Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA21768; Thu, 7 Jun 90 18:06:29 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA16452; Thu, 7 Jun 90 18:06:24 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA14908; Thu, 7 Jun 90 18:06:12 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa27998; 7 Jun 90 20:11 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: DAVIDF@cs.heriot-watt.ac.uk
Date:         Thu, 07 Jun 90 15:31:04 BST 
Message-Id:   <$TGVGDBVHFKTJ at UMPA>
Subject:      Virus-L vol 0 issue #0701



Virus-L Digest Fri, 1 Jul 88, Volume 0 : Issue #0701

Today's Topics

Re: OS/2 and virii
New UK Virus
Questionable Ads
Re: Some BYTES from fidonet (sorry)
Re: do you believe in magic?
Forwarding a colleague's reply

------------------------------

Date:         Fri, 1 Jul 88 13:08:00 ECT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Ole-Hjalmar Kristensen +47-7-592760 <KRISTENS@NORUNIT>
Subject:      Re: OS/2 and virii

Adam Lewis writes: "Once someone has managed to get superuser priv. then
the writing of a virus is within the realm of possibility."

It is NOT necessary to have any special privileges under UNIX to make a
virus; on the contrary, making a virus is probably one of the "better"
methods to attack the security of a UNIX system.

Virii can be created by anyone who has access to the compiler and linker
and some knowledge of the format of an executable file. Once the virus is
created, it can be inserted into a copy of a system program, for example
ls. This infected ls can then be spread to all directories where the
creator has write access, and the first time a user tries to list the
files, it will infect any other executables owned by this user.

I have tried this myself, using a harmless virus which is intentionally
built so that it needs a specific file to propagate itself. The UNIX system
on which the test was performed is isolated from our other machines in
order to avoid uncontrolled infection. Furthermore, the virus maintains a
log which shows all executables infected. This virus has successfully
infected programs such as ps, ls, sh as well as other executables.

I will not go into any details about how the virus works, but it was
created in approximately two days of work. One day to dig up the necessary
information, and another to implement and test it.

I have drawn the following conclusions from this experiment:

* Creating a UNIX virus is simple.
* The infection can spread from user to user.
* As soon as the superuser runs an infected program, the virus can get
  superuser privileges.

Ole Kristensen

--------------------

Date:     Fri, 1 Jul 88 10:36:42 CDT
From: Will Martin -- AMXAL-RI <wmartin@ALMSA-1.ARPA>
Subject:  New UK Virus

The following is a complete item from the FEDERAL BYTES column (p. 42) of
the June 27, 1988, issue of Federal Computer Week, which just arrived in
today's mail (July 1):

Oh, No - Not Maggy!

Sources of reasonable reliability within the British Ministry of Defense
(MoD) report that a computer virus has broken out. It seems that MoD uses a
number of Macs, largely for graphics but some of them for word processing.

Whenever anyone writes "Margaret Thatcher" or "prime minister", the screen
[image] vanishes, along with whatever was on it. In the place of the
missing document appears a picture of Maggy, with a Union Jack behind her.

MoD, say our sources, has not found a cure.
- -------------------------------------------------------

Does anyone know anything else about this? If true, this is probably an
example of someone infecting a computer `manually' and leaving it to sit for
someone else to trigger. Digitized pictures on the Mac can take up quite a
bit of space (20-30k?) on a disk; that would probably be easy to notice.
Then again, on Macs, the only place it tells you how big your file is is
when you ask for a `by-name' description, and even then sizes are only
given in kilobytes.

         Andy

--------------------

Date:         Fri, 1 Jul 88 18:04:14 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Joe Sieczkowski <joes@SCARECROW.CSEE.LEHIGH.EDU>
Subject:      Questionable Ads

Over the course of the last 6 months, I've seen numerous questionable ads
concerning virus protection software. However, the one SysteMate
Incorporated placed in the June 6 '88 Info-World on page 58 takes the cake.
The ad starts with the caption "You had better STOP VD, before it stops
you", and follows with the typical scare-tactic approach.

In the ad, SysteMate states that SecurMate is "the only software package
that GUARANTEES you protection against all strains of VD." Furthermore, it
seemingly (<- note this word) challenges anyone who breaks the program a
60% controlling interest in the company. If that's not incentive, what is?
I can picture everybody and his brother trying to develop viruses to do
this. Personally, I lock horns with enough viruses; I don't need more.

I took the liberty of calling the company. I know there is no 100%
effective "software" method of protecting a PC (an insecure system where
real memory and the i/o ports can be directly addressed). During my
conversation with one of the technical people (an ex-NSA person no less), I
questioned the method of protection. Although quite sophisticated, I
proposed a viral method which could probably circumvent the protection. (I'd
rather not go into the specific method here.) However, this method implied
that I put a PD piece of software on the system containing the virus. The
answer I received was something like "How can you expect your system to be
secure if you subject it to untrusted software." To which I replied, "If
all my software was trusted, I wouldn't need your package." At this point I
inquired about their offer. Apparently their offer of "breaking their
system" implies being able to read a message that they ran through their
one-way encryption scheme.

The end of the article stated "our highly satisfied customer base, each
with hundreds or thousands of copies installed, include the Australian
Postal Department, Chase Manhattan, Citibank, Donaldson, Dupont, EXXON,
General Motors, General Electric, Honeywell, IBM, Mobil, NSA and other
government entities, Nynex, Pacific Telesis, Prudential, Rockwell
International and many others." I didn't check this out, but I find it hard
to believe. (If you're from one of these organisations, please comment.)
Perhaps all of these agencies bought an evaluation copy.

Misleading advertising in this area has run rampant.

--------------------

Date:         Fri, 1 Jul 88 11:42:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         WHMurray@DOCKMASTER.ARPA
Subject:      Re: Some BYTES from fidonet (sorry)
In-Reply-To:  Message of 30 Jun 88 18:00 EDT from "Len Levine"

Hurrah for Lee Kemp! That is an incredibly valuable piece of work. I wish
that I had said it. While the INTERNET is not quite as open as FIDONET,
there are numerous gates and lots of traffic between them. Therefore,
whatever applies to them applies equally to us. As I reported earlier, work
is going forward.

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

--------------------

Date:         Fri, 1 Jul 88 11:09:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         WHMurray@DOCKMASTER.ARPA
Subject:      Re: do you believe in magic?
In-Reply-To:  Message of 30 Jun 88 18:48 EDT from "me! Jefferson Ogata"

>God forbid that anyone should actually write an operating system or
>compiler.  Just think of the damage that would cause to everyone's
>data.  It's THIS kind of unjustified fear (superstition) that prevents
>progress along so many different paths.  A virus is a PROGRAM.  That
>program has certain characteristics that one can use to one's advantage.
>It seems to me that a number of people out there are terrified
>by one word: 'virus'.  This fear of viruses prevents them from even
>considering the possibilities for code using viruses.

It is not the wand that we fear. It is not even the magician. It is the
apprentice. We are particularly afraid of the apprentice who thinks that he
knows what the magician does not even pretend to know.

>The simple truth is that viruses ARE controlled entities.  They do what
>they are supposed to do when they are properly written.  The COMMAND.COM
>virus, for example, infects COMMAND.COM.  It performs a deterministic
>action on COMMAND.COM, then trashes the disk.  It doesn't infect other
>environments, only those running under DOS with COMMAND.COM.  It would
>be difficult, in fact, to write viruses with potential for infecting
>multiple environments.

For example, the above suggests to me that the author does not understand
the difference between the execution environment and the system population
of which it is a part. The creators of the Pakistani virus could predict
exactly how it would behave in a PC; they had no idea how it would behave
in the world. The creator of the XMASCARD knew how it would behave in a CMS
environment. He might make some intelligent predictions about how it would
behave in BITNET. He could not possibly have known how it would behave in
VNET even if he could have predicted that it might end up there. It is not
the potential for infecting multiple unlike environments that concerns me.
It is the ability to know the extent of the intended environment.

>It would
>be difficult, in fact, to write viruses with potential for infecting
>multiple environments.

True.  A virus is target specific.  For example:

>If we're following the analogy of biological
>viruses, consider how they work, which is quite similar to computer
>viruses.  A biological virus consists of a head and some legs.  The virus
>has a key which matches a particular site on a cell, called the active
>site.  Viruses can only infect those cells that have an active site on
>them corresponding to the virus key.  This site is the location where
>the virus DNA material is injected.  Because of this, biological viruses
>are well-suited to the fighting of cancer.  If a virus can be tailored
>to find an active site that exists only on cancer cells, it will destroy
>cancer cells throughout the body.  When there are no more cancer cells,
>the virus will die.  If biological computers can be added to these
>viruses, they can be programmed to die after n generations, thus
>preventing the possibility of spread to other animals whose cells might
>carry the same active site.

Which, of course, admits of the very danger that concerns us. That is, that
there is something in the environment, unknown to the creator of the virus,
that is vulnerable to it.

Cancer has demonstrated itself to be highly resistant to many strategies.
We might be justified in taking some risk to deal with it. Almost any
problem that will yield to a program virus also yields to other programs
without the uncertainties of a virus.

Of course, Mr. Ogata does not admit to much uncertainty. And, I am sure,
that he can hypothesize some problem that will justify continued
experimentation on which so many seem bent. One can only argue for the
truth that he sees.

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

--------------------

Date:         Fri, 1 Jul 88 10:57:51 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "David M. Chess" <CHESS@YKTVMV>
Subject:      Forwarding a colleague's reply

A colleague had the attached reaction to the signature-authentication idea
that the FidoNet article suggests. (My own reaction is that Kemp dismisses
the possibility of CRC-type protection way too lightly; "can be easily
bypassed", indeed!) Perhaps someone with the right access could send it on
its way back to Mr. Kemp? DC

<Forwarded stuff follows>

Re: Lee Kemp's FidoNet article

As I see it, the purpose of this 'tamper-proof' packaging is to prevent the
program from being infected from the time it leaves the author or factory
until it reaches my hot little hands.

This has several advantages over the current state of affairs, and should
be encouraged, but also leaves plenty of exposures.

The advantage of the scheme is:

* One can be quite sure that the product has not been tampered with since
  its encryption. If it comes from a commercial manufacturer, listing the
  public decryption key in the docs, one can be sure that one has the right
  program and that it hasn't been infected since its packaging.

Disadvantages/Exposures:

* In the case of shareware, a malicious person could decrypt the program,
  infect it, and then re-encrypt it with a new pair of keys. Wily Hacker
  could then pose as the author on any bulletin board not requiring user
  authentication, and thereby spread the infected version. Soon there are
  two or more versions of the program (with different keys) floating about,
  and people will not know which one is the clean one. Considerable FUD.
  Some will be infected before discovering that there is a danger, as the
  result of a false sense of security brought on by the nature of the
  packaging.

* If the developer's machine is infected, then there is a very good chance
  that the new program will be infected. This scheme would not have
  prevented the Aldus Freehand/MacMag incident.

* Boot block and operating system viruses will continue as usual.

* If your machine is already sick, this does not prevent it from infecting
  the executable once you have removed the protective packaging.

* An infected encryption/decryption program could do all sorts of nasty
  things.

Dan Hankins
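
The first exposure above turns on which key the recipient checks against. As an added illustration (not part of the digest, nor Kemp's or Hankins' proposal), the Go program below uses Ed25519 signatures as a modern stand-in for the "encryption" the article describes; the Package type, the function names and the program bytes are constructed for the example. It shows that a signature checked against whatever key travelled with the download is satisfied by any re-wrapped copy, while a check against the key obtained separately (the one "in the docs") rejects it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Package is the 'tamper-proof' packaging Hankins describes: the program
// bytes, a signature over them, and the public key that happened to travel
// with the download (a board posting, a disk in the mail).
type Package struct {
	Program    []byte
	Signature  []byte
	BundledKey ed25519.PublicKey
}

// seal signs the program with the author's private key and bundles the
// matching public key, as a publisher or shareware author would.
func seal(priv ed25519.PrivateKey, program []byte) Package {
	return Package{
		Program:    program,
		Signature:  ed25519.Sign(priv, program),
		BundledKey: priv.Public().(ed25519.PublicKey),
	}
}

// verifyWithBundledKey trusts whatever key arrived with the package. It only
// proves the signature matches that key, not that the key is the author's,
// so every re-sealed copy passes it.
func verifyWithBundledKey(p Package) bool {
	return ed25519.Verify(p.BundledKey, p.Program, p.Signature)
}

// verifyWithPinnedKey checks against a key obtained out of band, the
// "public decryption key in the docs" of the advantage paragraph.
func verifyWithPinnedKey(pinned ed25519.PublicKey, p Package) bool {
	return ed25519.Verify(pinned, p.Program, p.Signature)
}

// Outcome records what each check said about each copy of the program.
type Outcome struct {
	HonestBundled, HonestPinned     bool // untouched package
	TamperedBundled, TamperedPinned bool // bytes altered, packaging left alone
	ResealedBundled, ResealedPinned bool // altered, then re-wrapped under new keys
}

// runScenario walks through the three copies. All inputs are constructed.
func runScenario() (Outcome, error) {
	var out Outcome

	// The author's key pair; the public half is what the docs would print.
	authorPub, authorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	program := []byte("constructed program image v1.0") // stands in for the binary
	honest := seal(authorPriv, program)
	out.HonestBundled = verifyWithBundledKey(honest)
	out.HonestPinned = verifyWithPinnedKey(authorPub, honest)

	// Copy 1: the bytes are altered but signature and key are left alone.
	// Both checks catch this; it is the case the packaging was designed for.
	altered := append([]byte{}, program...)
	altered = append(altered, []byte(" modified")...)
	tampered := Package{Program: altered, Signature: honest.Signature, BundledKey: honest.BundledKey}
	out.TamperedBundled = verifyWithBundledKey(tampered)
	out.TamperedPinned = verifyWithPinnedKey(authorPub, tampered)

	// Copy 2: Hankins' shareware exposure. The altered program is wrapped
	// again under a fresh key pair and reposted with that key bundled.
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	resealed := seal(impostorPriv, altered)
	out.ResealedBundled = verifyWithBundledKey(resealed)           // passes: the wrong question
	out.ResealedPinned = verifyWithPinnedKey(authorPub, resealed) // fails: the right question
	return out, nil
}

func main() {
	out, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The pinned check still says nothing about the remaining exposures in the list: an infected developer machine signs an infected program just as readily, and a subverted verifier can report whatever it likes.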

--------------------

*** end of Virus-L issue ***