Return-Path: XPUM04@prime-a.central-services.umist.ac.uk
Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3)
        id AA03588; Tue, 19 Jun 90 08:06:42 -0400
Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5)
        id AA28875; Tue, 19 Jun 90 08:06:39 -0400
Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3)
        id AA02367; Tue, 19 Jun 90 08:06:30 -0400
Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK 
           via Janet with NIFTP  id aa12808; 19 Jun 90 12:37 BST
From: Anthony Appleyard <XPUM04@prime-a.central-services.umist.ac.uk>
To: DAVIDF@cs.heriot-watt.ac.uk
Date:         Tue, 19 Jun 90 09:41:08 BST 
Message-Id:   <$TGWFCWKBBCTZ at UMPA>
Subject:      Here is Virus-L vol 0 #0913

Virus-L Digest Tue, 13 Sep 88, Volume 0 : Issue #0913

Today's Topics

data/code
Virus research paper by ex-Lehigh student
Re: Virus research paper by ex-Lehigh student
Dual CRCs
Re: Infecting "Good" Viruses
Re: Dual CRCs
Re: Virus research paper by ex-Lehigh student
Re: Infecting "Good" Viruses
Re: Infecting "Good" Viruses
CRCs

------------------------------

Date:         Tue, 13 Sep 88 02:49:43 EDT
From:         me! Jefferson Ogata <OGATA@UMDD>
Subject:      data/code

People seem to talk quite glibly of the distinction between data and
procedure around here. What's your dividing line? One man's data is another
man's procedure... - Jeff Ogata

--------------------

Date:         Tue, 13 Sep 88 04:38:10 EDT
From:         David.Slonosky@QUEENSU.CA
Subject:      Virus research paper by ex-Lehigh student
In-Reply-To:  <QUCDN.X400GATE:LVWUUsDw*>

This is an impressive summary of what has been discussed on this list for
the past six months (or so). Is this material copyrighted, or are we free
to distribute it?
                                       __________________________________
David Slonosky/QueensU/CA,"",CA       |         Know thyself?            |
<SLONOSKY@QUCDN>                      |  If I knew myself, I'd run away. |
                                      |__________________________________|

--------------------

Date:         Tue, 13 Sep 88 07:51:09 EDT
From:         Ken van Wyk <luken@SPOT.CC.LEHIGH.EDU>
Subject:      Re: Virus research paper by ex-Lehigh student
In-Reply-To:  Your message of Tue, 13 Sep 88 04:38:10 EDT

> This is an impressive summary of what has been discussed
> on this list for the past six months (or so). Is this material
> copyrighted, or are we free to distribute it?

It's not surprising that Mr. Kiel's paper reflects a lot of what has been
discussed here; he used VIRUS-L as a major source of information for his
paper. Steve gave me permission to "do with it as I please", so I sent it
out to VIRUS-L. He did want me to keep any responses that I receive so that
he can read the reactions of our readers. Anyway, I don't see any problem
with distributing it in its original form, as long as you give credit to
Steve and his co-author.

Ken

Kenneth R. van Wyk                   Calvin: Ever consider the end of the
User Services Senior Consultant        world as we know it?
Lehigh University Computing Center   Hobbes: You mean nuclear war?
Internet: <luken@Spot.CC.Lehigh.EDU> Calvin: I think Mom was referring to if I
BITNET:   <LUKEN@LEHIIBM1>             let the air out of the car tires again.

--------------------

Date:         Tue, 13 Sep 88 09:51:00 EDT
From:         EAE114@URIMVS
Subject:      Dual CRCs

<Jeff Ogata>
< It IS possible for two different programs to have the same CRC for
< two different polynomials.

True, for any reasonable polynomials, but it gets harder very quickly as
you add more polynomials. Esp. to do it on purpose. Has anybody seen or
heard of any virus designed to pass a CRC check? Or is this more work than
the casual psychopath is willing to incur?

                     EAE114@URIMVS (ERISTIC)

--------------------

Date:         Tue, 13 Sep 88 09:21:01 CDT
From:         Len Levine <len@EVAX.MILW.WISC.EDU>
Subject:      Re: Infecting "Good" Viruses
In-Reply-To:  Message from "Bernie" of Sep 12, 88 at 8:30 am

>I'm thinking more of viri which hide themselves on unused sectors.
>Mind, running a utility that erases all unused sectors and checks all
>files against the vtoc would be just as effective?

Not unless you have a map of all bad sectors to check against. The virus
could just as well hide in sectors that it had marked as bad in the FAT.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine               e-mail len@evax.milw.wisc.edu |
| Professor, Computer Science             Office (414) 229-5170 |
| University of Wisconsin-Milwaukee       Home   (414) 962-4719 |
| Milwaukee, WI 53201 U.S.A.              Modem  (414) 962-6228 |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

--------------------

Date:         Tue, 13 Sep 88 10:56:52 EDT
From:         ENGNBSC@BUACCA
Subject:      Re: Dual CRCs
In-Reply-To:  Message of Tue, 13 Sep 88 09:51:00 EDT

"Casual psychopath" - that's a contradiction in terms... Also a dangerous
assumption; I am sure there is at least one "professional" psychopath out
there...

--------------------

Date:         Tue, 13 Sep 88 11:12:36 CDT
From:         Len Levine <len@EVAX.MILW.WISC.EDU>
Subject:      Re: Virus research paper by ex-Lehigh student
In-Reply-To:  Message from "Ken van Wyk" of Sep 13, 88 at 7:51 am

>> This is an impressive summary of what has been discussed
>> on this list for the past six months (or so). Is this material
>> copyrighted, or are we free to distribute it?

>It's not surprising that Mr. Kiels paper reflects a lot of what has
>been discussed here; he used VIRUS-L as a major source of information
>for his paper.
>Steve gave me permission to "do with it as I please", so I sent it out
>to VIRUS-L.  He did want me to keep any responses that I receive so
>that he can read the reactions of our readers.  Anyway, I don't see
>any problem with distributing it in its original form, as long as you
>give credit to Steve and his co-author.
>Ken

It is an excellent piece of work and I will be using it (credited) in a
paper I am giving this week. Many thanks.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine               e-mail len@evax.milw.wisc.edu |
| Professor, Computer Science             Office (414) 229-5170 |
| University of Wisconsin-Milwaukee       Home   (414) 962-4719 |
| Milwaukee, WI 53201 U.S.A.              Modem  (414) 962-6228 |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

--------------------

Date:         Tue, 13 Sep 88 12:29:20 EDT
From:         Bob Babcock <PEPRBV@CFAAMP>
Subject:      Re: Infecting "Good" Viruses
In-Reply-To:  len@EVAX.MILW.WISC.EDU message of Tue, 13 Sep 88 09:21:01 CDT

>>I'm thinking more of viri which hide themselves on unused sectors.
>>Mind, running a utility that erases all unused sectors and checks all
>>files against the vtoc would be just as effective?

>Not unless you have a map of all bad sectors to check against.  The
>virus could just as well hide in sectors that it had marked as bad in
>the FAT.

On a standard 360K floppy disk, a virus could make space to hide most of
its code by formatting tracks with 10 rather than the usual 9 sectors. I
know that this works because my odd-ball MS-DOS system supports 10 sector
per track disk formats. There are programs which can look for non-standard
sector numbers, but unless you know the sector number, you have to try
every one up to 255, and that is very time consuming.

You can get some protection by not accepting any disks with bad sectors.
This is perhaps impractical to require for hard disks, but floppy disks are
so cheap that you can just throw away any that aren't perfect. This might
even be a good idea for protection against data loss due to marginal media,
which is probably more likely than a virus infection. (My floppy formatting
program does not have the capability of marking bad sectors, so it rejects
imperfect disks. Even buying generic disks, I only reject 1-2%.)

--------------------

Date:         Tue, 13 Sep 88 14:18:57 CDT
From:         Len Levine <len@EVAX.MILW.WISC.EDU>
Subject:      Re: Infecting "Good" Viruses
In-Reply-To:  Message from "Bob Babcock" of Sep 13, 88 at 12:29 (noon)

> ...
>On a standard 360K floppy disk, a virus could make space to hide
>most of its code by formatting tracks with 10 rather than the
>usual 9 sectors. I know that this works because my odd-ball
>MS-DOS system supports 10 sector per track disk formats. There
>are programs which can look for non-standard sector numbers, but
>unless you know the sector number, you have to try every one up
>to 255, and that is very time consuming.
>You can get some protection  by not accepting  any disks with bad sectors.

If what you say above is true, then no protection is good enough, since the
drive would show no bad sectors and still have 10% overspace for use by the
bad guys.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine               e-mail len@evax.milw.wisc.edu |
| Professor, Computer Science             Office (414) 229-5170 |
| University of Wisconsin-Milwaukee       Home   (414) 962-4719 |
| Milwaukee, WI 53201 U.S.A.              Modem  (414) 962-6228 |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

--------------------

Date:         Tue, 13 Sep 88 17:18:40 EDT
From:         brian bulkowski <GE710012@BROWNVM>
Subject:      CRCs

First, having two CRCs instead of one doesn't help all that much. Remember
that CRCs are polynomials, thus if you pick two prime CRCs there is a
single CRC that is the same, just not prime.

Second, if you publish the algorithm and the CRC it wouldn't be hard to
have a virus that has the same CRC and attacks only that one program. (The
algorithm I would use would be: if in program X, infect anything you can
find. If you are in any other program, look for X, if you can find an
uninfected one, infect it and disinfect yourself) I don't find this hard at
all. BUT, if you also publish the LENGTH of the code, it would be MUCH MUCH
harder, assuming there is no easy to find empty space in the code. You
would have to pervert existing code along the lines of the CRC but retain
functionality of the program.

What I would do to go around that is to take a relatively unused portion of
the program and overlay it. This, however, is user noticeable (although they
may quickly suspect a virus). Using the CRC means that the virus would
probably have to be longer to make the CRC come out right, and I think CRC
algorithms should exploit this to be hard on virus writers. Like doing the
CRC on only the first bit of a long word, meaning that to get the CRC right
many long words *may* be needed.

Does anyone know enough math on this list to know how to calculate how long
the "fudge factor" - extra bytes to make the CRC come out right - would
have to be for a given CRC polynomial? That's the question.

Yours Virtually,
Brian B.
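An added illustration of the "Dual CRCs" question and of Brian's first point above (this is editor-added example code, not from any digest contributor): over GF(2) a CRC is the remainder of the message polynomial modulo the generator, so for two coprime generators P and Q the pair of remainders carries exactly the information of one remainder modulo P*Q, a single CRC of width deg(P)+deg(Q). The generators below are small constructed ones chosen so the check can be run exhaustively; real CRC-16/32 variants add init, reflection and xor-out, which does not change the algebra.

```python
# Editor-added example. Two coprime CRC generators P and Q are equivalent
# to one generator P*Q: the pair (M mod P, M mod Q) and M mod P*Q determine
# each other (Chinese remainder theorem), so a second CRC adds only deg(Q)
# bits of width. Polynomials over GF(2) are stored as ints (x^k <-> bit k).

def poly_deg(a: int) -> int:
    """Degree of a GF(2) polynomial (0 for constants, -1 for zero)."""
    return a.bit_length() - 1

def poly_mul(a: int, b: int) -> int:
    """Carry-less product in GF(2)[x]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def poly_mod(a: int, m: int) -> int:
    """Remainder of a modulo m in GF(2)[x]; the core of every CRC."""
    dm = poly_deg(m)
    while a and poly_deg(a) >= dm:
        a ^= m << (poly_deg(a) - dm)
    return a

def raw_crc(msg: bytes, gen: int) -> int:
    """Raw CRC: message bits as a polynomial, reduced modulo the generator."""
    return poly_mod(int.from_bytes(msg, "big"), gen)

def dual_crc(msg: bytes, p: int, q: int) -> tuple:
    """The two-CRC check discussed in the thread."""
    return raw_crc(msg, p), raw_crc(msg, q)

def single_crc(msg: bytes, p: int, q: int) -> int:
    """The one wider CRC that carries the same information as the pair."""
    return raw_crc(msg, poly_mul(p, q))

def dual_equals_single(p: int, q: int, nbits: int) -> bool:
    """Exhaustively confirm over all nbits-bit messages that two messages
    share a dual CRC exactly when they share the single product-CRC, and
    that the pair takes no more than 2^(deg p + deg q) distinct values."""
    pair_of, single_of = {}, {}   # cross-maps between the two check values
    for m in range(1 << nbits):
        msg = m.to_bytes((nbits + 7) // 8, "big")
        d, s = dual_crc(msg, p, q), single_crc(msg, p, q)
        pair_of.setdefault(s, set()).add(d)
        single_of.setdefault(d, set()).add(s)
    one_to_one = (all(len(v) == 1 for v in pair_of.values())
                  and all(len(v) == 1 for v in single_of.values()))
    return one_to_one and len(pair_of) == 1 << (poly_deg(p) + poly_deg(q))

# Constructed coprime generators: x^4+x+1 (0b10011) and x^3+x+1 (0b1011).
P, Q = 0b10011, 0b1011
```

Running `dual_equals_single(P, Q, 16)` returns True: the two small checks together distinguish exactly 128 classes of message, no more than one 7-bit CRC would.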

--------------------

*** end of Virus-L issue ***
