Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA25861; Tue, 12 Jun 90 06:41:04 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA12964; Tue, 12 Jun 90 06:41:00 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA04229; Tue, 12 Jun 90 06:40:33 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa09516; 12 Jun 90 11:10 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: KRVW <@NSFnet-Relay.AC.UK:KRVW@sei.cmu.edu>
Date:         Tue, 12 Jun 90 11:05:56 BST 
Message-Id:   <$TGVTCZHTCBRD at UMPA>
Subject:      Virus-L vol 0 issue #0802



Virus-L Digest Tue, 2 Aug 88, Volume 0 : Issue #0802

Today's Topics

ERIC NEWHOUSE'S BITNET ADDRESS ?
** no subject, date = Tue, 2 Aug 88 01:31:18 EDT
** no subject, date = Tue, 2 Aug 88 01:44:02 EDT
Re: Trapping Direct Disk Write Calls
** no subject, date = Tue, 2 Aug 88 13:07:50 EDT
Trapping Disk Calls
forwarded comments on VIRSIM program
Forwarded legal comments from J.D. Abolins
Virus/Computer Security Conference results
Conference Notes

------------------------------

Date:         Tue, 2 Aug 88 09:08:00 U
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         KAICHEON@ITIVAX
Subject:      ERIC NEWHOUSE'S BITNET ADDRESS ?

Does anybody know how someone can contact Eric Newhouse of DIRTY DOZEN over
bitnet? Thanks in advance!

--------------------

Date:         Tue, 2 Aug 88 01:31:18 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>

A few days ago, I mentioned the possibility of having a conference for  the
group  of us at some time in the future. We have had about forty people say
they were interested in such a thing from several areas of the country.  We
have  a few people who wish to discuss various security topics and so on. I
believe that if we set a date and place for such a conference, we will  get
quite a few more responses. I have some comments on the idea:

1)  I would like to open it to the press.  We could bill it as a
    big meeting of the minds on virus-theory and how we might
    be able to stop these destructive programs.
2)  I would be happy to set it up, would anyone else like to
    volunteer to help?
3)  I'd like some ideas on how long such a conference would last
    ... the problem is that some people may end up coming from
    great distances for it.
4)  I prefer to hold such a meeting in the Lehigh Valley area
    (Allentown/Bethlehem  Pa) which is less than an hour from
    Philadelphia, less than 2 hours from New York City, 5 hours
    from Boston, and 5 from Washington DC.  It's a centralized
    location with quite a bit of access.   If there are any
    great reservations about this area, we can consider something
    else.   We may be able to get a group together on the East
    Coast and one together a bit later on the West Coast.  If we
    do this, I'd like to attend both, and I wouldn't mind
    organizing both.
5)  Since we did have some enthusiastic replies to the idea,
    I believe we can get a decent group together to work on the
    theories of computer viruses, protection schemes, future
    computer security and so on.

    Comments?

                              Loren Keim

--------------------

Date:         Tue, 2 Aug 88 01:44:02 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>

Alright, to answer further questions about a virus seminar:

1) Will it cost money?

   I don't know yet, we're just considering it.  I imagine that
if we want to make up a booklet for the meeting, we might ask
for a donation, or perhaps some of the colleges and companies
out there might donate a small amount of money with the promise
of us putting an ad for them in the package.  We may also need
to rent some conference rooms, although I think I can get some.
And if the group is small (although I doubt it will be) we
might hold a dinner of some sort.

2)  When will it be?

    Again, we're just discussing the idea.   Unfortunately,
for college professors and associates, school is starting
shortly and I doubt we'll get something in before it starts,
but I don't think we'll have a problem if it's early in the
semester.  What would you think of the second weekend in
September?   Earlier, later?

3)  How far is the Lehigh Valley from Trenton, Princeton,
and Pittsburgh?

    Ugh!  It's on the map.  The Allentown area is about an
hour and a quarter from Trenton if memory serves, I haven't
been there since the Trenton Computer Faire.  I haven't
the slightest idea how far it is from Trenton, I haven't
been there in a while.  But for the New Jersey people,
it's an hour from Morristown, 3 hours from Atlantic City
(max, some people make it in less), and an hour and a
quarter to a half from Camden.  You can figure out
the rest.

     It's about 4 1/2 - 6 hours from Pittsburgh.  I've gotten
all sorts of conflicting times on that.  It takes me 4 1/2 hours,
you slow drivers may take a bit longer.  It's an hour and a half
from Harrisburg, an hour and a half from Lancaster.

     People who are farther than Pittsburgh may want to fly.
I think it's a 15 minute hop from Chicago for only 35 bucks.

     And no, Karen, we are not a "hick town".  The Valley
has 700,000 people in it.  Granted, we're not New York City,
but we hold our own in terms of metropolitan areas.  Incidentally,
we have 3 skyscrapers (wow!).   We're also home to AT&T
research (Bell Labs and several other AT&T plants), Air
Products, Bethlehem Steel, Mack Trucks and Union Pacific.
It's a very nice area to live.

                                Loren

--------------------

Date:         Tue, 2 Aug 88 08:38:22 CDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Len Levine <len@EVAX.MILW.WISC.EDU>
Subject:      Re: Trapping Direct Disk Write Calls
In-Reply-To:  Message from "Chris Bracy" of Jul 31, 88 at 12:32 (midnight)

>GARY SAMEK writes:

>>  When a virus gets into command.com, it is very difficult to stop it from
>>spreading if it is well written.

>I don't see why a virus in command.com is any harder to trap than a virus
>in any other program.  Command.com is just a .com file like any other .com
>file except in purpose.  Its structure is similar, and (theoretically) only
>makes its calls thru dos.  The Int 21 handlers are NOT part of command.com.

No casual test of the date of creation, or even the file size will
trap the inclusion of a virus into command.com.  The 4000 byte space
left at the end of that program allows for room to enter a sizable
virus.  Even my favorite scheme of checking the CRC can easily be
defeated if the virus writer knows what CRC formula I use by the
simple addition of 2 bytes of non-executable code to fix the CRC and
return it to its original value.

Even if there were not room for a sizable virus, the scheme (already
used) of putting a program onto disk and marking that disk area as bad
in the FAT, and then linking that area into your code would afford
all of the space needed.

Watching command.com and other files that matter with a CRC formula
that is different from what others use is one of the best ways I know
to detect infection (albeit after it happens).

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine                  e-mail len@evax.milw.wisc.edu    |
| Professor, Computer Science                Office (414) 229-5170    |
| University of Wisconsin-Milwaukee          Home   (414) 962-4719    |
| Milwaukee, WI 53201 U. S. A.               Modem  (414) 962-6228    |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
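
As an added illustration of the point above (example code, not from the digest or its authors), the following compares a CRC-16 baseline with a keyed HMAC-SHA256 tag on a constructed file image: after bytes are appended, it searches for the 2-byte suffix that restores the original CRC, and shows that the keyed tag still flags the change because the checker's secret is the key rather than the formula. The CRC parameters, the file image, the appended bytes and the key are all assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

CRC16_POLY = 0x1021  # CRC-16/CCITT polynomial, MSB-first (assumed parameters)


def crc16_update(crc: int, data: bytes) -> int:
    """Feed data into a running CRC-16 register (poly 0x1021, MSB-first, no final XOR)."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ CRC16_POLY) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def crc16(data: bytes) -> int:
    """CRC-16 of a whole file image, starting from the conventional 0xFFFF register."""
    return crc16_update(0xFFFF, data)


def keyed_tag(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 tag: the secret key plays the role of the 'formula nobody else knows'."""
    return hmac.new(key, data, hashlib.sha256).digest()


def crc16_fixup(prefix: bytes, target: int) -> Optional[bytes]:
    """Return the 2-byte suffix that makes crc16(prefix + suffix) equal target.

    Only the register state after the prefix matters, so each of the 65536
    candidates costs two byte updates. CRC-16 is linear, so exactly one
    candidate works; this is the weakness the message describes."""
    state = crc16_update(0xFFFF, prefix)
    for candidate in range(0x10000):
        suffix = candidate.to_bytes(2, "big")
        if crc16_update(state, suffix) == target:
            return suffix
    return None


# Constructed stand-ins (not real files): a fake program image and bytes appended to it.
ORIGINAL_IMAGE = b"MZ" + bytes(range(256)) * 2
APPENDED_BYTES = b"<constructed appended bytes>" * 3


def compare_integrity_checks() -> dict:
    """Baseline both checks on the original image, modify it, then see which check still fires."""
    baseline_crc = crc16(ORIGINAL_IMAGE)
    key = secrets.token_bytes(32)  # held by the checker only, never stored beside the file
    baseline_tag = keyed_tag(key, ORIGINAL_IMAGE)

    modified = ORIGINAL_IMAGE + APPENDED_BYTES
    fixup = crc16_fixup(modified, baseline_crc)
    patched = modified + fixup

    return {
        "fixup_len": len(fixup),
        "crc_flags_patched_file": crc16(patched) != baseline_crc,  # False: CRC restored
        "hmac_flags_patched_file": not hmac.compare_digest(keyed_tag(key, patched), baseline_tag),
    }


if __name__ == "__main__":
    for name, flagged in compare_integrity_checks().items():
        print(f"{name}: {flagged}")
```

A plain (unkeyed) cryptographic hash over the file also resists this fixup, but the stored baseline must then be protected from rewriting; the key in the HMAC variant removes that dependency.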

--------------------

Date:         Tue, 2 Aug 88 13:07:50 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>

Alright, alright,

The people from the West Coast say there are more people working
on viruses on that coast, so we should start there.

The people from the East Coast agree that it should be here.

The people from the middle states tell us that we should have
a nationally centralized location.

Eep.  I didn't mean to start a war.  I'd like people who
are interested in such a conference to reply to me as to where
they wouldn't mind traveling for the conference.   Would
they mind coming to the East Coast, would they mind meeting
somewhere in the middle states, and so on.

Reply to LKK0@LEHIGH.Bitnet (excuse my last letter which incorrectly
stated where I was).

Loren

--------------------

Date:         Tue, 2 Aug 88 15:28:01 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Art Larky  <AIL0@LEHIGH>" <AIL0@LEHIGH>
Subject:      Trapping Disk Calls

You won't catch my virus by watching for DOS calls,  because  I  won't  use
them.  You won't catch my virus by watching for BIOS calls, because I won't
use them. Since everyone knows where DOS and  BIOS  keep  the  information
about your hard disk and everyone knows what port addresses do what on a PC
compatible, I'll just access the hardware directly. It may be more trouble,
but  it's  also  a sure-fire way to eat your FAT tables and/or insert myself
into any program I wish. Face it - the IBM 'open architecture' was a  great
idea  for  clone  manufacturers;  but  now everyone uses the same BIOS data
areas and the same port addresses in the  interests  of  compatibility,  so
there  is  no  mystery  about  how  to  get  your  hands  on  the hardware.
Command.com is a great place to hide a virus, not only because it has  room
for  it, but also because it gets executed immediately after your autoexec,
so your chances of catching the virus depend upon what you do in  autoexec.
Also, everyone has command.com and everyone uses it all the time, so it has
lots  of  chances of spreading an infection. The AIDS slogan is safe sex or
no sex. Apply the same or greater caution to your computer! Art

--------------------

Date:         Tue, 2 Aug 88 15:37:05 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      forwarded comments on VIRSIM program

Here are some comments on the VIRSIM package, from Jim Crooks:
Ken
From:         Jim Crooks <JIM@ISS.NUS.AC.SG>
Subject:      RE: VIRSIM

In Reply To: message from <VIRUS-L@LEHIIBM1.BITNET> of 7-20-88,
(Andrew Vaught <29284843@wsuvm1>)

In some ways, a program like VIRSIM is a good idea *IF* it is well  written
and  *IF* it is updated frequently to reflect the leading edge of virology.
At least it would provide a benchmark against which we  could  measure  the
masses  of  anti-viral software that have been appearing lately. If one can
incorporate all known threats in the test, then at least we will know  what
protection  we  are buying (or not buying) with a package. Since a recycled
known virus can cause as much grief as a new one if it finds a loophole in
your defenses.

The risks are as follows:

- new methods of attack will be developed  to  circumvent  current  defense
  mechanisms - as has been stated previously, a simulator will give a false
  sense of security
- a well documented simulator will unfortunately provide a source of  viral
  techniques for the bad guys.

The only way to do a better job of anti-virus work is to actively  research
it  - but then the fellow who taught VIRUS-101 caught a lot of flak didn't
he, so it would be a fairly dicey process to say the least...

Can someone send me the address of NBBS or Interpath - tnx.

James W. Crooks
Member, Advanced Technology Application Staff
Telebox(DIALCOM): 12:GVT331   ATTN:((JIM))
BITNET:           JIM@ISS.NUS.AC.SG
BIX:              jw.crooks
Institute of Systems Science, National University of Singapore
Heng Mui Keng Terrace, Kent Ridge, Singapore 0511

Kenneth R. van Wyk                    Milo: We're out of helium for the
User Services Senior Consultant             balloons!  Who's been suckin'
Lehigh University Computing Center          the helium?!
Internet: <luken@Spot.CC.Lehigh.EDU>  Gang: Not me!  Not me! ...
BITNET:   <LUKEN@LEHIIBM1>            Opus: Eeeeeep!  Eeeeeep!

--------------------

Date:         Tue, 2 Aug 88 15:39:27 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      Forwarded legal comments from J.D. Abolins

I received this file which was sent to VIRUS-L from OJA@NCCIBM1 :
[Note J.D. - you can't send files to the list, only mail. Ken]

>Robert, I've been looking for laws concerning viruses for
>some time, and haven't found any.  I have located three laws
>which I will summarize when I have them in front of me.
>They basically state that it is illegal to enter a computer
>system that is not their own or that they don't rightly
>have access to because it's a form of breaking and entering
>...  if their computer enters it, they are responsible, or
>if some program they wrote enters it, they are responsible.
>It is also illegal to read other people's mail on the
>system, even if it is your own company's system.   And
>it's illegal to change anything on a system which you were
>not specifically asked to change by the user, if I remember
>correctly.

The three legal points are pretty much the basic tools for dealing with computer
crime. Here's the listing of the legal  action  from  what  I  have  seen--

1) Breaking and Entering variants, including illegal systems access
2) Fraud. This is evident for  computer  acts  which  produce  a  financial
   benefit  to  the perpetrator. (This has not been seen in any viruses to
   date.) In the case of the British Telecom hackers, a fraud law was used
   to bring the fellows to trial for hacking into Prince Charles's  e-mail.
3) Sabotage and its variants. (If the malicious program  was  shown  to  be
   deliberately used against an installation.)
4) Electronic Communications Privacy Act (ECPA) regarding  e-mail  privacy.
   (I'll send up a rough text and analysis soon.)
5) The various state laws regarding computers.

Computer law is in its infancy. Most attempts to prosecute are  based  upon
existing laws.

>Also, 250,000 outbreaks is a bit high. If they are counting number
>of disks infected, that might be a little low. We had around 600 disks
>infected at Lehigh alone with the first outbreak of a virus here.
>Figures of the Israeli virus put it at around 18000 copies found (although
>that number couldn't be backed up by anyone.)

About the counts, it does depend upon what  was  counted  -  installations,
computers,  disks,  potentially  affected  disks,  people  affected  by the
affected disks, etc. Also, about the counts of the types of viruses,  there
is  a  major  problem-  lack  of  nomenclature (naming) conventions. This is
compounded by the rapid stream of virus reports. Many times, the reports may
change the name of a case and future article writers get the impression that
it  is  a  new  case. This happened with the Hebrew University case; it has
been called  "Hebrew  University  virus",  "Israeli  virus",  "PLO  virus",
"Friday the 13th virus", etc. From writing articles about viruses and other
things,  I  have seen how easy it is for jumbling of facts, especially if
only secondary and tertiary sources are used.

Finally, the fact that the viruses are codes that  are  embedded  in  files
complicates  identification.  (This makes the "Dirty Dozen listing" approach
more difficult. Rather than giving a common  file  name  of  the  malicious
program  (which  is  helpful  for  trojan horses, until someone changes the
filename), the viruses need  to  be  described  by  mode  of  transmission,
attack, symptoms, etc.)

J. D. Abolins

Kenneth R. van Wyk                    Milo: We're out of helium for the
User Services Senior Consultant             balloons!  Who's been suckin'
Lehigh University Computing Center          the helium?!
Internet: <luken@Spot.CC.Lehigh.EDU>  Gang: Not me!  Not me! ...
BITNET:   <LUKEN@LEHIIBM1>            Opus: Eeeeeep!  Eeeeeep!

--------------------

Date:         Tue, 2 Aug 88 22:16:05 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>
Subject:      Virus/Computer Security Conference results

Wow!

We've had quite a few comments, questions and preferences come  in  today.
I'll  give  you  a quick run down and try to answer some of the overlapping
questions. We've had 18 votes for the East Coast, 2 votes  for  the  middle
states,  3 people who said they didn't care because they'd have to fly over
the ocean to get here anyway and NO votes for the West Coast (surprise!). I
would like you to keep sending me mail and suggestions, we'll see  how  the
majority  of  people feel, but we'll need to know quickly if we want to set
this up. Most people believe we  should  have  a  weekend-long  conference,
rather  than a day because some are willing to fly in for it and because we
have so many people interested in the subject. I agree.

I'd like to thank Craig Pepmiller for  his  suggestions,  and  his  "sample
weekend"  which  outlays a set of possible conferences. I also thank all the
people who had suggestions for specific people to speak. The names to  come
up  the  most  were:  Several  people for Y. Radai, several people for Fred
Cohen, several people for me (honest, I  didn't  say  a  thing!),  and  one
person who asked for a member of Panda systems to speak. As well we had two
people  ask  if  we could get Robert Slade to bring his material on viruses
down, 3 people who wanted to know where  they  could  get  copies  of  Fred
Cohen's booklets (I have some material, but not all), and if they could get
copies  of  my  book (It ISN'T published yet!) We had questions about hotel
accommodations and expenses. I  think  we  will  have  to  end  up  charging
something so we can have food at the conference, coffee, donuts, and so on.
It  will  be  a  non-profit conference however. Also, for overnight guests,
we'll  need  hotel  accommodations.  If  any  companies  are  interested  in
donations???

We were asked whether or not this would be an "official" conference, so  it
could be university sponsored by different universities. Yes, I don't see a
problem  with that. I also see no problem with sending personal invitations
to help get colleges to pay for certain people's trips to  the  conference.
Craig also suggested that for people who cannot get to the conference, have
it  video  taped.  I  like that idea. If anyone has suggestions for topics,
please send them.

As well, several people suggested that we have the speeches  published  and
sent  out  to  whoever  wants them and can't make it. I see no problem with
that, but we'll probably have to charge a small fee for it.

I was incorrect on my time from Chicago  to  ABE  airport.  It  is  not  15
minutes,  it  is more like an hour. Prices are still in question however, I
will check them.

Prof. Larky also  points  out  that  ABE  is  serviced  by  United,  USAir,
Northwest, Eastern and several regional airports.

For  people  who  asked  whether  the  Lehigh  Valley  has   any   computer
significance...  BITE  YOUR TONGUE! Charles Brown (anyone remember him?) was
out here a while back to give a speech. He told us that the  Lehigh  Valley
was  the original, the one and ONLY silicon valley. The Valley, he said, is
where the  computer  was  conceived  and  where  the  microchip  was  first
invented.  We  also  have Bell Labs here, AT&T solid state labs, AT&T, Bell
Atlantic,  a  small  IBM  outpost,  Unisys,   Digital   servicing,   Lehigh
University,  Homer  Research Labs, and quite a few other little places. (We
don't have HP or Epson  out  here,  and  that  has  always  depressed  me.)

That is all for now, I'll have more as  it  develops.  Keep  the  comments
coming  in,  and  I  will  set  up  a definitive date, a definite place and
schedule it. Again, we had one volunteer to  work  on  the  conference  and
three others that hinted at it. Anyone interested in helping?

Thank you, Loren Keim

Also, for the person who mentioned that I don't have headers and that makes
life difficult, I am sorry, I'll try to remember to put headers on from now
on. We are using IBM equipment though,  so  instead  of  Digital  equipment
asking  for a header, we must physically tab to the header field and insert
one (Horrors, a machine that doesn't do it for me!)

--------------------

Date:         Tue, 2 Aug 88 22:26:50 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>
Subject:      Conference Notes

Another quick note:

Some questions came up from various people that I neglected
to answer.  WHEN would we have such a conference.  If we
hold it too soon, people won't have time to plan it into
their schedules, but if we have it this year yet and after
mid October, we're running the risk of hitting Prof's
midterms and finals.

I'm leaning towards the second weekend in October.   I'd also
like to know if enough people would be interested in attending.
We've had around 60 replies, but that doesn't mean they are
definitely coming.  I'd like to know who is seriously interested
in such a conference so we can plan ahead.  I don't see a
serious problem because we are said to have around 6000 people
on this listserv (this is an unsupported number because
this is a closed listserv and we cannot ask it who is on or
how many).

We've also gotten some final comments asking "Oh Where Oh
Where is David Slade?"

Loren Keim

--------------------

*** end of Virus-L issue ***
