Return-Path: XPUM04@prime-a.central-services.umist.ac.uk Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3) id AA25970; Tue, 12 Jun 90 07:01:54 -0400 Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5) id AA13066; Tue, 12 Jun 90 07:01:50 -0400 Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3) id AA04416; Tue, 12 Jun 90 07:01:40 -0400 Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK via Janet with NIFTP id aa10237; 12 Jun 90 11:24 BST From: Anthony Appleyard To: KRVW <@NSFnet-Relay.AC.UK:KRVW@sei.cmu.edu> Date: Tue, 12 Jun 90 11:08:32 BST Message-Id: <$TGVTCZHTCBVW at UMPA> Subject: Virus-L vol 0 issue #0815 Virus-L Digest Mon, 15 Aug 88, Volume 0 : Issue #0815 Today's Topics re: MAINFRAME WOE'S CONTINUES Re: VM Mainframe Infiltration VM Modem Protocal The Conference... conference Encryption Re: Encryption Re: VM Mainframe Problems AT configuration Re: AT configuration RE: AT CONFIGURATION Conference Conference AGAIN virus conference - air ------------------------------ Date: Mon, 15 Aug 88 11:07:32 SST Reply-To: Virus Discussion List Sender: Virus Discussion List Comments: Date: 8-15-88 11:06am Comments: From: anyone:Staff:ISS Comments: To: {virus-l@lehiibm1}:bitnet, Comments: {LKK0@lehigh}:bitnet Comments: cc: Jim Comments: Subj: re: MAINFRAME WOE'S CONTINUES From: Jim Crooks Subject: re: MAINFRAME WOE'S CONTINUES >It may be true that it is harder to write a mainframe anti >viral package than a micro av package, BUT its also generally >harder to write a virus for that system. don't agree see comments below >Our job isn't to create a virus-proof system, I don't believe >one exists... but what we can do is make the environment >harder and harder to attack, make the virus writer really >work to write a good virus, and make the number of people >who can write a virus to go oaround our systems so small >that no one does it. agree >Loren I think that one has to keep in mind the *KEY* difference between a micro environment (DOS, OS/2, etc.) and a mainframe (MVS, CMS, VMS, UNIX, etc.) is that the mainframe OS is immune to direct attack (OS kernel is protected, OS files are protected, user files are not). Viral attack requires modification of executables (per the definition of a virus). If *ONLY* authorized programs (linkers) running from protected (read-only) filespace can write or modify an executable, then the low-grade user vector for the virus is stopped cold. The only path to infection is a super-user running an infected program; an authorized virus can nullify protection of executable files... A much smaller and harder window for a virus to get through. The only other loop-holes to plug would be file rename (to executable name), file copy/restore - the same protection criteria could be applied to file system utilities as you require of Linkers (authorized, protected filespace). It would only take small mods to existing mainframe security systems implement the above protection systems. The same hooks and exits used by the security systems can be used by a anti- virus developer to protect just executables if a site doesn't want to pay for a complete security system (cost in $$$ and overheads). Since the mainframe OS is better protected, other loop-holes are harder to find for the virus-writer. And once protected, the mainframe will tend to stay safe. I *REALLY* think that mainframe protection development is trivial compared to trying to protect a micro; when you stopper up the many guage 0 holes, there are thousands of size 00, millions of 000... For the PC just a couple of non-trivial changes could make the environment much easier to protect: - external switch to protect boot partition on HD (IBM, clone-makers, disk sub-system people are you listening?) - all executable files encrypted on disk (with DES or even a simpler algorithm), file decrypted by loader, key specified by user at boot through keyboard or ???. Encrypt by linker or conversion utility (after power off restart!) James W. Crooks Member, Advanced Technology Application Staff Telephone: (65) 772-2009 FAX: (65) 778-2571 BITNET: JIM@ISS.NUS.AC.SG BIX: jw.crooks Envoy(Telemail): jw.crooks Institute of Systems Science, National University of Singapore Heng Mui Keng Terrace, Kent Ridge, Singapore 0511 -------------------- Date: Mon, 15 Aug 88 08:03:33 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: "Kenneth R. van Wyk" Subject: Re: VM Mainframe Infiltration In-Reply-To: Message of Sun, 14 Aug 88 14:51:21 EDT from >It depends on the program. Clarkson University makes a program >which I'm using right now on a VM system to answer your >mail. It allows easy access to VM systems from microcomputer >networks. It redefines all sorts of key configurations and >allows some interaction with VM files and programs. Excuse me Loren, but you're on a MUSIC/SP system, not a VM system. MUSIC/SP runs as a disconnected virtual machine under VM/CMS, and its disk structure bears very little resemblence (sp?) to VM/CMS. Also, the terminal program, PCWS, was written by McGill University, not Clarkson. Ken Kenneth R. van Wyk User Services Senior Consultant