Return-Path: XPUM04@prime-a.central-services.umist.ac.uk Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3) id AA21884; Thu, 7 Jun 90 20:07:35 -0400 Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5) id AA16821; Thu, 7 Jun 90 20:07:35 -0400 Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3) id AA15898; Thu, 7 Jun 90 20:07:27 -0400 Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK via Janet with NIFTP id aa03214; 7 Jun 90 22:42 BST From: Anthony Appleyard To: DAVIDF@cs.heriot-watt.ac.uk Date: Thu, 07 Jun 90 15:35:12 BST Message-Id: <$TGVGDBVHFKVT at UMPA> Subject: Virus-L vol 0 issue #0720 Virus-L Digest Wed, 20 Jul 88, Volume 0 : Issue #0720 Today's Topics simulators Re: VM/CMS viruses Re: VM/CMS viruses How to warn inexperienced users about viruses Re: VM/CMS viruses Write protect hardware Getting a handle on size ** no subject, date = Wed, 20 Jul 88 16:54:47 MEX Re: Write protect hardware HDSENTRY ------------------------------ Date: Wed, 20 Jul 88 02:44:41 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: me! Jefferson Ogata Subject: simulators > As for VIRSIM, shelve it; it is useless. Virus simulators are viable ways to test virus protection software. If I were testing it, one thing I wouldn't do is use REAL viruses. The majority of virus problems presently are caused by known viruses, such as the BRAIN virus, and mutations therefrom. An appropriate way to test software designed to protect against such attacks is to simulate the attacks with an easily controlled substitute. Protecting against new and innovative viruses would be virtually impossible; nevertheless, we needn't discard the notion of virus simulation for known strains. Virus simulation is really quite close in principle to vaccination. Vaccines are designed to stimulate immune system response to a disease without incurring any real danger to the patient. Virus simulators are a good test for virus-protection software, as they also incur no real danger to the patient (hopefully). Should we stop manufacturing influenza vaccines just because the flu changes every year? I am certainly not endorsing this particular simulator, VIRSIM, as good evidence has been presented that it may be a corporate marketing ruse. There are other simulators out there. I'd say use them in good health. - Jeff -------------------- Date: Wed, 20 Jul 88 12:57:17 SET Reply-To: Virus Discussion List Sender: Virus Discussion List From: "Christian J. Reichetzeder" Subject: Re: VM/CMS viruses In-Reply-To: Message of Fri, 24 Jun 88 10:07:00 URZ from I don't know if the following scenario has already been addressed. Use of PCs both as PC and Terminal is wildly increasing at our site. More and more products are available to connect to hosts (ECF, FBSS, Kermit, ...). Future plans for our site include LAN, bridges to EtherNet and who knows what else. There will (must) also be some "public" PCs for software-demo, assitance, utilities (e.g. copying diskettes to different format), students, ... REMARK: most of the PCs are "outside" our institution, i.e. other Institutes/ Clinics connecting to the mainframe own those PCs. I fear that there is a "good" chance that (almost) all PCs get infested from the public ones - not necessary by deliberate action. It could come from a user who caught a virus by accident and uses the public PC to copy some diskettes. What if a Trojan connection program (e.g. 3270 emulation) spreads around? It could steal *host* passwords and make use of the LAN to send them to the hacker. It could also be used to infest the host (CMS in our case). Any comments, suggestions, experiences, war stories, ...??? Some specific questions: * is it better if the "public" PCs have *NO harddisk* ? * should we offer host access in "public" PCs or not ? * anyone ever heard of installing a "controlled" PC as a "bait" ? Christian -------------------- Date: Wed, 20 Jul 88 07:38:10 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: "Kenneth R. van Wyk" Subject: Re: VM/CMS viruses In-Reply-To: Message of Wed, 20 Jul 88 12:57:17 SET from >What if a Trojan connection program (e.g. 3270 emulation) spreads around? > * is it better if the "public" PCs have *NO harddisk* ? > * should we offer host access in "public" PCs or not ? > * anyone ever heard of installing a "controlled" PC as a "bait" ? This sort of thing is certainly a very real problem, primarily at universities which have publically accessible micros. It turns out that these public micros are probably about the best incubating environment that you could imagine for a virus or trojan terminal emulator, etc. Here at Lehigh, we've done the following to try to reduce this risk: 1) All public micros are dual floppy machines; most of which are connected to LANs (Novell on 3COM boards). 