Return-Path: XPUM04@prime-a.central-services.umist.ac.uk Received: from G.SEI.CMU.EDU by ubu.cert.sei.cmu.edu (5.61/2.3) id AA04516; Wed, 20 Jun 90 17:26:07 -0400 Received: from SEI.CMU.EDU by g.sei.cmu.edu (5.61/2.5) id AA07107; Wed, 20 Jun 90 17:26:05 -0400 Received: from nsfnet-relay.ac.uk by sei.cmu.edu (5.61/2.3) id AA23351; Wed, 20 Jun 90 17:25:54 -0400 Received: from sun.nsfnet-relay.ac.uk by vax.NSFnet-Relay.AC.UK via Janet with NIFTP id aa23232; 20 Jun 90 16:21 BST From: Anthony Appleyard To: DAVIDF@cs.heriot-watt.ac.uk Date: Wed, 20 Jun 90 16:32:52 BST Message-Id: <$TGWGCZNQBTQT at UMPA> Subject: Virus-L vol 0 issue #1019 Virus-L Digest Wed, 19 Oct 88, