Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA03536; Tue, 19 Jun 90 07:23:11 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA28682; Tue, 19 Jun 90 07:23:00 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA01720; Tue, 19 Jun 90 07:22:36 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa05306; 19 Jun 90 9:39 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: DAVIDF@cs.heriot-watt.ac.uk
Date:         Tue, 19 Jun 90 09:39:40 BST 
Message-Id:   <$TGWFCWKBBCTH at UMPA>
Subject:      Here is Virus-L vol 0 #0909



Virus-L Digest Fri, 9 Sep 88, Volume 0 : Issue #0909

Today's Topics

good viruses/bad viruses
Re: Virus Legislation
The Burleson Case in Texas
Re: CRC vs. encryption schemes
Good vs. Bad Virus: "Mutations"

------------------------------

Date:         Fri, 9 Sep 88 08:35:54 EDT
From:         "David M. Chess" <CHESS@YKTVMV>
Subject:      good viruses/bad viruses

I take it that these "good viruses" would at least tell the user that  they
were  there,  and  preferably  ask  his  permission  to proceed? Otherwise,
*whatever* it's doing, I'd consider it Very Antisocial  for  a  program  of
whatever  ilk  to take it upon itself to do something that I never asked it
to do, because someone somewhere once decided that  it'd  be  "for  my  own
good". Rank paternalism!

Viruses are immune from infection? In what sense? If "good" viruses  became
common,  I'm  sure  someone  would  write  a "bad" virus to infect them. It
should be no more technically challenging than writing a  virus  to  infect
PC-DOS EXE files. Pardon the belligerence! DC

(Affiliation given for identification purposes only)

--------------------

Date:         Fri, 9 Sep 88 08:55:42 EDT
From:         portal!cup.portal.com!Dan-Hankins@SUN.COM
Subject:      Re: Virus Legislation

     Daniel M. Greenberg writes:

>Many viruses are contracted by people that download unknown software
>from bulletin boards.  If they didn't down-load it, it wouldn't have
>propagated in their system.  Every time you download something- you
>take a risk that it has a nasty virus.  If you go to a store and buy
>a program, you can expect it to be "clean".

Not so. The MacMag virus was (accidentally) distributed with  Freehand,  an
Aldus product.

Also, what about mail-order? What about those little packages that you  see
advertised  in  computer  magazines that were probably put together by some
freelancer in his home office? Who's to say he hasn't been infected and  is
distributing infected copies of his software?

If one takes this 'trusted sources' argument  to  its  logical  conclusion,
we're  all  going to have to go back to programming by front panel switches
and programming our own code and no one else's.

Even a reasonably large company such as Aldus can get burned.

Dan Hankins

     These opinions are my own and are not for sale.  However, they
     may be rented or leased at reasonable rates.

--------------------

Date:         Fri, 9 Sep 88 11:21:04 EDT
From:         OJA@NCCIBM1
Subject:      The Burleson Case in Texas

1. The computer sabotage, to the best of my knowledge, was not a virus, but
a Trojan that would monthly wipe out commissions records from the  computer
accounting  database.  (It  seems  that  various  newspaper  reporters have
trouble discerning between  the  varieties  of  malicious  programs.  This,
unfortunately, includes writers for computer user group newsletters in many
cases.)

2. Since I  am  preparing  a  future  article  on  this  case  (mainly  for
non-profit  computer  user  groups  newsletters),  are  there  any  VIRUS-L
participants in the Texas area who can help me by sending news  clips  and
other  info about the case? (I am also working on getting a FOIA request in
to the Dallas office of the FBI. But  that's  going  to  take  some  time.)

Re: My comment about computer newsletter writers above....

I am also a writer for computer user group newsletters. It is in writing on
a more serious level about viruses that I have learned many of the pitfalls
about journalism  and  research.  Some  of  my  colleagues,  who  are  quite
competent in writing about software and hardware, stumble when it comes  to
dealing  with events in the news. Unlike having software or hardware before
you to examine, news is a lot trickier. First, the  source  has  to  be
examined. Second, confirmation has to be sought. Third, discretion is needed
to know whether everything that passes one's eyes is to be published. Fourth,
such information gathering has a relational aspect, one has  to  deal  with
people not disks or hardware. Discernment is crucial.

Some of the newsletter misinformation that I have run into  over  the  past
year includes...

* The claim that Donald Burleson was the writer of  the  SCORES  virus.  In
talking  with  the  author of the article, I found that he used a newspaper
report and jumped to conclusions based upon the Texas location and  Federal
involvement in the case.

* A  Texas  users  group  newsletter  article  about  "viruses"  having  an
interesting  classification  of  "benign",  "malignant",  and  "contagious"
(!!!!) Examination of the  article  showed  that  the  author  was  lumping
together  Trojans  and  viruses, so the "contagious" viruses were really the
viruses and the other categories were forms of Trojans.

* Many articles claiming that viruses don't  exist  except  as  a  ploy  by
"anti-virus" software distributors to sell their wares.

The way these claims themselves get replicated can be considered  a  "viral
mode" - "information viruses" <GRIN, IS JOKE.> Actually, it is the old case of
misinformation at work.

Re: If one gets an infected commercial software package, can the person sue
the company?

In the USA and many other countries - yes. As a civil tort case or possibly
a class action suit, it is possible. So far, I know of no  virus  liability
case  that  has  gone  to court. There has been much talk of virus lawsuits
after the ALDUS FREEHAND incident, but no further news.

