From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: KRVW <@NSFnet-Relay.AC.UK:KRVW@sei.cmu.edu>
Date:         Tue, 12 Jun 90 11:06:56 BST 
Message-Id:   <$TGVTCZHTCBRR at UMPA>
Subject:      Virus-L vol 0 issue #0808



Virus-L Digest Mon, 8 Aug 88, Volume 0 : Issue #0808

Today's Topics

Re: Virii and Screen Output
Forwarded info on U.S. virus legislation
Washing your hands
Flushot Plus 1.4
Last Reply
Re: Washing your hands
re: Campus Virus Letter
Hiding viruses

------------------------------

Date:         Mon, 8 Aug 88 00:59:40 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Amanda B Rosen <abr1@CUNIXC.CC.COLUMBIA.EDU>
Subject:      Re: Virii and Screen Output
In-Reply-To:  Your message of Fri, 5 Aug 88 21:22:18 EDT

David Slonosky's idea of a virus concealing itself is quite interesting, but
there is a reason I don't think it could work.

To really hide, the virus would have to remember the code it was overwriting.
Otherwise, finding a chunk of $00s or No-ops in the middle of your code would
be pretty suspicious (unless you're looking at COMMAND.COM :-)

Anyway, while we all know of the CS1001 problem "write a program that prints
itself", this is not that simple. It can't easily print (what's supposed to
be) itself since it has no place to put it. It could of course find some
spare sectors on the disk, but how is it going to keep from overwriting info
kept by another copy of itself? It would have to keep its own directory. How
can it prevent DOS from using its sectors (which are free, as far as DOS
knows)?  It would have to infect DOS.

Etc.
Etc.
Etc.

The point is, this virus rapidly grows so complex that it couldn't hide. The
original copy would be huge, and it would have a significant effect on the
system.

Of course, this brings up the nightmarish possibility of a program like this
running on a mainframe with enough power that its overhead wouldn't be
noticed (or it could doctor CPU usage tables while it was at it...). The only
protection against this is the fact that the innards of the OS are protected
on mainframes. However, if a superuser (or whatever) was dumb enough to run
the necessary trojan...

Yuck.

--------------------

Date:         Mon, 8 Aug 88 09:12:05 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      Forwarded info on U.S. virus legislation

For everyone who's been interested in computer virus legislation,
here's a proposed U.S. bill on just that.  This was sent in by
Joseph Beckman (thank you!).

Ken

From:  "Joseph M. Beckman" <Beckman@DOCKMASTER.ARPA>
Subject:  Virus Bill

"Computer Virus Eradication Act of 1988"

(a) Whoever knowingly --

          (1) inserts into a program for a computer information or commands,
knowing or having reason to believe that such information or commands will
cause loss to users of a computer on which such program is run or to those who
rely on information processed on such computer; and

          (2) provides such program to others in circumstances in which those
others do not know of the insertion or its effects;

or attempts to do so, shall, if any of such conduct affects interstate or
foreign commerce, be fined under this title or imprisoned not more than
10 years, or both.

Entered July 14th 1988 by Mr. Herger (congressman from CA) for himself and
Mr. Carr; referred to Committee on the Judiciary, to amend title 18.

Joseph

Kenneth R. van Wyk                    Milo: We're out of helium for the
User Services Senior Consultant             balloons!  Who's been suckin'
Lehigh University Computing Center          the helium?!
Internet: <luken@Spot.CC.Lehigh.EDU>  Gang: Not me!  Not me! ...
BITNET:   <LUKEN@LEHIIBM1>            Opus: Eeeeeep!  Eeeeeep!

--------------------

Date:         Mon, 8 Aug 88 09:13:00 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         the Preserver <VISHNU@UFPINE>
Subject:      Washing your hands

Someone recently advocated the teaching of "viral hygiene" to joe average
computer user while keeping "virus writing" to the experts (a poor paraphrase,
but it gets the point across). This is the wrong attitude. Viruses are a
part of the current computing environment, so are worms, trojans, etc...
Educating users in prevention is necessary to stem the amount of damage done
by these destructive programs. However, if the future computing environments
are going to be better, computer diseases 101 had best be taught. The field
of computing is growing at an incredible rate and in this growth, nowhere do
we see a system completely foolproof. Why not? Because the system designers
didn't know about the various kinds of computer diseases. The CIS students
of today will be tomorrow's programmers, educating them now about how virii
work, detection schemes, security controls and pitfalls, will in the long
run make virus writing something undertaken only by a few experts, instead
of the situation we have now where combatting viruses is undertaken by only
a few experts and every joe hacker on the street can create a virus for
the expert virus hunters to track down.

Les Hill
vishnu@pine.circa.ufl.edu
vishnu@ufpine

--------------------

Date:         Mon, 8 Aug 88 10:44:09 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "David A. Bader" <DAB3@LEHIGH>
Subject:      Flushot Plus 1.4

I have not been subscribing to the Virus List lately, but since I
had a question concerning Ross Greenberg's Flushot Plus 1.4, I figured
someone here might have an answer for me. Please carbon replies to me.

I have an AT-clone and have always tried the Flushot programs (and as I
figured out by losing my CMOS memory) - they did me no good.  Anyway,
I've been using version 1.4 (which was released July 13, 1988) and
haven't had any problems (fatal) until today.  While using Procomm Plus
Test Drive v.1.1 my computer rebooted without me touching any keys.  I
wondered what was going on, and it rebooted several times.  The only
change in my system is that now I have FSP14 running.  Has anyone else
experienced similar problems? (I am unsure that FSP is the culprit, but
have eliminated all other possibilities.)

One other question that I have concerns my CMOS memory.  I have FSP
checking my CMOS, and it doesn't erase it like the last version, but WHY
when I boot off my hard disk and try to read a floppy does it warn me
that "CMOS IS BEING WRITTEN TO"??? Should reading a floppy disk have any
effect on CMOS, or is this another annoying bug in Ross's program?

Please forward any comments to DAB3@LEHIGH.   Thank you,
                                              David Bader

--------------------

Date:         Mon, 8 Aug 88 10:08:00 MDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         CEARLEY_K%wizard@VAXF.COLORADO.EDU
Subject:      Last Reply

Art, just a couple of points...

>  It's not all that easy.  DOS (and BIOS) are not re-entrant, so you
>would not be able to use any DOS or BIOS calls in your program since
>you would not know who was doing what where when you got the tick.
>Of course, like all other TSR's you'd have contention problems with
>the timer tick.  What about all the other people (including DOS)
>who expect that tick to be at 18.2?

BIOS is, in fact, reentrant. The TSR would not
need to rely on any of these services, however, it would merely
check interrupt vectors in memory for modifications.

You are right about the clock ticks; if you reset the value
time might get a little twisted, however, I believe you can also
employ Channel 2, normally used for the speaker, but maybe 18.2 would be
the resolution you are stuck with.

This tactic was really another approach to intercepting a virus which
relies on obtaining control from system interrupts. Its utility would
be its function in a more comprehensive strategy.

*-----------------------------------------------------------------------*
|  Kent Cearley                   |  CEARLEY_K@COLORADO.BITNET          |
|  Management Systems             |                                     |
|  University of Colorado         |     "All truth contains its own     |
|  Campus Box 50                  |      contradiction"                 |
|  Boulder, CO 80309              |                                     |
|                                 |                                     |
*-----------------------------------------------------------------------*
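
[Added example, not part of the original digest or of any poster's code: a C sketch of the check described in the message above, comparing the 256-entry real-mode interrupt vector table against a trusted baseline. The table images, the sample handler addresses and the "moved from above 640K into conventional RAM" flag are assumptions made for illustration.]

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IVT_ENTRIES 256        /* real-mode table at 0000:0000, 4 bytes per entry */
#define CONV_TOP    0xA0000UL  /* end of 640K conventional RAM */

typedef struct {
    uint8_t  vec;                                /* interrupt number */
    uint16_t old_seg, old_off, new_seg, new_off; /* handler far pointers */
    int      rom_to_ram;                         /* heuristic flag (assumption) */
} ivt_change;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t linear(uint16_t seg, uint16_t off) { return ((uint32_t)seg << 4) + off; }

/* Write one entry: offset word first, then segment word, little-endian. */
static void ivt_set(uint8_t *ivt, unsigned v, uint16_t seg, uint16_t off)
{
    uint8_t *p = ivt + v * 4;
    p[0] = off & 0xFF; p[1] = off >> 8; p[2] = seg & 0xFF; p[3] = seg >> 8;
}

/* Compare a snapshot with the baseline; store up to max changes, return the total. */
size_t ivt_diff(const uint8_t *base, const uint8_t *cur, ivt_change *out, size_t max)
{
    size_t n = 0;
    for (unsigned v = 0; v < IVT_ENTRIES; v++) {
        const uint8_t *b = base + v * 4, *c = cur + v * 4;
        if (memcmp(b, c, 4) == 0) continue;      /* raw far pointer unchanged */
        if (n < max) {
            ivt_change *x = &out[n];
            x->vec = (uint8_t)v; x->old_off = rd16(b); x->old_seg = rd16(b + 2);
            x->new_off = rd16(c); x->new_seg = rd16(c + 2);
            x->rom_to_ram = linear(x->old_seg, x->old_off) >= CONV_TOP &&
                            linear(x->new_seg, x->new_off) < CONV_TOP;
        }
        n++;
    }
    return n;
}

int main(void)
{
    static uint8_t base[IVT_ENTRIES * 4], cur[IVT_ENTRIES * 4]; /* constructed sample */
    ivt_set(base, 0x13, 0xF000, 0xEC59); memcpy(cur, base, sizeof cur);
    ivt_set(cur, 0x13, 0x9F80, 0x0100);          /* disk vector now points into RAM */
    ivt_change ch[8]; size_t n = ivt_diff(base, cur, ch, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("INT %02Xh %04X:%04X -> %04X:%04X%s\n", ch[i].vec, ch[i].old_seg, ch[i].old_off,
               ch[i].new_seg, ch[i].new_off, ch[i].rom_to_ram ? " (ROM->RAM)" : "");
    return 0;
}
```

[A changed vector is not proof of infection, since legitimate TSRs and device drivers hook interrupts too; the baseline has to be taken after the known-good resident software is loaded.]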

--------------------

Date:         Mon, 8 Aug 88 12:53:18 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "Christian J. Haller" <CJH@CORNELLA>
Subject:      Re: Washing your hands

In reply to Les Hill (the Preserver <VISHNU@UFPINE>):
>Someone recently advocated the teaching of "viral hygiene" to joe average
>computer user while keeping "virus writing" to the experts (a poor paraphrase,
>but it gets the point across). This is the wrong attitude.
I think it's the most practical approach we can advocate, in general.

>                                                           Viruses are a
>part of the current computing environment, so are worms, trojans, etc...
Only if you expose yourself to them.  If you don't try out stuff from
uncertain origins, they are not part of YOUR computing environment.

>Educating users in prevention is necessary to stem the amount of damage done
>by these destructive programs. However, if the future computing environments
>are going to be better, computer diseases 101 had best be taught.
But not every user has to take it!  Give us a break.  How much does even
a Medical College graduate know about the life cycle of Rift Valley Fever?
How much does the average person need to know about how colds operate?
Sure, they should know what viruses are, and how you can't treat a virus
with antibiotics, but they shouldn't have to be taught in detail about
each of the 127 or more diseases we call colds.  It would be useless
information to the average person, and a waste of time.
   Similarly with computer viruses and Trojan Horses, etc.:  most users
should be aware that such things exist, and know enough about how they
work to have a chance of recognizing one when they see its tracks.
They should learn some simple rules of hygiene, like using write protect
tabs and using a floppy-based system to fool with some RUNME.EXE they
just downloaded, if they must try such things at all.
   Anyone who likes to try out new stuff, to be a pioneer, should know
more, like how to install and use some virus detection software.
   Only a few people should have to learn the nitty, gritty details of
how nasty programs accomplish their nefarious tasks, and how to write
countering programs.  THE REST OF US HAVE BETTER THINGS TO DO!
   Don't get me wrong.  I'm fawningly grateful to you good guys on this
list who have chosen (?) to get involved deeply in the struggle.  But
the computer work of the world is not going to slow down much because
of viruses.  Susceptible machines, networks, and personal habits will
gradually be replaced by safer ones, as a direct result of temporarily
"successful" attacks on our software integrity.  The average computer
user can almost go right on doing what she's doing now.

>                                                                  The field
>of computing is growing at an incredible rate and in this growth, nowhere do
>we see a system completely foolproof. Why not? Because the system designers
>didn't know about the various kinds of computer diseases.
Now that they know, I still don't see any completely foolproof systems.

>                                                         The CIS students
>of today will be tomorrow's programmers, educating them now about how virii
>work, detection schemes, security controls and pitfalls, will in the long
>run make virus writing something undertaken only by a few experts, instead
>of the situation we have now where combatting viruses is undertaken by only
>a few experts and every joe hacker on the street can create a virus for
>the expert virus hunters to track down.
Let's not confuse the average user with either CIS students or system
designers.  CIS students should learn what you say they should learn,
yes, but not more than that.  They should also know that it is relatively
easy to write a virus, that it is a rotten, unethical thing to do, that
it can get you ten years in jail and a ruined financial life, that most
viruses can be detected and traced back to their origins if some Sherlock
gets on the trail in time.  Those who like the idea of being Sherlocks
can be encouraged to learn more if they want.  Most of us think it more
fun and challenge to be on this side of the contest, anyway.
   Average users should hardly have to learn or do anything but run the
one to three applications they want to use.  They have work to do.
Most of them have a friend who knows about systems and software, whom
they trust to let them know when something useful comes along.  This
is the way things are, and should be.  Those of you closely involved
with this list--I love you, but don't overstate the need for everyone
to join in your enthusiasm.  Virus etc. outbreaks have not affected the
average user yet, and may not ever.  (Thanks to you!)

--Chris Haller

--------------------

Date:         Mon, 8 Aug 88 17:56:00 CDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         John Stewart <JSTEWART@SFAUSTIN>
Subject:      re: Campus Virus Letter

    I recently posted a message to the list in reply to Len Levine's
paper on Viruses.  In it I attempted to define a virus.  I received
several replies, but then we had a problem at our site causing all our
incoming Network mail to be refused, and outgoing mail to be deleted.
If anyone attempted to contact me during the period of 08/04/88 and
08/08/88 your mail was lost.  I would appreciate any re-transmittal
of any replies.

                Thanks for your understanding!

+-------------------------------------------------------------------+
% John Stewart                          <jstewart@sfaustin.bitnet>  %
% Technical/Academic Support Programmer     Office (409) 568-1020   %
% Stephen F. Austin State University        Modem  (409) 568-1334   %
% Nacogdoches, Tx 75962                                             %
+-------------------------------------------------------------------+

--------------------

Date:         Mon, 8 Aug 88 18:27:18 PLT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Andrew Vaught <29284843@WSUVM1>
Subject:      Hiding viruses

The solution is simple. Just print data from another sector, or, possibly a
small random-number generator. Binary files look all the same....

Does anyone seriously believe that a virus writer is going to bother with such
an esoteric scheme to hide their code? We haven't seen any so far. The
reason is that your joe blow computer user just doesn't look at his boot
sectors very often, and the only reason anyone else would is if strange
things started happening.

Viruses have to be small to avoid being obvious. If COMMAND.COM suddenly
grows by 30k due to all of the CRC foolers and other wild schemes, even
joe blow may notice it.

On another tack, anyone have any ideas on the possible future of viruses?

The other day I got ahold of a book called ``Advanced 80386 Programming''
(sorry, author's name is gone). At very least, Intel has designed
one heck of a complicated microprocessor. Since the beast is designed
specifically for multi-tasking, there are all kinds of weird things
like ``call-gates'' that allow use of privileged subroutines by
low-privilege processes, without giving privileges.

I suppose a virus could still call the DOS's ``FORMAT HARD DISK'' command,
but it seems kind of stupid to provide such an easily accessible command
in the first place.

                Andy Vaught
                    <29284843%WSUVM1.bitnet@cunyvm.cuny.edu>

``I'm on the case,
  can't be fooled,
  any objection is overruled.''

--------------------

*** end of Virus-L issue ***
