From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: KRVW <@NSFnet-Relay.AC.UK:KRVW@sei.cmu.edu>
Date:         Tue, 12 Jun 90 11:07:52 BST 
Message-Id:   <$TGVTCZHTCBTZ at UMPA>
Subject:      Virus-L vol 0 issue #0811
Virus-L Digest Thu, 11 Aug 88, Volume 0 : Issue #0811

Today's Topics

Question about virus attacks
Mainframe Viruses
Mainframe Viruses and whatnot
Mainframe problems
Mainframe Woe's continues
Mainframe
Question about mainframe, VMS virus
Re: Question about mainframe, VMS virus

------------------------------

Date:         Thu, 11 Aug 88 10:53:08 +0100
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Stefan Parmark <tmpspa@EUA4.ERICSSON.SE>
Subject:      Question about virus attacks

I have been reading your discussions with great interest. However, I
feel that very little has been said about viruses on VAX-11, Sun and
other generally-not-owned-by-private-persons computers. I am writing
a report on viruses here at Ellemtel in Sweden. I think it should
contain something about the viruses having hit a little larger machines.

My report will mostly contain a summation of what has been said about
viruses on this and other lists. It will not concentrate on PC viruses
and specific PC solutions. Instead it will be about viruses and protections
for the *general* micro/mini computer. Of special interest here is
the Unix environment, which is used in an increasing number of mini
computers today.

I would like to know about viruses, which have struck company computers.
I will respect that you don't want the name of your company to leak out
if you have been hit, but I would like to know what happened. Just tell
me it was some other company you can't recall the name of. I don't mind.
If you still aren't sure if you dare trust me with virus information, I
can let my superiors contact you.

I would also like to know what software there is to protect against
viruses. So far I have only run across TCELL. Has anyone had any
experience with this?

When finished, I will make my report available to Kenneth R. van Wyk,
so you all can download it.

Please e-mail all answers. I appreciate all the help I can get.

Stefan Parmark    tmpspa@eua4.ericsson.se
Ellemtel
Sweden

--------------------

Date:         Thu, 11 Aug 88 15:17:45 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>
Subject:      Mainframe Viruses

Stefan,

We've been doing detailed work on mainframe viruses for some
time.  Most of the original work on viruses done by Fred
Cohen, etc was done on a variety of Unix machines and Vax's
if I remember correctly.

There have been a few virus attacks on mainframes.  One
in particular, a banking institution in northern New Jersey
was hit only 5 or 6 weeks ago.  Their name cannot be
released however.  The problem with most corporate attacks
and mainframe attacks is that they are sworn to secrecy.

IBM being hit by the Christmas Tree virus was one publicized
virus.

Most mainframe security systems are worthless against viruses
I am VERY sorry to say.

Again, not to plug myself, but Lehigh Valley Innovative Technologies'
Innoculator package is available for VM/CMS, VMS, Unix boxes (most
including Sun's).  And I believe there is another such package out
there, but I'll have to check on the name again.

It is very hard to attempt to stop virus attacks on mainframes,
but we're working on various ways of stopping them.

Loren Keim
LKK0@LEHIGH

--------------------

Date:         Thu, 11 Aug 88 16:05:32 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         "David M. Chess" <CHESS@YKTVMV>
Subject:      Mainframe Viruses and whatnot

I hate to be such a nitpicker, but CHRISTMA wasn't really a virus
in the usual sense, since it didn't insert itself into any
executable files, but just sent itself (CHRISTMA EXEC) around
the net.   I think the distinction is rather important, since
it's Real Easy to write a filter that just zaps anything of
the right size called CHRISTMA EXEC, whereas it's typically
much harder to deal with a real, spreading, arbitrary-program-
altering, virusy virus.  (A word that seems to fit CHRISTMA
well is "bacterium".)

(The hacked FLUSHOT wasn't really a virus, either, as far as I
 know; it was just a Trojan Horse that did bad things to your
 system when you ran it.   It didn't spread itself.   I'd
 hate to see "virus" come to mean "something that does something
 bad to something".  Let's reserve it for, as Fred Cohen said,
 "a program that can 'infect' other programs by modifying them
 to include a possibly evolved copy of itself".)

Back to the subject: I think it'd be interesting if Loren (or
anyone else) could tell us some of the things that make virus-fighting
on mainframes harder than on micros (if I'm reading Loren's item
aright).   Anything you can tell us without exposing anyone's
dirty laundry?

DC

--------------------

Date:         Thu, 11 Aug 88 16:59:23 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>
Subject:      Mainframe problems

Well Dave,

The easiest thing for me to say is "The more complex the machine,
the harder it is to protect", but it's more than that.  A micro, all
by itself is easier to protect than a network or than a lot
of computers in one room used by many people, and so on.

One of the problems with mainframes is the number of users, and the
possibility of very remote computer sites accessing the system.  Let's
say, for example, that those using our example mainframe M get onto the
system by way of microcomputers.  Let's say someone "has it in" for this
company as well.  It is possible for someone to write a program which
attacks your company's modem program and gets itself to the mainframe
through it.  Because there is a large number of users of M, this
virus-modem program can spread from user to user and affect each part of
the mainframe, not just the parts a particular user has access to.

We have demonstrated this possible problem with Unix computers in
the past, having the virus "pick-up" privileges until it was able
to attack the entire machine.  This is a dangerous problem, and one
we cannot take lightly.

If a virus "blows up" on a mainframe, realize that we have the
possibility of losing data from many users, not just a single disk as is
the case with a single micro.

The problem, also, is that we cannot just CRC the entire machine.
People may be developing, someone is always changing around files, and
there are many places for viruses to hide on the system.  We have to
find a way to stop viruses from spreading on these machines without
limiting the machine to those programs "okay'd" by the administrator of
M.

We have looked at DER one-way-encryption protection of libraries of
machines, or creating a shell around the mainframe to "write protect"
files, or protecting certain programs and not others, or even limited
transitivity of the machine...  breaking it down into blocks that users
can access certain things but not everyone can get things from everyone
else.   It's a difficult problem.  We don't have the ease of making sure
DOS checking all writes before they write and watching for direct
writing.  With each mainframe, we must check carefully what is changing
and whether or not the user wants it to change.

Loren

--------------------

Date:         Thu, 11 Aug 88 17:40:43 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Loren K Keim   -- Lehigh University <LKK0@LEHIGH>
Subject:      Mainframe Woe's continues

One other thing that some colleagues of mine just mentioned to
me:

It may be true that it is harder to write a mainframe anti
viral package than a micro av package, BUT it's also generally
harder to write a virus for that system.

Our job isn't to create a virus-proof system, I don't believe
one exists... but what we can do is make the environment
harder and harder to attack, make the virus writer really
work to write a good virus, and make the number of people
who can write a virus to go around our systems so small
that no one does it.

Loren

--------------------

Date:         Thu, 11 Aug 88 20:52:25 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Joe Sieczkowski <joes@SCARECROW.CSEE.LEHIGH.EDU>
Subject:      Mainframe

I wouldn't consider mainframes "harder" to protect than PC's just
"different".  A mainframe gives you a lot of advantages that you don't
have on a PC.  On the other hand, there is greater sharing of
resources on mainframes which makes viral spread more dangerous.

First of all, a mainframe (or mini for that matter) has a secure
Operating System.  You cannot address REAL memory and you cannot
access the I/O ports directly like on a PC.  Moreover, a virus has no
more privilege over the OS than the invoking user.  Granted a virus
can climb the ladder, but it must do so through ordinary means; ie it
can't immediately write itself to the disk, or to the command
processor until it has privilege to do so.  So a mainframe virus must
link itself to an ordinary executable to be able to get itself into
memory, replicate to other executables, and test to see if it has
enough privilege to accomplish its pre-determined task.  Of course,
depending on the OS, a mainframe virus might be able to modify
a user's local command processor so as to stay totally active during
the entire session (or even after the user logs out).  But the
virus only has the privilege of the user.

Let's go over a quick example of how a virus might climb the ladder.
Suppose there are several users on a mainframe: Prof Smith, John,
Mary, Jim, System, and The_Rest.  Let's say that John, Mary and Jim
are in the professor's programming class and that Prof Smith has
privilege over their accounts.  The user System has privilege over
all accounts.  John decides to upload this great game to the system
(it happens to contain a virus).  He executes it and all his files
are subject to infection.  Mary executes the program too and
all her files become subject to infection.  The Professor
decides to check on Mary's work, so he executes one of her
programming assignments.  Well, this assignment was infected
so not only do the Prof.'s files become subject to infection
but Jim's files become infected as well.  Finally, the professor
just finished a software package.  He tells System that it's
ready to be installed.  System puts it in with the other system
files and executes it to make sure it was installed properly.
Now The_Rest of the system is subject to infection and the virus
has system privilege.  It can do anything it wants!

There are ways to use mainframe security features to
their maximum advantage to try to prevent the above scenario.
You could isolate the system from the outside world; however,
this is inadvisable since an ordinary user could write the
virus anyway.  You could isolate the users from one another
but this probably wouldn't be advisable especially considering
users often need to work together to complete a project.
The best method is probably to look for footprints that
indicate a possible virus about the system.

In a program I wrote a short time ago to protect a UNIX
OS I did the following:
  *  Set up a CRC table of system programs (ie those owned
     by root, bin and uucp)  The CRC table can only be
     modified by root and re-asks for his password during
     any modification.
  *  sh (the command processor) was modified to check
     the CRC table for system files being executed.
     If it changed it didn't execute.  As a matter
     of fact it was quarantined and mail was automatically
     sent to root about it.
  *  A daemon was run in background to periodically check
     system files for change.  If changed they were quarantined
     ...especially if the "set-uid" bit was on.
This method left users with total freedom while it
protected system stuff.  There were other smaller features
as well and various other optional checks.

Joes
joes@scarecrow.csee.lehigh.edu

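The CRC-table scheme Joe describes above (baseline the system programs owned by root, bin and uucp; refuse to execute or quarantine anything whose checksum changed; flag set-uid files), written out as an added example. This is not Joe's program, nor any code from the list; `build_table`, `check_table` and `may_execute` are names chosen here, and the caller supplies the owner uid set so the code can be exercised on a scratch directory without root.

```python
import os
import stat
import zlib

# The post's "system programs": files owned by root, bin or uucp. Resolve these
# with pwd.getpwnam(name).pw_uid in deployment; the caller passes the uid set.
SYSTEM_OWNERS = ("root", "bin", "uucp")

def crc_of(path):
    with open(path, "rb") as f:
        return zlib.crc32(f.read()) & 0xFFFFFFFF

def build_table(directories, owner_uids):
    """Baseline: path -> (crc32, mode) for regular files owned by owner_uids."""
    table = {}
    for d in directories:
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_uid in owner_uids:
                table[path] = (crc_of(path), stat.S_IMODE(st.st_mode))
    return table

def check_table(table):
    """Findings (path, reason, setuid) for entries that no longer match the baseline."""
    findings = []
    for path, (crc, mode) in table.items():
        if not os.path.exists(path):
            findings.append((path, "missing", False))
            continue
        st = os.lstat(path)
        setuid = bool(st.st_mode & stat.S_ISUID)  # the post singles out set-uid files
        if crc_of(path) != crc:
            findings.append((path, "content changed", setuid))
        elif stat.S_IMODE(st.st_mode) != mode:
            findings.append((path, "mode changed", setuid))
    return findings

def may_execute(table, path):
    """The sh hook from the post: run a system file only if it is listed and unchanged."""
    return path in table and check_table({path: table[path]}) == []
```

CRC-32 is kept here because that is what the post used; it detects accidental change but is trivial to collide, so a modern version would store a keyed hash and keep the table somewhere the checked programs cannot write.
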
--------------------

Date:         Thu, 11 Aug 88 19:23:00 PDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         SUE@UWAV1.ACS.WASHINGTON.EDU
Subject:      Question about mainframe, VMS virus

Where can I get <technical> details about mainframe (VMS) viruses??
How they work, propagate, etc.?

SUE@UWAV1.ACS.WASHINGTON.EDU
SUE@TOBY.ACS.WASHINGTON.EDU

--------------------

Date:         Thu, 11 Aug 88 23:53:00 MDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         LYPOWY@UNCAMULT
Subject:      Re: Question about mainframe, VMS virus
In-Reply-To:  Message of 11 Aug 88 20:23 MDT from "SUE at
              UWAV1.ACS.WASHINGTON.E

One of the professors in our faculty here at the U of C wrote a paper
oriented more toward mainframes than micros.  Here is the biblio for it:

Witten, Ian H., Computer (In)security:  Infiltrating Open Systems,
Abacus (Magazine) Vol.  4, No.  4, (Summer 1987)

If you have any questions for Dr.  Witten I may be able to pass them on
to him, or even give you his E-Mail address.  The article covers what a
virus can do, and in fact gives you an idea of how to write one.

                              Greg Lypowy

--------------------

*** end of Virus-L issue ***