Re: VIRUS-L Subscription and messages to me....

I have noticed a problem with the storage of  BITNET  transmissions  at  my
installation. Using the spool display facility on the TSO MVS system here, I
noticed that the files often get purged with no apparent pattern. With that
and  time  constrictions, a method of coping will be to unsubscribe to this
list and to weekly get the logs from LISTSERV. I can still receive promptly
any messages sent to me. Also if anybody has sent messages directly  to  me
and  has not gotten a response, please resend, the message(s) may have been
wiped out. Thank you.

--------------------

Date:         Fri, 9 Sep 88 17:41:05 +0200
From:         "Y. Radai" <RADAI1@HBUNOS>
Subject:      Re: CRC vs. encryption schemes

I haven't noticed any reply from Jerry Leichter to my posting of  Sept.  2.
Anyway,  a  number  of  people have sent me personal messages asking almost
identical questions, so I thought I might as well make my answers public in
case any others on the list have similar questions but didn't dare to  ask.
(Btw,  Joseph,  my reply to you came back with the message "CUNYVM.CUNY.EDU
unable to connect for 3 days to host", so please accept this as if it  were
a personal reply to you.)

The questions were: (1) What are the three "loopholes" in checksum programs
which I mentioned in my postings of Aug. 29 and Sept. 2? (2)  What  is  the
program  I  have  been  referring  to  which  blocks  all  three loopholes?

First of all, despite what I wrote, it's not so clear that  the  number  of
LHs  (loopholes) is 3; it all depends on how you count them. In two cases I
was counting two similar LHs as one; maybe it would be more  reasonable  to
separate  them  and  then  there'd  be  5.  Anyway,  I'm  in the process of
preparing a rather long document on the use of CPs (checksum programs)  for
detecting  viral  infection, and I explain all but one of the LHs there. It
should be finished in a few weeks. Roughly, it  can  be  divided  into  the
following sections:

  1. An introduction to CPs.
  2. LHs in CPs.
  3. Limitations of (all) CPs.
  4. Criteria for comparison of CPs.
  5. A partial comparison of 16 CPs with respect to almost 30 criteria
     ("partial" in that I have very little information at present on most
     of the CPs).

I'm not sure what the best way of presenting this information is when  it's
finished.  (About  a month ago I sent out a draft version of my document to
three people for constructive criticism, and one of them suggested that  it
would  be  an  appropriate subject for a lecture at the October conference.
But that sort of thing is obviously not in my hands.)

The program I was referring to is an Israeli product called  VirAlarm  (not
to  be  confused with Lasertrieve's product of the same name). It sells for
$50, and you can get a good idea of  its  relative  merits  from  the  last
section  of  my document. My conclusion is that it's far better than any of
the other programs in my possession. Obviously there may be products  which
I have not seen which are as good or better than VirAlarm in some respects,
although  I  doubt  this as far as LHs are concerned. I understand from the
authors that VirAlarm is to be marketed in the U.S.  in  the  near  future.

In any case, I have absolutely  no  commercial  interest  in  the  product.
(Actually, this "disclaimer" isn't enough in my case, since I'm in frequent
contact  with one of the authors, and someone might suspect that I'm trying
to get in a plug for him. So let me emphasize that I'm being  as  objective
as  I  can  when  I  say  that  I  genuinely  believe it to be an excellent
product.)

By the way, VirAlarm was the subject of a bet on Israeli television  a  few
months  ago.  The  authors  claimed  it could detect *any* virus infection,
while  a  Tel  Aviv  software  house  claimed  it  couldn't.  Anyone  who's
interested in a report on the outcome and details can get it from the Risks
Digest, Vol. 6, No. 93, or by writing to me.

Y. Radai, Hebrew Univ. of Jerusalem

--------------------

Date:         Fri, 9 Sep 88 15:10:00 EDT
From:         Glen Matthews <CCGM@MCGILLM>
Subject:      Good vs. Bad Virus: "Mutations"

With respect to "mutation" of a virus, I would  suggest  that  a  correctly
functioning  virus  would  not do that. Certainly, testing should result in
any such undesirable behaviour being corrected.

However, remember the environments that this "good" virus might be injected
into. My programs, for example, are not guaranteed to be free of bugs every
time I run them, especially the first  time.  If  a  correctly  functioning
"good"  virus  infects  one  of these programs, it is just conceivable that
*my* program accidentally modifies the virus prior to propagation: thus,  a
"mutation".

Lest this sound terribly unlikely, recollect the WORM article in CACM.  The
authors  describe  one  of  their  experiences with a worm which apparently
became altered in execution. My memory  may  fail  me  here,  but  I  don't
believe  that  hardware  error was advanced as the cause (the authors could
not have known exactly, anyway).

Basically, when the issue of so-called "good" viri comes up, it behooves us
to remember which road is paved with good intentions. Precisely because  we
cannot  predict  the eventual environment that a virus might be found in, I
think that we should be cautious about releasing a virus even  though  that
virus  will  solve  all of our thorny problems for us. And by "cautious", I
don't mean TESTING the virus; I mean having a  *VERY*  clear  idea  of  the
target population, as well as having escape hatches within to shut down the
virus  if  required.  And  even  these  measures might not be sufficient to
justify the release of a so-called "good" virus.

Glen Matthews, McGill University

--------------------

*** end of Virus-L issue ***
