Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA25911; Tue, 12 Jun 90 06:50:46 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA13006; Tue, 12 Jun 90 06:50:44 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA04317; Tue, 12 Jun 90 06:50:35 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa09817; 12 Jun 90 11:16 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: KRVW <@NSFnet-Relay.AC.UK:KRVW@sei.cmu.edu>
Date:         Tue, 12 Jun 90 11:09:44 BST 
Message-Id:   <$TGVTCZHTCBWD at UMPA>
Subject:      Virus-L vol 0 issue #0820



Virus-L Digest Sat, 20 Aug 88, Volume 0 : Issue #0820

Today's Topics

Re: Mainframe viruses
Nomenclature needed
RE: Hiding a virus between disk sectors
** no subject, date = Sat, 20 Aug 88 09:20:16 EDT

------------------------------

Date:         Sat, 20 Aug 88 14:12:24 +0100
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Stefan Parmark <tmpspa@EUA4.ERICSSON.SE>
Subject:      Re: Mainframe viruses

Joe and Loren!

My mail to you doesn't seem to get through, so I will put this on Virus-l
instead, which I know both of you read.

Joe, you say that you have tracked down several viruses. As I say in
my inquiry, I am not interested in *where* it happened, but *what*
happened, what it did, how you found it and restored the machine, etc.
I will be quite satisfied with a couple of lines describing the major
events. Details are interesting, but not really necessary, if you aren't
in your best writing mood. If you don't think this means leaking too much
information, then please tell me! Refer to the different
companies/universities as company A, university B, and so on, if you
don't want their names to be known.

I am interested in information about the Innoculator. If you have a
brochure describing it, please send me one. If you can't e-mail it,
please telefax it to +46 8 7490594. The reason is that the surface mail
takes a little while, and I don't have more than one week until my
report must be finished. If the Innoculator seems safe, we will consider
buying it. If you have references from satisfied customers, please include
them too.

The department of Ellemtel at which I am working has a high security
classification, class 2 I think. Therefore a virus protection is
highly desirable. Their VAX was earlier connected to UseNet, but the risk
for infections made them "cut" the wire. They will restore the
connection whenever they feel safe, which I am supposed to make them. In
case you wonder, I am using another department's computer to mail you.

Loren, I have mentioned your idea about a conference to some people
working with me. They, and I too, are interested in such a conference.
I will inquire how interested they are. When I know, I or they will get
back to you.

/Stefan Parmark

P.S. You know about the pubkey mailing list, don't you? They're
     discussing Lee Kemp's public key encryption to protect from
     viruses. If you are interested, send a mail to Doug Thompson
     at doug@isishq.math.waterloo.edu.

--------------------

Date:         Sat, 20 Aug 88 14:16:15 +0100
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Stefan Parmark <tmpspa@EUA4.ERICSSON.SE>
Subject:      Nomenclature needed

I feel that the term 'virus' is being used too often when one really
means something else. I think it is important that there is a term
which will cover worms, viruses, Trojan horses and bacteria. As a
general term I would like to propose 'infection'. I am not a
biological expert, so perhaps some other word would be better. The
important thing is that when anyone says 'virus' we know what he
means.

/Stefan Parmark

--------------------

Date:         Sat, 20 Aug 88 09:03:14 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Joe Sieczkowski <joes@SCARECROW.CSEE.LEHIGH.EDU>
Subject:      RE: Hiding a virus between disk sectors
In-Reply-To:  ZDABADE@VAX1.CC.LEHIGH.EDU's message of Fri,
              19 Aug 88 19:38:00 EST
              <8808192346.AA26896@scarecrow.csee.lehigh.edu>

I really can't see the practicality of viruses hiding in between sectors.
For one, there isn't much room, maybe space for several bytes, no more. The
virus would have to be careful not to overwrite the following sync mark or
make the next sector unreadable by DOS. Finally, there would have to be a
sophisticated program to read the data between sectors, concatenate the
information (i.e. the virus), and then execute it in memory. Since this
sophisticated program is not a part of DOS, and since it itself could not be
hidden between sectors, the point of putting a virus in between sectors is
moot.

Joes

--------------------

Date:         Sat, 20 Aug 88 09:20:16 EDT
Reply-To:     Virus Discussion List <VIRUS-L@LEHIIBM1>
Sender:       Virus Discussion List <VIRUS-L@LEHIIBM1>
From:         Joe Sieczkowski <joes@SCARECROW.CSEE.LEHIGH.EDU>
Subject:      Debate
In-Reply-To:  Kent Cearley - UMS - 492-5262's message of Thu,
              18 Aug 88 14:47:00 MDT
              <8808182056.AA24237@scarecrow.csee.lehigh.edu>

>Has anyone explored the concept of expert systems regulating security?
>Perhaps implemented like regression testing in software engineering,
>i.e. it familiarizes itself with the 'typical' activity of a system...
>quantitatively e.g. avg disk writes for program 'x', free memory,
>non-data sector reads/writes, maybe feature analysis techniques,
>suspending activity in anomalous situations

I believe AT&T's new version of secure Unix will do something like
this.  Although I am not affiliated with the company, perhaps someone
reading this is and can confirm and expand on this.

Joes

--------------------

*** end of Virus-L issue ***