Hobbes: What fun is being "cool" Lehigh University Computing Center if you can't wear a Internet: sombrero?! BITNET: -------------------- Date: Mon, 15 Aug 88 10:09:05 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: Loren K Keim -- Lehigh University Subject: VM Modem Protocal Ken, I really wish you wouldn't make statements like "You are not using this or that program" unless you really know what I'm using. I am not discussing PCWS from McGill. I was playing with another program to emulate 3270's terminals on another machine. Actually though, I do want to correct one thing. I don't believe the program I'm using is sanctioned by Clarkson, looking at it, it may just be written by someone there. Loren -------------------- Date: Mon, 15 Aug 88 12:11:37 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: Loren K Keim -- Lehigh University Subject: The Conference... Okay, We're ready to tell you about the computer virus conference coming up! THE COMPUTER VIRUS AND SYSTEM SECURITY CONFERENCE We will be holding the first Computer Virus and System Security Conference at Lehigh University in the Lehigh Valley, Pa. (Bethlehem, Allentown area) on October 21, 22 and 23 (a Friday, Saturday, and Sunday). Because specific rooms are still under discussion, we cannot give you a precise schedule of events. The cost will be $50.00. This includes entrance to the conference and all discussions. Preliminary Schedule: - ------------------ The following is a VERY tentative schedule. It will be altered as we get nearer to the conference date. We are juggling large rooms, including a very large hall for round table discussions and several large auditoriums. We'll have a better idea of exactly how the conference will be set up within two weeks. We'll need more information on exactly how many people will be attending the conferences and an exact list of speakers. We have several people who have tentatively said yes to speaking at the conference and we'll be contacting others over the next week. We expect additions to this schedule, and will post them as we get them. We already have a good group of people working on the conference, so it should go over quite well. I'd also like to thank Craig Pepmiller for his suggestions. Fri, Oct. 21: 1:00 PM - 2:30 PM What is a Virus? A seminar, including demos of several viruses on various systems. These will be WELL contained. 2:45 PM - 3:15 PM Introductions (Guests can introduce themselves to each other in a lounge area). Coffee, Donuts and Coke will be served. 3:30 PM - 4:45 PM Viral Detection Methods (Seminar) 5:30 PM - 6:30 PM Dinner (Restraunt locations will be provided and groups can break up to discuss topics). Sat, Oct. 22: 10:00 AM - 11:00 AM Computer Security Concerns I (We will go over protection schemes for schools and businesses and review simple, inexpensive ways of keeping your LAN's clean.) 11:00 AM - 12:00 PM Computer Security Concerns II System Integrity, Limited Transitivity will be main emphasis at this time. (Government security systems, banking systems, and early and future forms of virus stopping designs). 12:00 PM - 1:00 PM Lunch 1:15 PM - 1:45 PM Worm Demonstration 2:00 PM - 4:30 PM Discussions. We will hopefully be set up in a large area. We will have electricity to do demonstrations and people can show each other virus and anti- virus programs. Hands-On. 2:00 PM - 4:30 PM While the discussions are going on and people are trading software, we will have speakers discussing their own experiences with viruses. One seminar will teach the game, Corewars on the MacIntosh. 5:30 PM - 6:30 PM Dinner break 7:00 PM - 9:00 PM Another Seminar, we haven't decided on the topic. Sun, Oct. 23: 10:00 AM - 2:00 PM Round table discussions in a large hall. People can come and go as they like. Coffee, Cookies and Coke will be served. At several conferences and at the round table discussions, we will make various articles on viruses and security concerns available. We are expecting to add seminars. If you have any suggestions on exactly what you'd like to hear about, please let me know by writing to LKK0 at LEHIGH.Bitnet. Price Tag: - ------- This is a non-profit conference. The $50.00 will be used to rent conference rooms, to print a magazine for the conference, for coffee, donuts and snacks at the conference, and to pay for speakers to fly in. I still feel we may come up short, so we are allowing on Saturday, vendors to set up their equipment or anti-viral packages. This is not a show to sell products, but vendors may demonstrate their products. For a table at the show, we are asking for $400.00 from each vendor. For a full page ad in the magazine we will be printing, we will be asking for $400.00. For a half page ad, $250.00, and for a quarter page ad, $145.00. Color ads will cost more, please call me at (215) 865-4253 for color ads. Please send a check for the conference to: Computer Virus Conference c/o Loren K Keim P.O. Box 2423 Lehigh Valley, Pa. 18001 I will send back to you brochures on some local hotels, including The Allentown Hilton, Hotel Bethlehem, the Sheridan Jetport, the Econo Lodge, the Holiday Inn's and the Red Roof Inn. We will also be sending more specific information about the conference and where rooms are closer to the conference date. How Do I Get There? - ---------------- The Lehigh Valley (Allentown) is an hour from Philadelphia. We will be sending maps of the Lehigh Valley and of Pennsylvania to those who ask. >From Philadelphia: The Pennsylvania Turnpike, Route 9 passes through West Allentown, take the 22/78 exit East to Bethlehem, Rt 378 South to South Bethlehem. Lehigh University owns the mountain. OR take Rt 309 North to Rt 378 North to Lehigh. >From New York: Take I78 West to 22 West to Bethlehem. 