Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA18366; Tue, 5 Jun 90 14:43:05 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA19152; Tue, 5 Jun 90 14:43:04 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA20978; Tue, 5 Jun 90 14:42:54 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa29912; 5 Jun 90 17:45 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: KRVW <@NSFnet-Relay.AC.UK:KRVW@sei.cmu.edu>
Date:         Tue, 05 Jun 90 14:06:44 BST 
Message-Id:   <$TGVGDBVHCNZJ at UMPA>
Subject:      Virus-L vol 0 issue #0620



Virus-L Digest Mon, 20 Jun 88, Volume 0 : Issue #0620

Today's Topics

forwarded historical comments from Reid Fletcher
C compiler "virus": enough!
Re: reply to "Banish The List"
Product demonstration report
** no subject, date = Mon, 20 Jun 88 23:42:03 EDT
Going to Jail and not even getting $200

------------------------------

Date:         Mon, 20 Jun 88 08:39:10 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      forwarded historical comments from Reid Fletcher

Date:     Fri, 17 Jun 88 17:56:40 MDT
From:     fletcher@UWYO.BITNET (Reid Fletcher)

    I became aware of viruses or virus-like codes around 1973.  My mentors
informed me of virii in existence (at least in idea form) in 1968.  This
places these creations firmly in the mainframe era.  I remember hearing
about self-replicating code in college in 1973 *for certain* although I can't
recall the context.  It was discussed in benign and malevolent scenarios.
    I had also been informed of a virus-like code implanted in a piece of
software that was actually distributed by the vendor.  It was benign (sort of).
It existed on SDS Sigma series machines running UTS (later CP-V) which had the
Extended Fortran-IV compiler.  The trap operated like this.  If a user's source
code contained the statement *GO TO JAIL (assigned GO TO) the compiler would
issue an error code something along these lines:
   *Warning, go directly!  Do not pass go.  Do not collect $200.
Then the compiler would cease compilation.  The programmer that planted this
little trick went to some trouble to disguise it.  The recognition string in
the compiler was coded in as a series of bytes in their decimal equivalents of
the appropriate EBCDIC codes, along with totally misleading commenting.
The string was declared external and actually referenced in a different module
by code that was also misleadingly commented.  A dedicated analyst could find
it if they looked hard enough and had sufficient access to the system and
listings.

                                                 Reid Fletcher

* GO TO JAIL and WARNING, GO DIRECTLY!...  are taken from the MONOPOLY game, of
course, which is property, and a trademark of Parker Brothers.

Kenneth R. van Wyk                       Calvin: When I take a bath, I always
User Services Senior Consultant                  put my rubber ducky in the
Lehigh University Computing Center               water first.
Internet: <LUKEN@VAX1.CC.LEHIGH.EDU>     Hobbes: For companionship?
BITNET:   <LUKEN@LEHIIBM1>               Calvin: No, to test for sharks!

--------------------

Date:         Mon, 20 Jun 88 12:11:58 GMT
Reply-To:     Malcolm Ray <malcolm@JVAX.CLP.AC.UK>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
Comments:     Warning -- original Sender: tag was malcolm@JVAX.CLP.AC.UK
From:         MALCOLM@JVAX.CLP.AC.UK
Subject:      C compiler "virus": enough!

Joseph Sieczkowski <joes@EDU.LEHIGH.CSEE.SCARECROW> writes:

> >I have heard of a more insidious version of such a virus which lived in the
> >C compiler executable and the login executable. The login executable
> >allowed anyone who typed in a certain userid to log in as root without needing
> >a password, the compiler executable recognised that it was compiling "login"
> >and inserted the extra code - it also recognised if it was compiling a C
> >compiler and inserted the recognition code in that! Thus no trace of the
> >virus appeared in any source code.
>
>
> I believe that the rumor that you are speaking of is that of the first
> C compiler.  Supposedly the authors (Kerningham and Ritchie) put this
> little chunk of code in so they could log into any unix system.  If the
> processes were listed, someone was running login (in actuality, they
> were floating around the system.)  This problem was quickly fixed with
> the next version.
>
> joes@scarecrow.csee.lehigh.edu
>
>
> PS:  Fred Cohen briefly mentioned in his thesis that the NSA was rumored
>      to have something like this floating around on various systems.
>      As to its truth, I have no idea.

<Sigh> Haven't we had enough unconfirmed rumours?  This one's even libellous
(though I see Joseph has cleverly spelt Brian Kernighan's name wrong to halve
his liability).  Fact: Ken Thompson was the culprit, he described it in his
1983 Turing Award lecture (see Comm. ACM August 1984), and it wasn't his
intention to provide himself with a worldwide Unix trapdoor.  In fact, if anyone
outside AT&T and Bell can *prove* to me that they have a current compiler with
his Trojan I'll donate 10 pounds to the charity of their choice.

Hey, wanna hear about the Vatican conspiracy in the VAX microcode?

P.S. Of course, I'm not saying it *can't* be done, or that it *hasn't* been.
But let's not get carried away, hmm?

----------------------------------------------------------------------
Malcolm Ray            JANET:    malcolm@uk.ac.clp.jvax
Senior Systems Officer        BitNet:    malcolm@jvax.clp.ac.uk
City of London Polytechnic    No other routes please!

Unix is a registered ideology of AT&T

--------------------

Date:         Mon, 20 Jun 88 19:29:00 LCL
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Michael Wagner +49 228 8199645 <WAGNER@DBNGMD21>
Subject:      Re: reply to "Banish The List"

> -- David Meile writes...
> May I also point out that such computer-viruses as the XMAS EXEC
> ... were written by (supposedly) mature adults.

  I think XMAS EXEC was written by a university student.  Having
  been one of those myself once, and having seen various pranks
  pulled by freshmen and the like, I'm not sure how appropriate the
  word 'mature' is here :-)

Michael

--------------------

Date:         Mon, 20 Jun 88 17:27:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         WHMurray@DOCKMASTER.ARPA
Subject:      Product demonstration report




I have just seen a demonstration of VACCINE.  This program
computes a 32-bit CRC for all or any known programs and
permits them to run unimpeded.  For any unknown program, it
will exclude it altogether, or permit it to run only in a
protective shell.  At installation option, it will check the
CRC at boot time or at runtime.  While the overhead for
checking at boot time is noticeable, that for checking at
run time is not.  While the impact on the user for running
in the protective shell is noticeable, this need not be done
often and does not involve any special set-up or invocation.

In addition to the obvious application of protecting a given
machine against viruses, this product can also be useful in
protecting communities of machines.  It can also be used for
limiting users to authorized programs and for helping to
ensure compliance with license agreements.

This program is a product of Foundation Ware and must be distinguished
from other products with similar names.

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
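
The check described in the report above, as an added example that is not part of the original post and is not FoundationWare's code. The function names, the sample program images, and the rule that a known program whose CRC no longer matches is handled as unknown are assumptions.

```python
import zlib
from enum import Enum


class Verdict(Enum):
    RUN = "run unimpeded"
    EXCLUDE = "exclude altogether"
    SHELL = "run only in protective shell"


def crc32_of(image: bytes, chunk: int = 4096) -> int:
    """32-bit CRC of a program image, computed incrementally in chunks."""
    crc = 0
    for offset in range(0, len(image), chunk):
        crc = zlib.crc32(image[offset:offset + chunk], crc)
    return crc & 0xFFFFFFFF


def enroll(programs: dict[str, bytes]) -> dict[str, int]:
    """Installation step: record the CRC of every known program."""
    return {name: crc32_of(image) for name, image in programs.items()}


def check(name: str, image: bytes, baseline: dict[str, int],
          unknown_policy: Verdict = Verdict.EXCLUDE) -> Verdict:
    """Boot-time or run-time step: decide what to do with one program.

    Assumption: a program whose CRC differs from the enrolled value is
    handled exactly like a program that was never enrolled.
    """
    expected = baseline.get(name)
    if expected is not None and expected == crc32_of(image):
        return Verdict.RUN
    return unknown_policy


# Constructed sample images standing in for executables on disk.
SAMPLE = {
    "EDIT.COM": b"\xe9\x10\x00" + b"editor body" * 400,
    "CALC.EXE": b"MZ" + b"calculator body" * 300,
}

if __name__ == "__main__":
    baseline = enroll(SAMPLE)
    modified = SAMPLE["EDIT.COM"] + b"\x90appended code"
    for name, image in [("EDIT.COM", SAMPLE["EDIT.COM"]),
                        ("EDIT.COM", modified),
                        ("NEW.EXE", b"never enrolled")]:
        print(f"{name:10} crc={crc32_of(image):08x} -> "
              f"{check(name, image, baseline, Verdict.SHELL).value}")
```

CRC-32 catches accidental or naive modification but is not collision-resistant; the same design built today would record a cryptographic hash such as SHA-256 instead.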

--------------------

Date:         Mon, 20 Jun 88 23:42:03 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>

I was just reading the review of "Vaccine" by FoundationWare.
I had the opportunity (with Chris Bracy and Joe Sieczkowski)
to go out to San Francisco recently (I'm an East Coaster myself),
and test out Vaccine for FoundationWare.

To tell the truth, it's a very good package for businesses
and government, but I wouldn't recommend it for the average
programmer.

Several other companies have released anti-viral programs
based on the Vaccine Shell, and I remain against the idea.

The problem with a shell is that you must OKAY software
before you run it.  That means if you are writing a program,
you must take a bunch more keystrokes to okay it each time
you run it.  With Vaccine, that often takes some doing.

I can't complain about it though.  It does stop any virus
I've run across yet.  And it is probably good for places
that do no programming.

Unfortunately (please excuse my typing, I am on a dumb
terminal with no backspace or delete!) I remain unimpressed
with most anti-viral packages.  I haven't found one that
I truly like.

FoundationWare's owner challenged Chris, Joe and me to try
to break their program, and we were able to come up with
a few designs to do it in just under 10 minutes.

Average viruses wouldn't come up with what we did however.

Of all the shell programs, Vaccine is one of the best, but
again, I would not use one.  You cannot program.  Your
computer becomes an isolated machine.

Loren Keim

--------------------

Date:         Mon, 20 Jun 88 23:12:13 PST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Tim Streater   (415) 926-2743" <STREATER@SLACVM>
Subject:      Going to Jail and not even getting $200

I have worked with the Xerox compiler that gave the cute $200 message. It was
when I worked at CERN, on a Cii 10070 (a French identical copy of a Sigma 7).
However I am not aware that it stopped compiling after generating the message.
Near as I could tell it just issued a warning and carried on. Mind you, I
didn't make a habit of using JAIL as a variable in a GOTO statement, just did
it once or twice for fun. So I could easily not have noticed that behaviour.

Tim Streater / SLAC-SCS Networking Development.

--------------------

*** end of Virus-L issue ***
