issue #0518

Today's Topics

Beware the turkey!  :-)
Re: CRC signatures not reliable at all ?
Re: CRC signatures not reliable at all ?
Re: CRC signatures not reliable at all ?
forwarded submission

------------------------------

Date:         Wed, 18 May 88 08:35:47 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      Beware the turkey!  :-)



Here's a forwarded message that I got.  The program described here looks
almost like a new CHRISTMA EXEC - if anyone has any more information on
this, please send it to the list.


  To: ICS@ruby-falls.ICS.UCI.EDU
  Subject: Warning!
  Date: Thu, 12 May 88 13:07:21 -0700
  From: Tim Morgan <morgan@ruby-falls.ICS.UCI.EDU>

  Everyone should be aware of the program described in the following
  message.  We don't want to have to restore any files for anyone...

    Date: Tue, 10 May 88 12:48:16 PDT
    From: Doug Fouts <fouts%krypton@hub.ucsb.edu>
    To: jwills@venera.isi.edu
    Subject: EMAIL WARNING

    I have just been informed by a friend of mine here at U.C.S.B.
    that there is a program being passed around via ARPAnet (and
    also some other computer networks) that is called "turkey".  The
    instructions that are sent with the program say that when
    compiled and run the program will draw a nice picture of a
    turkey.  I have been informed that the program is a (not very
    funny) joke.  It does not draw a turkey, but it does erase all
    of the unprotected files in your directory.  You might want to
    pass this information along to people you know who use the
    network, as I am doing.
                                                              Doug Fouts

----------------------------------------------------------------------
= Kenneth R. van Wyk                   =                               =
= User Services Senior Consultant      =     Badgers!  We don't need   =
= Lehigh University Computing Center   =       no stinkin badgers!     =
= Internet: <LUKEN@VAX1.CC.LEHIGH.EDU> =                               =
= BITNET:   <LUKEN@LEHIIBM1>           =                               =
----------------------------------------------------------------------

--------------------

Date:         Wed, 18 May 88 14:49:00 LCL
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Michael Wagner +49 228 8199645 <WAGNER@DBNGMD21>
Subject:      Re: CRC signatures not reliable at all ?

> From:         Woody <WWEAVER@DREW>
>
> There is considerable hope, however.  The computation involved in
> obtaining r(x) is nontrivial. ...with a sufficiently large CRC
> check signature and sufficiently many candidates for check
> polynomials, our virus writer can't write an undetectable virus.

  There is a very important point here, which I think needs to be
  stressed more than Woody is stressing it.  A virus sophisticated
  enough to defeat the nontrivial schemes being proposed should be
  detectable either by the space it consumes or the time it takes
  up.  This is really the best we can hope for in these CRC schemes; to
  force such a virus into the domain of the visible.  But we still
  have to have the tools to 'see' with.  Therefore, computer users
  need to have precise tools to account for:

  1. All consumed and free disk space
  2. All consumed and free main storage in the running system
  3. All consumed cpu time over some period of time.

  These tools are anyways useful to micro owners who want to better
  understand the workings of their micros, but they become absolutely
  necessary to manage the problems that occur when virii start
  sprouting up.  If a certain, theoretically-unchanged operation
  starts taking significantly longer, it may have been subverted.

  To an extent, provision for these tools needs to be built in.  For
  example, there should be no unaccounted-for storage on disk; the
  map should show it all, including boot blocks, fats, (skinnies,)
  whatever.


Michael

--------------------

Date:         Wed, 18 May 88 08:56:04 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      Re: CRC signatures not reliable at all ?
In-Reply-To:  Message of Wed, 18 May 88 14:49:00 LCL from <WAGNER@DBNGMD21>

>  This is really the best we can hope for in these CRC schemes; to
>  force such a virus into the domain of the visible.
> ...
>  If a certain, theoretically-unchanged operation
>  starts taking significantly longer, it may have been subverted.

There certainly is a lot of truth in that; a virus that is sufficiently
smart enough to get around the defense mechanisms proposed here would
probably use enough CPU time such as to become noticeable.  Even the
simple viruses seen so far can be noticed by someone who is truly used
to the speed that his/her micro operates.  However, you run into problems
with this "method" of virus detection when (if?) you start to use multi-tasking
operating systems like OS/2 and/or Un*x.  Since several programs could be
running at the same time in such a system, any one program could take a
different amount of time to execute every time you run it.

Ken

P.S. I'm *not* trying to start a conversation on the merits of OS/2 vs.
     MS-DOS!   Really, I'm not!

----------------------------------------------------------------------
= Kenneth R. van Wyk                   =                               =
= User Services Senior Consultant      =     Badgers!  We don't need   =
= Lehigh University Computing Center   =       no stinkin badgers!     =
= Internet: <LUKEN@VAX1.CC.LEHIGH.EDU> =                               =
= BITNET:   <LUKEN@LEHIIBM1>           =                               =
----------------------------------------------------------------------

--------------------

Date:         Wed, 18 May 88 15:52:00 LCL
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Michael Wagner new! +49 228 8199645 <WAGNER@DBNGMD21>
Subject:      Re: CRC signatures not reliable at all ?

> Even the simple viruses seen so far can be noticed by someone who
> is truly used to the speed that his/her micro operates.  However,
> you run into problems with this "method" of virus detection when
> (if?) you start to use multi-tasking operating systems like OS/2
> and/or Un*x.  Since several programs could be running at the same
> time in such a system, any one program could take a different
> amount of time to execute every time you run it.

  This was exactly my point (I guess I didn't express it very well).
  On simple systems, real time is (perhaps) an adequate measure.  On
  multi-tasking machines (for me it's not when or if, it's how long
  ago.  OS/9 and AmigaDOS were my last two micro operating systems;
  between them it's been five years since I used anything simpler),
  you MUST have ways to measure CPU consumed BY TASK/PROCESS.  This
  implies that OS designers must build dispatchers that attribute
  all CPU consumption to the various consuming tasks.

> Ken

Michael
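
[Added example, not part of the original digest or written by any of its
posters.  It illustrates the point argued in the two messages above: on a
multi-tasking system wall-clock time is a poor baseline, while CPU time
attributed to one process is usable.  It assumes a POSIX system with
Python 3; the function names and the workloads are constructed for
illustration.]

```python
import resource
import statistics
import subprocess
import sys
import time


def measure(cmd):
    """Run cmd as a child; return (wall_seconds, cpu_seconds) for that child."""
    before = resource.getrusage(resource.RUSAGE_CHILDREN)
    start = time.monotonic()
    subprocess.run(cmd, check=True, stdout=subprocess.DEVNULL)
    wall = time.monotonic() - start
    after = resource.getrusage(resource.RUSAGE_CHILDREN)
    # user + system CPU charged by the kernel to the child we just waited for
    cpu = (after.ru_utime - before.ru_utime) + (after.ru_stime - before.ru_stime)
    return wall, cpu


def build_baseline(cmd, runs=5):
    """Collect CPU-time samples for a known-good run of an operation."""
    return [measure(cmd)[1] for _ in range(runs)]


def is_suspicious(baseline, cpu, factor=2.0, floor=0.05):
    """Flag a run whose CPU time exceeds factor x the baseline median.

    floor (seconds) keeps very small baselines from tripping on noise.
    """
    limit = max(statistics.median(baseline) * factor, floor)
    return cpu > limit


if __name__ == "__main__":
    py = sys.executable
    # Constructed workloads: the same operation, the same operation delayed
    # by waiting (as when other tasks hold the machine), and the operation
    # with extra computation added to it.
    normal = [py, "-c", "sum(i * i for i in range(200000))"]
    delayed = [py, "-c", "import time; time.sleep(0.5); sum(i * i for i in range(200000))"]
    extra = [py, "-c", "sum(i * i for i in range(4000000))"]

    baseline = build_baseline(normal)
    for name, cmd in (("normal", normal), ("delayed", delayed), ("extra", extra)):
        wall, cpu = measure(cmd)
        print(f"{name:8s} wall={wall:.3f}s cpu={cpu:.3f}s "
              f"suspicious={is_suspicious(baseline, cpu)}")
```

The delayed run shows a longer wall-clock time with essentially unchanged
CPU time, which is why the comparison is made on per-process CPU time.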

--------------------

Date:         Wed, 18 May 88 14:53:44 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      forwarded submission


Here's a forwarded message from J.D. Abolins:



Re: Eric Rostov's request for copy of risks log on diskette...
Eric or anyone else seeking for this and other files on diskette
(5.25" diskette, MS-DOS format) can send a stamped,
self-addressed mailer to me at

j. d. abolins
301 N. Harrison Street #197
Princeton, NJ  08540 USA
(this is a mailing address only.)
Daytime phone: (609) 292-7023

Besides the risks log, I have a number of other text files and
articles concerning the viruses.  Photocopies of print articles
can be made by arrangement.

Re: the request to pass a message on virus-l to Eric Newhouse...
I am going to send him a print copy of the message.  Eric
Newhouse, the developer of the dirty dozen listing, is not on
BITNET.  He is the sysop of the Crest RBBS in California.
The BBS number is (213) 471-2518. His mailing address is

Eric Newhouse
1834 Old Orchard Road
Los Angeles, CA  90049  usa

Soon, I hope to send up the most recent version of the dirty dozen
listing.

j.d.abolins



[Thanks for the generous offer, J.D.!  -Ken]

----------------------------------------------------------------------
= Kenneth R. van Wyk                   =                               =
= User Services Senior Consultant      =   Shocked!  Shocked I am at   =
= Lehigh University Computing Center   =      this despicable act!     =
= Internet: <LUKEN@VAX1.CC.LEHIGH.EDU> =                               =
= BITNET:   <LUKEN@LEHIIBM1>           =                               =
----------------------------------------------------------------------