378 South to Lehigh. Others traveling by plane: the ABE international airport (the largest of our airports) is serviced by several major airlines including United, Eastern, Continental, among others. Connections to ABE are made out of Chicago, Atlanta, and many others. WARNING: - ----- IF WE FIND ANYONE WHO HAS PURPOSELY OR ACCIDENTLY RELEASED A VIRUS ON ANY OF OUR SYSTEMS, ACTION WILL BE TAKEN AGAINST THAT GROUP OR INDIVIDUAL. Any questions, please send them to LKK0@LEHIGH. -------------------- Date: Mon, 15 Aug 88 14:43:03 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: "David A. Bader" Subject: conference One question, Loren, about the conference: Is the $50 going to be worth the price for the people who get the Virus List (and don't want to hear a re-hash of everything said here a thousand times over) or is it going to have fresh, new input and ideas? Also, Who are the speakers going to be??? It seems that reading through old virus lists might contain more information than having ANYONE talk about the subjects... Here's an idea: Have bound copies of the old virus list logs available (to buy?!?) so that people can gain some more knowledge through them.. Once again, these are my ideas and are not usually accepted by others.. If you wish to complain, fine; everyone else does. -David DAB3@LEHIGH -------------------- Date: Mon, 15 Aug 88 14:49:45 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: Steve Subject: Encryption I think J. W. Crooks idea of executable file encryption is a nice idea if the encryption/de-encryption process could be protected. I was thinking along the same lines myself but I didn't bring it up (and I may be wrong!) because I didn't think it was a practical or defensible scheme. If you use the same encryption algorithm with a built-in key for every encryption/de-encryption, then a virus has only to locate that segment of the program which does that and use it. If you use the same algorithm everytime, but always query the user for the key, then even if the virus knows the algorithm, it can't make use of it because it lacks the key. However, just because you don't store the key on disk somewhere doesn't make it safe, even if the algorithm is a good one. The de-encryption program file must be vulnerable because it must be available at startup (or you can't run any programs at all!) and therefore must be sitting there unencrypted on your disk. A virus could infect the de-encryption program (e.g. the loader program) (say when you run some trojan horse program) and then just wait until you run your next program which will require the loader to query for the key (unless the loader only queries for the key once (at boot), and then the key is just sitting there in memory, waiting to be snatched). Whatever the senario, whether the virus steals the key from the deencryption program as it runs or directly from the user or from memory or whatever, the key clearly has to be around to be stolen whenever you run a program. With the key in its possession, the virus knows how to read any of your other programs, including the encryption program (if it isn't already sitting there unencrypted on your disk). Now all it has to do to infect your programs is to de-encrypt them, alter their code and then re-encrypt. It certainly makes life harder for the virus, but I'm not sure if it offers a significantly increased level of security compared to the price you have to pay (the complication of encryption, and then there's the added hazard of what to do if you forget the key...), unless you can make it harder for the virus to get at the encryption/de-encryption process. On the other hand, just because a scheme can be foiled doesn't mean that it is of no value. I think an invincible protection scheme will never exist, but we may find a scheme which will never let any viruses through. Steven C. Woronick -------------------- Date: Mon, 15 Aug 88 15:24:34 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: "Kenneth R. van Wyk" Subject: Re: Encryption In-Reply-To: Message of Mon, 15 Aug 88 14:49:45 EDT from > I think J. W. Crooks idea of executable file encryption is a nice >idea if the encryption/de-encryption process could be protected. >Steven C. Woronick In Fred Cohen's dissertation, he talks about using RSA public key encryption combined with checksum (or CRC) signatures to protect files from alteration. Specifically, use the RSA encryption to encrypt a file, then discard