2) All boot disks (with Novell software on) are notchless disks, and they contain nothing other than the operating system boot files and the Novell software. 3) All Novell hard disks (on the file servers) are read only, with the exception of a scratch area where users can place temporary files. 4) The scratch areas get cleaned (i.e., erased) periodically by our student employees. 5) Users logging into the LAN are not automatically placed in the scratch directory. (Recall that, in MS-DOS, the current working directory is always searched for executables before the PATH is...) The above methods are probably not infallible (sp?), but what is? Yes, I do think that it is worthwhile to have public micros, but you *HAVE* to take some basic precautions. Offering host access from your public micros should be a must; at least, depending upon how your computing facility is set up. We have very few data terminals any more; almost all mainframe access is via PCs connected to our digital voice/data PBX. As far as setting up a controlled PC as bait; it sounds rather expensive, but what form of bait did you have in mind? Ken Kenneth R. van Wyk From the Devil's Dictionary: User Services Senior Consultant Barometer - an ingenious device Lehigh University Computing Center designed to inform the user what Internet: the weather is. BITNET: -------------------- Date: Wed, 20 Jul 88 12:00:09 EST Reply-To: Virus Discussion List Sender: Virus Discussion List From: Lois Buwalda Subject: How to warn inexperienced users about viruses Hi! I'm in the process of writing a BITNET help guide for beginning computer users. Since I have to explain to these users how to send and receive files, I would also like to include a section on viruses. Thus, I was wondering what you guys think beginning users should be told about them (i.e., what can be done to minimize the spread of them, etc.). Please keep in mind that these people know very little about computers, so telling them to carefully read through all programs before running them wouldn't help a whole lot. Anything else I can tell them besides the obvious "don't receive any files from people that you don't know"? If you want to reply directly to me, I will summarize the responses over the list later. Thanks! Lois -------------------- Date: Wed, 20 Jul 88 15:26:51 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: Steve Subject: Re: VM/CMS viruses In-Reply-To: Message of Wed, 20 Jul 88 12:57:17 SET from >What if a Trojan connection program (e.g. 3270 emulation) spreads around? It >could steal *host* passwords and make use of the LAN to send them to the >hacker. It could also be used to infest the host (CMS in our case). I'm new to this list. I wanted to point out that in regard to corrupted terminal emulators that steal passwords and send them to a "hacker", this probably is not the way it would happen. Such an emulator would have to have the "address" of the "hacker" in order to forward passwords to him, right? That leaves the "hacker" vulnerable to discovery and identification, and most intelligent "hackers" would not take such a risk. On the other hand, the program could store userids and passwords, hidden on disk somewhere, and the "hacker" could later come along and extract this information. Or maybe such an emulator could be set up to respond remotely to the queries of the person who planted it. Steve -------------------- Date: Wed, 20 Jul 88 20:03:40 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: David.Slonosky@QUEENSU.CA Subject: Write protect hardware Is there any way to design code so that a disk write to a write-protected disk will NOT generate a write error message? -------------------- Date: Wed, 20 Jul 88 20:05:17 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: David.Slonosky@QUEENSU.CA Subject: Getting a handle on size I just thought of a purely hypothetical question which may or may not be of value to this discussion. Supposing you were the ideal computer user and initialised your system by checksumming all your files initially followed by regular repeats, and using programs like CHK4BOMB, BOMBSQAD, and/or FSP regularly. You also believe in the value of a well-placed write protect tab and have the latest software protection for your hard drive. You have also made your important files read-only using some attribute changing utility. Along comes virus writer X who wants to destroy your system for perverted kicks. What type of virus could this person design to circumvent all these measures, what is the minimum size it could possibly be, and how much would it slow down processing time (to the detectable level? not at all?)