From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: DAVIDF@cs.heriot-watt.ac.uk
Date:         Tue, 19 Jun 90 09:39:28 BST 
Message-Id:   <$TGWFCWKBBCTG at UMPA>
Subject:      Here is Virus-L vol 0 #0908



Virus-L Digest Thu, 8 Sep 88, Volume 0 : Issue #0908

Today's Topics

Virus case goes to trial (reprinted from RISKS forum)
request for info on an Atari 8-bit series virus
Re: Hypercard as a virus vector
Possible nvir
Easiest OS to infect
Viri in data files
Re: Easiest OS to infect
Re: Viri in data files
Re: 'Good' Viruses
good viruses/bad viruses
Re: Legality
Re: Viruses
non-existent Viruses
Re: Legality
Re: good viruses/bad viruses

------------------------------

Date:         Thu, 8 Sep 88 08:53:40 EDT
From:         "Kenneth R. van Wyk" <LUKEN@LEHIIBM1>
Subject:      Virus case goes to trial (reprinted from RISKS forum)

Here's an interesting article that appeared in a recent RISKS forum that  I
thought  some of you may enjoy (except, of course, those who are already on
the RISKS forum...):

Date: Wed, 07 Sep 88 13:05:09 EDT
From: Joe Morris (jcmorris@mitre.arpa) <jcmorris@mitre.arpa>
Subject: A Computer Virus Case Goes to Trial

From the _Washington_Post_, 7 September 88, page C-1 (without permission):

[JURY SELECTION IN 1ST `VIRUS' TRIAL BEGINS (AP)]

Fort Worth, Sept. 6 -- Jury selection began today in the criminal trial  of
a  40-year-old  programmer  accused of using a computer "virus" to sabotage
thousands of records at his former work place. The  trial  is  expected  to
last about two weeks.

Donald G. Burleson faces up to 10 years  in  jail  and  a  $5,000  fine  if
convicted  in  the  trial,  a first for the computer industry. Burleson was
indicted on charges of burglary and harmful access [sic] to a  computer  in
connection  with  computer damage at a securities firm, said Nell Garrison,
clerk of the state criminal district  court  in  Fort  Worth.  Through  his
lawyer,  Jack  Beech,  Burleson denies the charges but has declined further
comment.

The firm has been awarded $12,000 in  a  civil  lawsuit  against  Burleson.
Pretrial  motions  were  scheduled  to  be  heard  today,  followed by jury
selection, Garrison said.

Burleson is accused of planting a piece of computer  software  known  as  a
virus in the computer system at USPA&IRA Co. two days after he was fired. A
virus  is  a  computer  program, often hidden in apparently normal computer
software, that instructs the computer to change or destroy information at a
given time or after a  certain  sequence  of  commands.  [Trojan  horse???]

USPA officials claim Burleson went into the company's offices one night and
planted a  virus  in  its  computer  records  that  would  wipe  out  sales
commissions  records  every month. The virus was discovered two days later,
after it had eliminated 168,000 records.

Kenneth R. van Wyk                   Calvin: Ever consider the end of the
User Services Senior Consultant        world as we know it?
Lehigh University Computing Center   Hobbes: You mean nuclear war?
Internet: <luken@Spot.CC.Lehigh.EDU> Calvin: I think Mom was referring to if I
BITNET:   <LUKEN@LEHIIBM1>             let the air out of the car tires again.

--------------------

Date:         Thu, 8 Sep 88 00:30:00 EDT
From:         "Jim Shaffer, Jr." <SHAFFERJ@BKNLVMS>
Subject:      request for info on an Atari 8-bit series virus

About a month ago I read in Atari  Explorer  magazine,  in  an  article  on
viruses  in  general,  that there was a virus for the Atari 8-bit series of
computers (i.e., 800, 800XL, 65XE, 130XE). However, the article  didn't  go
into detail. Has anyone heard of this virus and can tell me more? Thanks in
advance, Jim Shaffer, Jr.

P.S.: The article is a good overview of viruses in general, and  I'll  post
the  information  on  where  it  appeared  as  soon  as I can find the darn
magazine :-)

--------------------

Date:         Thu, 8 Sep 88 10:37:58 CDT
From:         "James N. Bradley" <ACSH@UHUPVM1>
Subject:      Re: Hypercard as a virus vector
In-Reply-To:  Your message of Wed, 7 Sep 88 20:22:31 EDT

Hypercard is a programming language disguised as a  Macintosh  application.
It  uses  hypertext  and  an index card analogy with a graphic interface to
allow virtually anyone to program, which has, as  a  consequence,  produced
all  kinds of cute but useless programs. On the other hand, when people who
know what they are doing write "stacks" (Hypercard programs)  they  can  be
really spectacular. I don't think you can compare Hypercard to REXX because
of  the  difference  in  the  environments.  Hypercard has a strong graphic
emphasis, it is designed for anyone to use, and it will (probably)  be  the
front end program of the future for the Macintosh interface.
JB

--------------------

Date:         Thu, 8 Sep 88 11:47:00 MDT
From:         "David D. Grisham" <DAVE@UNMB>
Subject:      Possible nvir

A user (Mac) has come to me with a disk with the following symptoms:

1) Would not save/print on MS word 3.01.
2) Used Ferret and code id 02, crashed.
3) Used VirusRx and declared "probably good"
4) Resedit found a non sequential code of 255,256, ...
Is this a Virus or a bad MS word?

******************************************************************************
*   Dave  Grisham                                                            *
*   Senior Staff Consultant                         Phone (505) 277-8148     *
*   Information Resource Center                                              *
*   Computer & Information Resources & Technology                            *
*   University of New Mexico                        USENET DAVE@UNMA.UNM.EDU *
*   Albuquerque, New Mexico  87131                  BITNET DAVE@UNMB         *
******************************************************************************

--------------------

Date:         Thu, 8 Sep 88 07:01:14 PDT
From:         Robert Slade <USERCE57@UBCMTSG>
Subject:      Easiest OS to infect

All inter system rivalry aside, the bigger they are, the more places  there
are  to  hide. My reading of the collected virus reports indicates that the
Mac is winning in the "I got more viri than you" stakes. When OS/2 Extended
is released (on 22 1.44 meg disks no less?), oi vey. (Yes, yes, I know. The
kernel will be smaller than that.)

--------------------

Date:         Thu, 8 Sep 88 06:40:22 PDT
From:         Robert Slade <USERCE57@UBCMTSG>
Subject:      Viri in data files

Carol raised the question about Hypercard, and "abr1" made a statement that
data files could *not* carry viri. Let's be careful about what we define as
data. (After all, programs really are just data  that  you  execute.)  Both
Hypercard, in the Mac world, and Lotus 123 files, to give an example in the
MS-DOS  world,  are capable of carrying commands that can do low level work
in your system. Hypercard stacks at one point carried the Brandau  "Macmag"
virus.  (I  do  not  know  of any incidents with Lotus workspaces ... yet.)
Robert Slade

--------------------

Date:         Thu, 8 Sep 88 15:06:41 EST
From:         Joe Simpson <JS05STAF@MIAMIU>
Subject:      Re: Easiest OS to infect

In reply to the comment that bigger is easier to infect I  beg  to  differ.
Operating  systems  with  layered  architectures  and rich file support are
easier to infect. They may also be easier to defend with. There is an  easy
to use suite of public domain and shareware tools available. I can only hope
th

--------------------

Date:         Thu, 8 Sep 88 16:19:44 EDT
From:         Ed Nilges <EGNILGES@PUCC>
Subject:      Re: Viri in data files
In-Reply-To:  Your message of Thu, 8 Sep 88 06:40:22 PDT

Hypercard stacks have two capabilities as virus vectors:

1. Those without XFCN and XCMD coding probably  cannot  screw  up  the  Mac
   environment outside of Hypercard, but they can screw up a given instance
   of Hypercard by setting global properties in a subtle way.
2. Those with XFCN/XCMD can screw up the Mac, in addition to the  Hypercard
   environment.

This may indicate an automated test to see which class a given stack  falls
into.  The  fact  that the first class is relatively benign does not entail
that we should never worry about class 1 Hypercard viruses,  only  that  we
should  focus  the bulk of our (always limited) virus-fighting resources on
class 2 viruses.

Note also that Hypertalk lets you treat stacks as objects...this raises the
specter of fearsomely complex, self-altering Hypercard  stacks  circulating
around  bulletin  boards  and  such.  The fact that Hypercard stacks can be
entertaining (music, X-rated cartoons, and so on) will speed viruses  along
this particular vector.
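
Added example (not part of Ed Nilges's post or the digest): one way to run the two-class test described above, assuming a stack's externals are stored as 'XCMD' and 'XFCN' resources in its own resource fork and that the fork's bytes have already been read. The function names and the sample forks are constructed for illustration.

```python
import struct

# Resource types that carry compiled externals in a HyperCard stack.
EXTERNAL_CODE_TYPES = {b"XCMD", b"XFCN"}

def resource_types(fork: bytes) -> dict:
    """Return {type: resource count} from the type list of a resource fork."""
    if len(fork) < 16:
        return {}                       # empty or missing fork: no resources
    _data_off, map_off, _data_len, map_len = struct.unpack_from(">4I", fork, 0)
    map_end = map_off + map_len
    if map_len < 30 or map_end > len(fork):
        raise ValueError("resource map truncated or outside the fork")
    # Offset 24 in the map: distance from map start to the type list.
    (type_list_off,) = struct.unpack_from(">H", fork, map_off + 24)
    tl = map_off + type_list_off
    if tl + 2 > map_end:
        raise ValueError("type list outside the resource map")
    (n_minus_1,) = struct.unpack_from(">H", fork, tl)
    n_types = (n_minus_1 + 1) & 0xFFFF  # stored as count-1; 0xFFFF means none
    types = {}
    for i in range(n_types):
        entry = tl + 2 + 8 * i
        if entry + 8 > map_end:
            raise ValueError("type entry outside the resource map")
        rtype, count_minus_1, _ref_off = struct.unpack_from(">4sHH", fork, entry)
        types[rtype] = count_minus_1 + 1
    return types

def classify_stack(fork: bytes) -> int:
    """Return 2 if the stack carries XCMD/XFCN resources, else 1."""
    return 2 if set(resource_types(fork)) & EXTERNAL_CODE_TYPES else 1

def build_sample_fork(types) -> bytes:
    """Constructed sample input: a minimal fork holding only a type list."""
    type_list = struct.pack(">H", (len(types) - 1) & 0xFFFF)
    for t in types:
        type_list += struct.pack(">4sHH", t, 0, 0)   # one resource per type
    # 24 reserved bytes, then type-list and name-list offsets, then the list.
    res_map = bytes(24) + struct.pack(">HH", 28, 28 + len(type_list)) + type_list
    return struct.pack(">4I", 16, 16, 0, len(res_map)) + res_map

if __name__ == "__main__":
    for name, kinds in [("cartoon stack", [b"ICON", b"snd "]),
                        ("utility stack", [b"ICON", b"XCMD"])]:
        print(name, "-> class", classify_stack(build_sample_fork(kinds)))
```

The check covers only the stack's own resource fork; externals that a stack calls from the Home stack or from HyperCard itself are not seen by it.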

--------------------

Date:         Thu, 8 Sep 88 15:07:00 MDT
From:         Bernie <BSWIESER@UNCAMULT>
Subject:      Re: 'Good' Viruses
In-Reply-To:  Message of 7 Sep 88 20:05 MDT from "EAE114 at URIMVS"

(This is a weak, but so are most args.) Sure, any person  who  knows  about
viruses  can run an anti-viral program but don't forget MOST computer users
are not computer or computing literate. I really doubt that a "good"  virus
could easily be corrupted. After all, how many people do you know who trace
other  people's  ml  code  for  fun?  The whole purpose of this hypothetical
"good" virus would be to remove only identifiable "bad" viruses, and  maybe
after  a certain time remove itself. It would be doing the techno peasant a
favour as well as the knowledgable because you'd never know  it  was  there
(just  like  a  bad virus) doing the user a service. Next: OJA, hackers are
not to blame. I resent that since not all hackers are  innately  evil,  and
hacking  is  a  proven  learning  experience.  Greenberg,  you  forget  the
Shareware protection (one of many). "Send us your money or  else  it  won't
work after a while..." Anyone know how many pieces of Shareware have trojan
horses?

--------------------

Date:         Thu, 8 Sep 88 13:02:23 EDT
From:         me! Jefferson Ogata <OGATA@UMDD>
Subject:      good viruses/bad viruses

We had a discussion about the merits of  making  virus-protection  software
viral itself some months ago. I'm hearing a lot of the same rebuttal again,
and it makes no more sense this time than last.

[Correctness]: how do you know your virus will behave the same way in  some
other  environment  and  not do serious damage? How do you know ANY program
will behave as you expect? Why bother writing  programs?  They  might  turn
into  Trojans.  Surely this is paranoia. Viruses are programs. You can test
them.

[Superfluosity]: a virus cannot do anything a regular program can't do. Yes
it can. A virus can self-propagate. A virus is  immune  to  virus  attacks,
unlike  most  virus-protection  software.  Even encryption schemes have the
glaring flaw that they can be corrupted.

[Insecurity]: you must leave holes through which the virus  can  propagate.
Well,  if  those holes could be closed, there would be no need for the good
virus. As long as those holes exist,  the  virus  can  do  some  good.  And
nothing  stops you from plugging all the holes you can; you'll prevent good
viruses from propagating, but hopefully you'll prevent the  bad  ones  from
propagating as well.

[Mutation]: what if the virus gets corrupted and becomes damaging? Programs
don't mutate so any corruption would have  to  be  some  kind  of  hardware
problem.  In that case, the probability is much higher that some particular
program will become a Trojan. It is virtually impossible  for  some  random
alterations  in  code  to  end up functional, let alone damaging. The virus
code would be small and therefore less likely to be damaged.

[Bad] guys: someone might take the code and alter it to be bad. True.

- Jeff Ogata

--------------------

Date:         Thu, 8 Sep 88 09:32:50 EDT
From:         Jim Marks <JMARKS@GTRI01>
Subject:      Re: Legality
In-Reply-To:  Message of Wed, 7 Sep 88 10:55:00 MDT from <BSWIESER@UNCAMULT>

This is a good question. I'm not a lawyer, so I can't really answer it, but
will offer my opinion. You  can  pretty  much  sue  anyone  you  want,  the
question  is  whether  you  would  (or could) win. Even lawyers often can't
answer this; it depends on the state, judge, jury (if any), etc.

Most of the software licence  agreements  have  statements  which  say  the
vendor  is  not  liable for damages as the result of using the software. Of
course, the "agreements" also usually say something to the effect that  the
vendor doesn't even guarantee that the program will do what you need to do,
either.  In fact, if you saw disclaimers on cars (or other products) of the
sort on software packages, you would never buy them.

I question whether such agreements have legal validity, but then I'm not  a
judge.  What  would  also  be  an  interesting case would be such things as
structural design software which was used in the design of a  building.  If
the  building  design was not adequate (because of a "bug" in the software)
and the building collapsed (say with  loss  of  life),  could  the  damaged
parties  prevail  against  the  software  manufacturer  (in addition to the
structural engineer)? Could the structural  engineer  prevail  against  the
software  manufacturer?  I  think there will eventually be some interesting
cases of this sort (maybe not quite so dramatic)  in  the  future,  if  not
already.

Back to the virus... What would be difficult in such a case  (even  if  the
license  agreement  didn't  protect  the  vendor) would be proving that the
virus actually came from the  vendor's  package.  These  things,  by  their
nature, are pretty elusive.

These are strictly my opinions; I don't even pretend to be an authority  in
this area. Anyone out there who is?

Jim Marks

--------------------

Date:         Thu, 8 Sep 88 18:13:49 EDT
From:         "David A. Bader" <DAB3@LEHIGH>
Subject:      Re: Viruses

>I really doubt that a "good" virus could easily be corrupted.  After
>all, how many people do you know who trace other people's ml code for
>fun?  The whole purpose of this hypothetical "good" virus would be to
>remove only identifiable "bad" viruses, and maybe after a certain time
>remove itself.  It would be doing the techno peasant a favour as well
>as the knowledgable because you'd never know it was there (just like a
>bad virus) doing the user a service.

Look at viruses such as the Brain virus and others that have been  modified
through time. Random programmers out there are easily able to decompose the
ML  code  and change good to bad, or from bad to worse. Also, all the virus
protection out there that watch for file size changes, CRC checksums, etc.,
will keep telling a user that he has been infected.  (He  will  never  know
"good"  from  "bad"  if  both  propagate over the same means.) Also, if the
programmer can write a "good" virus to escape  the  view  of  common  virus
detectors, then virus writers also have the same technology.

>Greenberg, you forget the Shareware protection (one of many).  "Send us your
>money or else it won't work after a while..."  Anyone know how many pieces of
>Shareware have trojan horses?

Some shareware out there has a strange kind of protection on it so that you
don't have a trojan horse if you don't pay. I've seen programs that let you
install them the  first  time  around;  and  they  monitor  the  date  from
installation.  After  a  few months, or a year, they won't run giving you a
message that you need to buy the software if you are really  interested  in
it.  Now  for any computer literate person, it is easy to hack out the date
stamp, or anything to those means to bypass this protection. But  from  the
company's  side,  no  "trojan  horse"  is released, and the average user is
rightfully obliged to buy the package since s/he  has  had  a  long  enough
trial period.

David Bader, DAB3@LEHIGH

--------------------

Date:         Thu, 8 Sep 88 17:33:00 CST
From:         conni annable <ANNABLE@UTHSCSA>
Subject:      non-existent Viruses

I've just been looking through a friend's catalog from a company that sells
disks  full  of public domain/shareware programs. Page 3 of this catalog is
titled "Topic: VIRUSES" in which they claim "a couple of national magazines
first thought up the concept of MS-DOS viruses" and hmmm... I'll quote this
paragraph entirely:

>>> Simply put, there is no such thing as a virus. There never has been.
>>> Period. It is a "Modern Urban Legend". The same as the $50 Corvette,
>>> alligators in the New York sewers, and all the others.

They go on to say that they can only speak  for  the  MS-DOS  microcomputer
world  and  that  they  have tried unsuccessfully to track down some of the
rumors they have heard. They point to PC Magazine  and  PC  World  as  very
active  in  'spreading  these stories' and wonder if they are doing that to
sell magazines or software (at "up to $900").
They do admit that Trojans exist but state that they are 'Very Rare'.
Obviously, they have a great interest in getting folks to continue  to  use
public domain programs - after all that's their business.

Gee folks - think of all the  time  we've  wasted  thinking/writing/reading
about  this  non-existent threat! Do you think we should dissolve the list?
(she said with tongue firmly in cheek...)

On another page this catalog refers to a  newsletter  from  the  DENVER  PC
BOARDWATCH  as  having  "an  excellent two-page article debunking the virus
scare". Have any of you seen this? I can't tell when  it  was  -  they  say
"just last month" but give no indication when this was written other than a
1988  copyright.  If  someone has seen this article, could you summarize it
please?

Thoroughly disgusted (having recently been bitten),
conni

--------------------

Date:         Thu, 8 Sep 88 21:54:00 MDT
From:         KEENAN@UNCAMULT
Subject:      Re: Legality
In-Reply-To:  Message of 8 Sep 88 07:32 MDT from "Jim Marks"

I'm not a lawyer either, Jim, but a few  things  that  would  certainly  be
relevant:

Did the company KNOW about the virus? It is a basic legal principle in most
civilized countries that you need to form the *mens rea* (guilty  mind)  to
be guilty of a criminal offence. In civil actions for negligence, again the
company  must  be  shown  to  have  some  reasonable grounds to suspect the
existence of a virus. Closest analogy I can think of is Johnson and Johnson
might have been sued successfully for continuing to  sell  Tylenol  in  the
face  of  a clear and well known danger. (They took it off the market for a
while, of course.)

As for the structural engineering question, we just  had  such  a  case  in
Vancouver,  a  brand  new  parking  structure  collapsed injuring dozens of
people. The association of professional engineers  temporarily  lifted  the
licenses  of  those  responsible  pending investigation. IF they were using
computers AND KNEW OF SOME FLAWS they would be clearly  derelict  in  their
duties.  (I  worked for the company that designed a rather famous 110 story
building in New York City and we did indeed find some design mistakes  that
needed  correcting  before construction.) IF the engineers had every reason
to trust the programs (they relied on them for a long time in the course of
business) then it might indeed bounce back to the software  company's  lap,
and   it   would   depend  how  knowledgeable  they  were  about  potential
flaws/shortcomings etc.

I agree that the shrink wrap disclaimers are worth  the  cardboard  they're
printed on (if that...)

--------------------

Date:         Thu, 8 Sep 88 22:20:00 MDT
From:         Bernie <BSWIESER@UNCAMULT>
Subject:      Re: good viruses/bad viruses
In-Reply-To:  Message of 8 Sep 88 11:02 MDT from "me! Jefferson Ogata"

Sorry if it's all been said before. I just think it  is  too  much  work  to
install  a  vaccine program and have it execute every boot or to have to do
spot checks on all my disks for something which has only hit me  once  (and
on the City's machines, not my own). Vague as always. Me.

--------------------

*** end of Virus-L issue ***