the private key thereby making the encryption process one way, perform a checksum of the resulting encrypted file, and store that checksum on disk. It is then easy to validate the signature, but next to impossible to reverse engineer the checksum, particularly if you use long encryption keys. The problem with this method is that there is relatively considerable overhead involved in the authentication process. If, however, you only perform the authentication process periodically, it could be a viable file protection scheme; at least it should be able to detect unauthorized file modifications with a high degree of certainty. The RSA public key encryption, by the way, uses two encryption keys - one for encryption and one for decryption. Figuring out one from the other would be extremely difficult. Regards, Ken Kenneth R. van Wyk Today - 19th anniversary of Woodstock. User Services Senior Consultant By the time we got to Woodstock, Lehigh University Computing Center We were half a million strong, Internet: And everywhere was a song, BITNET: And a celebration. - Joni M. -------------------- Date: Mon, 15 Aug 88 12:42:00 CDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: "Gerald L. Schmalzried" Subject: Re: VM Mainframe Problems Loren K Keim states: > I think you missed the point. You are under the assumption > that someone has to execute a bacterium for it to propogate. > In VM systems, at least in Rexx programs, a virus can be > hidden. This could be one of your own programs, and I've > written several Rexx programs, with a hidden line somewhere, > or even an appended line that when you run it, it will > propogate. Right. Which means that someone has to execute the bacterium for it to propogate. Even REXX programs don't jump up and start executing all by themselves. PROFILEs (similar to PCs' AUTOEXEC.BATs) could be thought of that way, but those are actually called by someone (CMS or XEDIT) and can be overridden. The CHRISTMA EXEC would never have gotten out of node 1 without someone executing it. Just having it won't spread it. Perhaps you could restate your point in case I missed it... --Gerald -------------------- Date: Mon, 15 Aug 88 13:37:42 CDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: Len Levine Subject: AT configuration I wonder what would be the effect of telling my AT, through some configuration changes that I have no hard disk. I can run a program that permits me to tell the battery operated RAM package that I have one of 45 or so different hard disks, or by putting a zero in some location tell it that I have no hard disk. Can a virus guess what sort of disk I have? What would happen if the virus guesses wrong? Interested in some feedback here. + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + | Leonard P. Levine e-mail len@evax.milw.wisc.edu | | Professor, Computer Science Office (414) 229-5170 | | University of Wisconsin-Milwaukee Home (414) 962-4719 | | Milwaukee, WI 53201 U. S. A. Modem (414) 962-6228 | + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + -------------------- Date: Mon, 15 Aug 88 16:03:06 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: "Kenneth R. van Wyk" Subject: Re: AT configuration In-Reply-To: Message of Mon, 15 Aug 88 13:37:42 CDT from >I can run a program that permits me to tell the battery operated RAM >package that I have one of 45 or so different hard disks, or by >putting a zero in some location tell it that I have no hard disk. Can >a virus guess what sort of disk I have? Certainly within one of 45 or so tries... :-) >What would happen if the >virus guesses wrong? If the virus (or any program) only tries to read the disk while it's set to be the wrong type, no harm should happen (well, the seek motor might not like life too much if you try to go to, for example, cylinder 800 when you only have 619). If the virus writes while set up wrong, it's highly likely that you'd be spending some time in the not too distant future reloading your hard drive. What would be the advantage(s) of doing that, though? To test to see if a program contains a virus before trusting it on your hard drive? Ok, that could be of limited utility. Bear in mind, however, that it would be painless for a virus to (purposely) not do any damage, or even try to propogate, if there is no hard drive present. Also, chances are pretty good that a virus wouldn't try to assume that you have a hard disk if DOS says that there is none present - it would be shooting into the dark so to speak. Ken Kenneth R. van Wyk Today - 19th anniversary of Woodstock. User Services Senior Consultant By the time we got to Woodstock, Lehigh University Computing Center We were half a million strong, Internet: And everywhere was a song, BITNET: And a celebration. - Joni M. -------------------- Date: Mon, 15 Aug 88 18:45:00 EST Reply-To: Virus Discussion List Sender: Virus Discussion List From: ZDABADE@VAX1.CC.LEHIGH.EDU Subject: RE: AT CONFIGURATION Try running FluShot+ 1.2 on your AT computer and then you will know what it is like to have your CMOS setup corrupted so that DOS (or a virus) can't find any