? Obviously almost no one has write protect tabs on their disks all the time. -------------------- Date: Wed, 20 Jul 88 16:54:47 MEX Reply-To: Virus Discussion List Sender: Virus Discussion List From: SISTEMAS@VMTECMEX Hi there: I'm new to the list but I think it's real good. I would like to get a virus simulator to evaluate a protection developed here.I'd like it better if it's an "independent" simulator ( not VIRSIM ). Any suggestions? ( please be specific about it ). Thanks in advance for your valuable help. Arturo Torres. Soft.Eng.Dep. ITESM Mexico City. Mexico. -------------------- Date: Wed, 20 Jul 88 22:39:00 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: Brian Holmes Subject: Re: Write protect hardware In-Reply-To: Your message of Wed 20 Jul 88 20:03:40 EDT It is very easy to tell if a disk is write protected through specific calls to the operating system, so yes you can design code to not issue a write protect error, if a disk has been write protected. ******************************************************************* * Brian Holmes \ / ___ * * Wayne State University \/\/su | | * * Detroit Michigan ____| |____ * * | | | | * * BITNET : BHOLMES@WAYNEST1 | | | | * * INTERNET : Brian_Holmes%WU@UM.CC.UMICH.EDU | | | | * * UUCP : {UMIX|ITIVAX}!WAYNE-MTS!BRIAN_HOLMES ============= * ******************************************************************* -------------------- Date: Wed, 20 Jul 88 22:25:36 CST Reply-To: Virus Discussion List Sender: Virus Discussion List From: James Ford Subject: HDSENTRY I downloaded HDSENTRY from a bbs here in town and decided to give it a try. (HDSENTRY is suppose to be a h-drive "write-protect" tab...) It came with a DOC, COM and ASM file............. Well, I backed up a directory and then ran the program. I then proceded to DEL *.* and sat back. I got the message WARNING! TRYING TO DELETE ...etc. and said to my self, "Hey, this might do the job." I then did a directory and found no files at ALL. However, after re-booting, the files re-appeared. My question: Why does HDSENTRY do this? Are some stack pointers off or what? I have a copy of the ASM file, but don't know enough about assembly to check on it. Any takers? I'm using an IBM PS/2 M30 w/20M. James Ford JFORD1@UA1VM.BITNET -------------------- *** end of Virus-L issue *** Return-Path: XPUM04@prime-a.central-services.umist.ac.uk Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3) id AA25792; Tue, 12 Jun 90 06:27:23 -0400 Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5) id AA12892; Tue, 12 Jun 90 06:27:21 -0400 Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3) id AA04015; Tue, 12 Jun 90 06:27:03 -0400 Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK via Janet with NIFTP id aa09142; 12 Jun 90 11:00 BST From: Anthony Appleyard To: KRVW <@NSFnet-Relay.AC.UK:KRVW@sei.cmu.edu> Date: Tue, 12 Jun 90 11:03:24 BST Message-Id: <$TGVTCZHTCBQG at UMPA> Subject: Virus-L vol 0 issue #0720 Virus-L Digest Wed, 20 Jul 88, Volume 0 : Issue #0720 Today's Topics simulators Re: VM/CMS viruses Re: VM/CMS viruses How to warn inexperienced users about viruses Re: VM/CMS viruses Write protect hardware Getting a handle on size ** no subject, date = Wed, 20 Jul 88 16:54:47 MEX Re: Write protect hardware HDSENTRY ------------------------------ Date: Wed, 20 Jul 88 02:44:41 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: me! Jefferson Ogata Subject: simulators > As for VIRSIM, shelve it; it is useless. Virus simulators are viable ways to test virus protection software. If I were testing it, one thing I wouldn't do is use REAL viruses. The majority of virus problems presently are caused by known viruses, such as the BRAIN virus, and mutations therefrom. An appropriate way to test software designed to protect against such attacks is to simulate the attacks with an easily controlled substitute. Protecting against new and innovative viruses would be virtually impossible; nevertheless, we needn't discard the notion of virus simulation for known strains. Virus simulation is really quite close in principle to vaccination. Vaccines are designed to stimulate immune system response to a disease without incurring any real danger to the patient. Virus simulators are a good test for virus-protection software, as they also incur no real danger to the patient (hopefully). Should we stop manufacturing influenza vaccines just because the flu changes every year? I am certainly not endorsing this particular simulator, VIRSIM, as good evidence has been presented that it may be a corporate marketing ruse. There are other simulators out there. I'd say use them in good health. - Jeff -------------------- Date: Wed, 20 Jul 88 12:57:17 SET Reply-To: Virus Discussion List Sender: Virus Discussion List From: "Christian J. Reichetzeder" Subject: Re: VM/CMS viruses In-Reply-To: Message of Fri, 24 Jun 88 10:07:00 URZ from I don't know if the following scenario has already been addressed. Use of PCs both as PC and Terminal is wildly increasing at our site. More and more products are available to connect to hosts (ECF, FBSS, Kermit, ...). Future plans for our site include LAN, bridges to EtherNet and who knows what else. There will (must) also be some "public" PCs for software-demo, assitance, utilities (e.g. copying diskettes to different format), students, ... REMARK: most of the PCs are "outside" our institution, i.e. other Institutes/ Clinics connecting to the mainframe own those PCs. I fear that there is a "good" chance that (almost) all PCs get infested from the public ones - not necessary by deliberate action. It could come from a user who caught a virus by accident and uses the public PC to copy some diskettes. What if a Trojan connection program (e.g. 3270 emulation) spreads around? It could steal *host* passwords and make use of the LAN to send them to the hacker. It could also be used to infest the host (CMS in our case). Any comments, suggestions, experiences, war stories, ...??? Some specific questions: * is it better if the "public" PCs have *NO harddisk* ? * should we offer host access in "public" PCs or not ? * anyone ever heard of installing a "controlled" PC as a "bait" ? Christian -------------------- Date: Wed, 20 Jul 88 07:38:10 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: "Kenneth R. van Wyk" Subject: Re: VM/CMS viruses In-Reply-To: Message of Wed, 20 Jul 88 12:57:17 SET from >What if a Trojan connection program (e.g. 3270 emulation) spreads around? > * is it better if the "public" PCs have *NO harddisk* ? > * should we offer host access in "public" PCs or not ? > * anyone ever heard of installing a "controlled" PC as a "bait" ? This sort of thing is certainly a very real problem, primarily at universities which have publically accessible micros. It turns out that these public micros are probably about the best incubating environment that you could imagine for a virus or trojan terminal emulator, etc. Here at Lehigh, we've done the following to try to reduce this risk: 1) All public micros are dual floppy machines; most of which are connected to LANs (Novell on 3COM boards). 2) All boot disks (with Novell software on) are notchless disks, and they contain nothing other than the operating system boot files and the Novell software. 3) All Novell hard disks (on the file servers) are read only, with the exception of a scratch area where users can place temporary files. 4) The scratch areas get cleaned (i.e., erased) periodically by our student employees. 5) Users logging into the LAN are not automatically placed in the scratch directory. (Recall that, in MS-DOS, the current working directory is always searched for executables before the PATH is...) The above methods are probably not infallible (sp?), but what is? Yes, I do think that it is worthwhile to have public micros, but you *HAVE* to take some basic precautions. Offering host access from your public micros should be a must; at least, depending upon how your computing facility is set up. We have very few data terminals any more; almost all mainframe access is via PCs connected to our digital voice/data PBX. As far as setting up a controlled PC as bait; it sounds rather expensive, but what form of bait did you have in mind? Ken Kenneth R. van Wyk From the Devil's Dictionary: User Services Senior Consultant Barometer - an ingenious device Lehigh University Computing Center designed to inform the user what Internet: the weather is. BITNET: -------------------- Date: Wed, 20 Jul 88 12:00:09 EST Reply-To: Virus Discussion List Sender: Virus Discussion List From: Lois Buwalda Subject: How to warn inexperienced users about viruses Hi! I'm in the process of writing a BITNET help guide for beginning computer users. Since I have to explain to these users how to send and receive files, I would also like to include a section on viruses. Thus, I was wondering what you guys think beginning users should be told about them (i.e., what can be done to minimize the spread of them, etc.). Please keep in mind that these people know very little about computers, so telling them to carefully read through all programs before running them wouldn't help a whole lot. Anything else I can tell them besides the obvious "don't receive any files from people that you don't know"? If you want to reply directly to me, I will summarize the responses over the list later. Thanks! Lois -------------------- Date: Wed, 20 Jul 88 15:26:51 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: Steve Subject: Re: VM/CMS viruses In-Reply-To: Message of Wed, 20 Jul 88 12:57:17 SET from >What if a Trojan connection program (e.g. 3270 emulation) spreads around? It >could steal *host* passwords and make use of the LAN to send them to the >hacker. It could also be used to infest the host (CMS in our case). I'm new to this list. I wanted to point out that in regard to corrupted terminal emulators that steal passwords and send them to a "hacker", this probably is not the way it would happen. Such an emulator would have to have the "address" of the "hacker" in order to forward passwords to him, right? That leaves the "hacker" vulnerable to discovery and identification, and most intelligent "hackers" would not take such a risk. On the other hand, the program could store userids and passwords, hidden on disk somewhere, and the "hacker" could later come along and extract this information. Or maybe such an emulator could be set up to respond remotely to the queries of the person who planted it. Steve -------------------- Date: Wed, 20 Jul 88 20:03:40 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: David.Slonosky@QUEENSU.CA Subject: Write protect hardware Is there any way to design code so that a disk write to a write-protected disk will NOT generate a write error message? -------------------- Date: Wed, 20 Jul 88 20:05:17 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: David.Slonosky@QUEENSU.CA Subject: Getting a handle on size I just thought of a purely hypothetical question which may or may not be of value to this discussion. Supposing you were the ideal computer user and initialised your system by checksumming all your files initially followed by regular repeats, and using programs like CHK4BOMB, BOMBSQAD, and/or FSP regularly. You also believe in the value of a well-placed write protect tab and have the latest software protection for your hard drive. You have also made your important files read-only using some attribute changing utility. Along comes virus writer X who wants to destroy your system for perverted kicks. What type of virus could this person design to circumvent all these measures, what is the minimum size it could possibly be, and how much would it slow down processing time (to the detectable level? not at all?)? Obviously almost no one has write protect tabs on their disks all the time. -------------------- Date: Wed, 20 Jul 88 16:54:47 MEX Reply-To: Virus Discussion List Sender: Virus Discussion List From: SISTEMAS@VMTECMEX Hi there: I'm new to the list but I think it's real good. I would like to get a virus simulator to evaluate a protection developed here.I'd like it better if it's an "independent" simulator ( not VIRSIM ). Any suggestions? ( please be specific about it ). Thanks in advance for your valuable help. Arturo Torres. Soft.Eng.Dep. ITESM Mexico City. Mexico. -------------------- Date: Wed, 20 Jul 88 22:39:00 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: Brian Holmes Subject: Re: Write protect hardware In-Reply-To: Your message of Wed 20 Jul 88 20:03:40 EDT It is very easy to tell if a disk is write protected through specific calls to the operating system, so yes you can design code to not issue a write protect error, if a disk has been write protected. ******************************************************************* * Brian Holmes \ / ___ * * Wayne State University \/\/su | | * * Detroit Michigan ____| |____ * * | | | | * * BITNET : BHOLMES@WAYNEST1 | | | | * * INTERNET : Brian_Holmes%WU@UM.CC.UMICH.EDU | | | | * * UUCP : {UMIX|ITIVAX}!WAYNE-MTS!BRIAN_HOLMES ============= * ******************************************************************* -------------------- Date: Wed, 20 Jul 88 22:25:36 CST Reply-To: Virus Discussion List Sender: Virus Discussion List From: James Ford Subject: HDSENTRY I downloaded HDSENTRY from a bbs here in town and decided to give it a try. (HDSENTRY is suppose to be a h-drive "write-protect" tab...) It came with a DOC, COM and ASM file............. Well, I backed up a directory and then ran the program. I then proceded to DEL *.* and sat back. I got the message WARNING! TRYING TO DELETE ...etc. and said to my self, "Hey, this might do the job." I then did a directory and found no files at ALL. However, after re-booting, the files re-appeared. My question: Why does HDSENTRY do this? Are some stack pointers off or what? I have a copy of the ASM file, but don't know enough about assembly to check on it. Any takers? I'm using an IBM PS/2 M30 w/20M. James Ford JFORD1@UA1VM.BITNET -------------------- *** end of Virus-L issue ***