From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: KRVW <@NSFnet-Relay.AC.UK:KRVW@sei.cmu.edu>
Date:         Tue, 12 Jun 90 11:06:32 BST 
Message-Id:   <$TGVTCZHTCBRH at UMPA>
Subject:      Virus-L vol 0 issue #0805



Virus-L Digest Fri, 5 Aug 88, Volume 0 : Issue #0805

Today's Topics

RE: Campus virus letter
How to convince
Re: How to convince
Re: How to convince
Viruses - The Unspoken Word
Re: Viruses - The Unspoken Word
Timer TSR's
Re: Campus virus letter
Timer Ticks
Virii and Screen Output
Re: Virii and Screen Output
Re: How to convince

------------------------------

Date:         Fri, 5 Aug 88 07:48:52 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      RE: Campus virus letter
In-Reply-To:  Message of Thu, 4 Aug 88 18:18:00 CDT from <JSTEWART@SFAUSTIN>

> I say this because I myself am a student, and
>I know the majority of the Computer Science types on the campus.  I simply don't
>feel that anyone here has that much knowledge and capability.

You'd be surprised...  The sad fact is that writing a relatively simple
virus does not require all that much knowledge and/or capability.  The
average CS student (particularly one who's done some 8088) could write
a PC virus in very little time.  All it takes is the inclination to do so.
I'm sure that none of your university's students are ever disgruntled for
one reason or another...?

>realize that I attend a smaller university than most... we average 13,000 students in
>the Fall over the past couple of years).

Lehigh has about 6000 (4000 undergrad, 2000 grad)...

>What I do fear is the HIGH probability
>that these students have been in contact with some of the other students at
>other universities...

That's definitely a real threat, but don't write off an inside job.

>Computer Virus - A program which poisons one's computer software.  A program
>which is usually capable of attaching itself to other programs upon the
>execution of any number of DOS commands.  Usually written with malicious intent,
>capable of performing any task from displaying a simple message, to destroying
>hardware AND software.  These programs can be made to execute their malicious
>acts upon any pre-determined sequence of events, such as a certain keystroke or
>at a specified date and time.  These programs usually are not visible by the
>simple DOS "DIR" command, making them 'invisible' to the unsuspecting user.

Sounds a little like terror tactics, imho.  Fred Cohen's definition of a virus
goes something like - A program which attaches itself to another program and,
upon interpretation, copies (a possibly evolved version of) itself to other
program(s).  (This isn't verbatim, but the gist of it is pretty much the
same...)  Perhaps if you start by just defining a virus for what it is, and
point out that a virus can also carry a Trojan horse which can be triggered
to be activated sometime in the future.  It's probably not
a good idea to hype up the idea of a virus; just treat it as a program like
any other program.  My opinion...

Ken

Kenneth R. van Wyk                    Milo: We're out of helium for the
User Services Senior Consultant             balloons!  Who's been suckin'
Lehigh University Computing Center          the helium?!
Internet: <luken@Spot.CC.Lehigh.EDU>  Gang: Not me!  Not me! ...
BITNET:   <LUKEN@LEHIIBM1>            Opus: Eeeeeep!  Eeeeeep!

--------------------

Date:         Fri, 5 Aug 88 09:30:16 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Russell Nelson <nelson@CLUTX.CLARKSON.EDU>
Subject:      How to convince

I'm Clarkson's micro wizard.  If we get hit with a virus, everyone will
turn to me to fix it.  I'm the recognized expert.  However, when I cry
"virus coming", no one believes me.  They all believe in the ostrich
theory of virus prevention--don't talk about it and the students won't
write/import them.  Fortunately, they do think that people should be
warned to reboot before using a public machine.

Is there any validity to their point or *should* we tell the students
about viruses?
-russ

--------------------

Date:         Fri, 5 Aug 88 10:20:20 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      Re: How to convince
In-Reply-To:  Message of Fri,
              5 Aug 88 09:30:16 EDT from <nelson@CLUTX.CLARKSON.EDU>

>Is there any validity to their point or *should* we tell the students
>about viruses?

I think that our case, here at Lehigh, shoots their "ostrich theory"
down the tubes; we didn't tell our students about viruses, and we did
get infected by a virus.  Prior to the attack, there was little in the
way of virus education, with the notable exception of Dr. Cohen's
course in Computer Security.  It's possible that one of his students
learned about viruses from his course...but that is largely a moot
point now with all of the publicity that viruses have received in
the last 8 months or so.  My feeling is that *not* telling them about
viruses, at this point, is the danger; they've probably already heard
about them, and may even feel like experimenting now.  The reason that
it is dangerous to not tell them is that they (currently) have no way
of knowing what dangers exist other than what they may have read in
the press...  Tell/warn them about viruses and they might a) be more
careful in sharing programs, b) make safe backups to protect themselves,
c) try to write their own.

Ken

Kenneth R. van Wyk                    Milo: We're out of helium for the
User Services Senior Consultant             balloons!  Who's been suckin'
Lehigh University Computing Center          the helium?!
Internet: <luken@Spot.CC.Lehigh.EDU>  Gang: Not me!  Not me! ...
BITNET:   <LUKEN@LEHIIBM1>            Opus: Eeeeeep!  Eeeeeep!

--------------------

Date:         Fri, 5 Aug 88 10:09:17 EST
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Naama Zahavi-Ely <ELINZE@YALEVM>
Subject:      Re: How to convince
In-Reply-To:  Message of Fri,
              5 Aug 88 09:30:16 EDT from <nelson@CLUTX.CLARKSON.EDU>

I am not sure that detailed warnings about viruses are necessary (there are so
many rumors about them anyway).  I do think one should warn users to take the
following precautions:

1.  Use a write-protected system disk whenever possible.

2.  When you start using a public machine, TURN IT OFF first, then turn it on
    with your system disk in drive A.

Just booting (warm booting) would not be enough -- we had a virus that spread
itself that way.

Naama  Zahavi-Ely
Yale University

--------------------

Date:         Fri, 5 Aug 88 12:47:19 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>
Subject:      Viruses - The Unspoken Word

Russ, I think we've had quite a few of these arguments before
about teaching viruses.  I don't think it was the oworldn't
(Again please excuse my typing, this modem program hates my
backspace), I don't think it was the swiftest idea in the
world to publicly announce how to defeat systems, but then didn't
Popular Mechanics tell us how to create an atomic bomb?

Ken, I hate to correct you, but Fred taught a full course
on computer security, he went over viruses in detail and he taught
quite a few seminars on the theory, if I remember correctly.  He
also gave out copies of his thesis on viruses and asked several
students to write viruses for him including John Hunt if memory
serves.  He also went over his articles and they were posted on
bulletin boards.

To me that is teaching viruses, and I honestly think that because
he taught them, we received one.  Someone tells me that he even
went over command com viruses as an example one time.

Now, Fred tells us that we are lucky he discovered viruses before
someone else did.  He might be right.  But the people from University
of California and people from the AI systems here at Lehigh tell me
that all he did was create waves and destroy machines.  Whether or
not he himself did damage, 3 different colleges tell me he did.

Is this proliferation of viruses due to his talks and papers?  Or
would it have eventually come anyway?

The flipside is that many people claim viruses have been with us
since 1972, but they were small and didn't hit very hard because
all systems were unconnected and in the hands of computer experts,
where now we have large networks and everybody has a computer
and doesn't know much about it.

At this point in time, we've had far too many problems to try
to quiet the subject.  If students don't hear it from you, they
will hear it elsewhere.  I think it is a good idea to wram (arn
... WARN) people of the potential problems.  (That's it, I'm
going out and getting a new modem program.  Or a copy of Kermit
would do it).

Loren

--------------------

Date:         Fri, 5 Aug 88 14:36:17 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      Re: Viruses - The Unspoken Word
In-Reply-To:  Message of Fri, 5 Aug 88 12:47:19 EDT from <LKK0@LEHIGH>

>Ken, I hate to correct you, but Fred taught a full course
>...
>bulletin boards.

True.  I should have been more specific, and I did say that Dr. Cohen's
course was a notable exception.  What I meant was that we, the
Computing Center, didn't educate our computer users, as a whole, on
viruses.  Yes, many students took Dr. Cohen's course, and they should've
been knowledgeable on viruses, but I did mean the computing community,
as a whole.

As for whether teaching about viruses catalyzes the problem or not, I
still feel that it is largely a moot point since the cat *is* out of the
bag, so to speak.  The best that we can do at this point is to warn
our users of the potential for disaster.

Ken

Kenneth R. van Wyk                    Milo: We're out of helium for the
User Services Senior Consultant             balloons!  Who's been suckin'
Lehigh University Computing Center          the helium?!
Internet: <luken@Spot.CC.Lehigh.EDU>  Gang: Not me!  Not me! ...
BITNET:   <LUKEN@LEHIIBM1>            Opus: Eeeeeep!  Eeeeeep!

--------------------

Date:         Fri, 5 Aug 88 13:27:00 MDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         CEARLEY_K%wizard@VAXF.COLORADO.EDU
Subject:      Timer TSR's


>You cannot implement this idea in software.

Loren - It's actually not as hard as I made it sound(?). The 8253
        timer chip on the PC (8254 on the AT) invokes IRQ 8
        18.2 times per second by default. This interrupt can be
        trapped by the TSR. 18.2 is not etched in silicon, channel
        0 of this chip can be modified for faster intervals.
        This technique allows a simple method for multi-tasking
        PC applications and can be employed to implement the strategy
        I discussed.

>The idea you present makes the microcomputer unusable unless it
>has multiple motherchips.

        This occurs transparently to any application currently
        executing in the PC.

*-----------------------------------------------------------------------*
|  Kent Cearley                   |  CEARLEY_K@COLORADO.BITNET          |
|  Management Systems             |                                     |
|  University of Colorado         |     "All truth contains its own     |
|  Campus Box 50                  |      contradiction"                 |
|  Boulder, CO 80309              |                                     |
|                                 |                                     |
*-----------------------------------------------------------------------*

--------------------

Date:         Fri, 5 Aug 88 15:36:01 CDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Len Levine <len@EVAX.MILW.WISC.EDU>
Subject:      Re: Campus virus letter
In-Reply-To:  Message from "John Stewart" of Aug 4, 88 at 6:18 pm

>
>To the group: (especially Len Levine)
>
>     I reviewed your virus letter that you put on the list last Wednesday,
>and I found it to be very useful.  I am in the process of researching, and
>preparing much the same type of paper for our university.  I do have a couple of
>suggestions that you may find useful, and then again you may not....
>     I agree with the earlier posting (I forgot who it was), which criticized
>the grave tone of a good bit of the paper.  I don't know about your university,
>but I don't feel that we are in that deep of a threat of our own students
>inventing such beastly programs.  I say this because I myself am a student, and
>I know the majority of the Computer Science types on the campus.  I simply don't
>feel that anyone here has that much knowledge and capability.  (You must realize
>that I attend a smaller university than most... we average 13,000 students in
>the Fall over the past couple of years).  What I do fear is the HIGH probability
>that these students have been in contact with some of the other students at
>other universities and will, either on accident or on purpose, return with some
>sort of Virus program in their software.
>     You mentioned in your posting that 'your audience will be faculty and staff
>who are reasonable, but do not understand computers or computering'.  I feel
>that this is a good estimate of my intentions for my audience.  With this in
>mind I feel that the material needs to be explained a little better.  Not even
>ALL of our Computer Science majors know what a Virus is, I surely don't expect
>a chemistry professor to deduce my meaning of a VIRUS in the context of the
>article.  With this in mind I have decided to begin my article with a definition
>or two, positively to include that of a VIRUS.  THIS IS WHERE I WOULD LIKE SOME
>HELP FROM 'THE GROUP'.  Below I will _attempt_ to derive some sort of
>definition, and would greatly appreciate any and all criticism and suggestions!
>
>Computer Virus - A program which poisons one's computer software.  A program
>which is usually capable of attaching itself to other programs upon the
>execution of any number of DOS commands.  Usually written with malicious intent,
>capable of performing any task from displaying a simple message, to destroying
>hardware AND software.  These programs can be made to execute their malicious
>acts upon any pre-determined sequence of events, such as a certain keystroke or
>at a specified date and time.  These programs usually are not visible by the
>simple DOS "DIR" command, making them 'invisible' to the unsuspecting user.
>
>..well?  Please, I make no attempt at declaring myself to be a VIRUS expert, or
>even extensively knowledgeable of them.  I merely do the best I can.  I would
>appreciate any hints, revisions, advice, etc.
>
>   Finally, thank you Len for providing the article to base our defenses upon.

I received several letters like this, and will rewrite the first
sections of the memo to reflect this.  Thanks.

I will send the final copy to this net and expect that people will
steal freely from it.

thanks for the help.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine                  e-mail len@evax.milw.wisc.edu    |
| Professor, Computer Science                Office (414) 229-5170    |
| University of Wisconsin-Milwaukee          Home   (414) 962-4719    |
| Milwaukee, WI 53201 U. S. A.               Modem  (414) 962-6228    |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

--------------------

Date:         Fri, 5 Aug 88 18:11:30 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Art Larky  <AIL0@LEHIGH>" <AIL0@LEHIGH>
Subject:      Timer Ticks

>>You cannot implement this idea in software.

>Loren - It's actually not as hard as I made it sound(?). The 8253
>        timer chip on the PC (8254 on the AT) invokes IRQ 8
>        18.2 times per second by default. This interrupt can be
>        trapped by the TSR. 18.2 is not etched in silicon, channel
>        0 of this chip can be modified for faster intervals.
>        This technique allows a simple method for multi-tasking
>        PC applications and can be employed to implement the strategy
>        I discussed.
  It's not all that easy.  DOS (and BIOS) are not re-entrant, so you
would not be able to use any DOS or BIOS calls in your program since
you would not know who was doing what where when you got the tick.
Of course, like all other TSR's you'd have contention problems with
the timer tick.  What about all the other people (including DOS)
who expect that tick to be at 18.2?

        Art Larky  CSEE Dept Lehigh Univ
        BBS: (215) 974-4068

>>The idea you present makes the microcomputer unusable unless it
>>has multiple motherchips.

>       This occurs transparently to any application currently
>       executing in the PC.

>  Kent Cearley                   |  CEARLEY_K@COLORADO.BITNET          |
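
Added example, not part of either post above: a C simulation of the arrangement the two messages argue over, in which a resident program sets channel 0 to a faster tick, still hands control to the previous handler at the default 18.2 Hz rate, and postpones its own work while DOS is busy. The 1,193,182 Hz input clock and the default count of 65536 are standard PC values; the struct, the function names and the `dos_busy` flag are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

#define PIT_INPUT_HZ  1193182UL  /* input clock of the 8253/8254 */
#define BIOS_DIVISOR  65536UL    /* default channel 0 count: about 18.2 Hz */

struct tick_state {
    uint32_t divisor;        /* count programmed into channel 0 */
    uint32_t accum;          /* input clocks owed to the old handler */
    unsigned long fast;      /* times our handler ran */
    unsigned long chained;   /* times the old 18.2 Hz handler was called */
    unsigned long work_done; /* monitor passes actually executed */
    int pending;             /* work postponed because DOS was busy */
};

/* Interrupt rate in millihertz for a given channel 0 count. */
unsigned long pit_rate_mhz(uint32_t divisor)
{
    return (unsigned long)((PIT_INPUT_HZ * 1000ULL) / divisor);
}

/* One simulated timer interrupt. dos_busy models "someone is inside DOS"
   (a hypothetical flag for this example). */
void on_tick(struct tick_state *s, int dos_busy)
{
    s->fast++;
    s->pending = 1;                 /* a monitor pass is due */
    if (!dos_busy) {                /* DOS is not re-entrant: run only outside it */
        s->work_done++;
        s->pending = 0;
    }
    s->accum += s->divisor;
    if (s->accum >= BIOS_DIVISOR) { /* one full default period has elapsed */
        s->accum -= BIOS_DIVISOR;
        s->chained++;               /* a real TSR jumps to the saved vector here */
    }
}

/* Run the handler for `clocks` input clocks; DOS is busy on every
   busy_every-th interrupt (0 = never). Returns the chained tick count. */
unsigned long simulate(struct tick_state *s, unsigned long clocks,
                       unsigned busy_every)
{
    unsigned long n = clocks / s->divisor, i;
    for (i = 1; i <= n; i++)
        on_tick(s, busy_every && (i % busy_every == 0));
    return s->chained;
}

int main(void)
{
    struct tick_state s = { 16384, 0, 0, 0, 0, 0 };   /* four times the default rate */
    unsigned long old = simulate(&s, 10 * PIT_INPUT_HZ, 3);
    printf("rate %lu mHz, handler ran %lu times, chained %lu, work %lu\n",
           pit_rate_mhz(s.divisor), s.fast, old, s.work_done);
    return 0;
}
```

Over ten simulated seconds the previous handler still sees about 18.2 ticks per second whatever count is programmed, which is the condition other tick consumers depend on.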

--------------------

Date:         Fri, 5 Aug 88 21:22:18 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         David.Slonosky@QUEENSU.CA
Subject:      Virii and Screen Output

Given the open memory of DOS and the fact that (it seems) any program
can take over the memory space of any other program, and also the
fact that ROM BIOS calls can be used to create screen output, is it
possible to create a virus which, after insertion into a program is
undetectable by a program like LIST.COM or a sector editor? In other
words, once the virus knows that a program is doing a disk read of
the section it's hiding in, can this hypothetical virus then fool the
system into thinking that the legitimate code is still in place? I think
that the capability to examine sectors on a disk is a big help in
combatting these things and wonder whether a clever virus could mask
its existence in this fashion.

--------------------

Date:         Fri, 5 Aug 88 23:29:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         WHMurray@DOCKMASTER.ARPA
Subject:      Re: Virii and Screen Output
In-Reply-To:  Message of 5 Aug 88 21:22 EDT from "David.Slonosky%QUEENSU.CA at
              CUNYVM.CUNY.EDU"

>....is it possible to create a virus which, after insertion into a program is
>undetectable by a program like LIST.COM or a sector editor?

The short, obvious and trivial answer to your question is that if you
can conceive it, and if it could be done by any other program, then it
can be done by a virus.

Bill

--------------------

Date:         Fri, 5 Aug 88 23:44:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         WHMurray@DOCKMASTER.ARPA
Subject:      Re: How to convince
In-Reply-To:  Message of 5 Aug 88 09:30 EDT from "Russell Nelson"

>Is there any validity to their point or *should* we tell the students
>about viruses?

I do not know, but I do think that it is a good idea to teach them good
hygiene.  We teach small children to wash their hands long before they
know about disease or how it is spread.

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

--------------------

*** end of Virus-L issue ***