fixed drive! I think it would be difficult for a virus writer to experiment setting different fixed drive types in your CMOS hoping to get some fixed drive available. Would the virus writer not be safer by checking for the fixed drive first? (on an AT: in the CMOS); then if one exists, attack it. Otherwise, his/her virus might end of with "drive not found" type errors. /-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\ | From: David A. Bader, Studentis Maximus | | | | DAB3@LEHIGH SloNet: 1402 Lorain Avenue | | ZDABADE@VAX1.CC.LEHIGH.EDU Bethlehem, Pa. 18018 | | | | SchoolNet: Box 914, -On a mostly harmless | | Lehigh University, blue green planet... | | Bethlehem, Pa. 18015 -And loving it! | \________________________________________________________________________/ -------------------- Date: Mon, 15 Aug 88 22:04:07 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: Loren K Keim -- Lehigh University Subject: Conference Amanda, the letter you sent to Virus-L did not get to me, I just got the header. If it was important, could you resend it? David Bader: We have discussed (dare I say it?) very little on this list. The basic purpose of the conference is for people to get together and discuss viruses among themselves, show each other what they've come up with in terms of viral protection and what problems they've had. These sorts of conferences are generally very successful in that they produce some very useful ideas. David, we have touched very little on Worm Process propogation, or limited functionality (Fred Cohen's idea), limited transitivity (which has been around for a while), bottom-up system usage, and various theories of security or anti-viral protection. We have simply discussed CRC systems, DER encryption schemes, and various viruses. I believe a conference can produce a lot more than short letters back and forth. I got quite a few replies to my VM system comments. Again, I am sorry, but I am not quite used to VM yet and am not that good with it. I also do not have a system account and have very limited access, so its hard for me to proceed, unlike other machines I've worked on. Over the next few weeks, hopefully, I will have something more substantial worked out and will describe possible infiltration methods. One of the comments I received was something like: "If you have to execute the Rexx program to propogate the virus, it is a bacterium." No, I was not talking about a program which is a virus, I am talking about inserting a few lines of viral code into someone else's Rexx program. Sure ALL viruses have to be run to propogate, the difference between a bacterium and a virus (as it was explained to me recently) is that a bacterium IS a program and a virus places itself into a REAL program of the users. Thank you for all your VM suggestions by the way, and incidently, if, for some reason, I sounded like I disliked DER encryption, that is certainly not true, it is very good. I also am a big fan of forcing the user to put in a key. Loren Keim -------------------- Date: Mon, 15 Aug 88 22:08:39 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: Loren K Keim -- Lehigh University Subject: Conference AGAIN Alright David, Since you have asked, I may as well reply here. He wanted to know what the 50 bucks was for. Because we will (as it looks now) have a large group of experts and amateurs showing up, we will need to rent room space. This costs money. Several people have also suggested coffee and donuts or cookies at the conference and its a good idea. About half the people who wrote in wanted some sort of magazine/book written for the occation to include some speaches and some papers. We'd also like to make certain papers available to the people. One of the bigger expenses is flying in good speakers, people who have dealt with viruses and security problems for some time. Rather than have just anyone talk about subjects (which I'm sure everyone can read books and tell us what they read), we'd really like to have the people who've worked on viruses and propogation theories. However, I am still in the process of trying to contact people from "Computers and Security" magazine and others. I hope people are interested in this conference, we've gotten a ton of mail on it. I believe it will be fun, educational, and hopefully will bring something out of it. Thank you, Loren Keim -------------------- Date: Mon, 15 Aug 88 21:52:00 EST Reply-To: Virus Discussion List Sender: Virus Discussion List From: KAPLANB@IUBACS Subject: virus conference - air Conference Attendees - I've gotten airline fares for major cities to Allentown, PA. Cities: Chicago (O'Hare), San Francisco, Los Angles (LAX), New York City (JFK), Miami, Minneapolis. Please send me a e-mail note if you would like a copy. I will not put it on the Virus-List - waste of space/time for those who have no intention of going to the conference. I made the departure date Friday, October 21 and return date Sunday, October 23. If you are not on Bitnet - please! make the return address easy for me to answer you back! -------------------- *** end of Virus-L issue ***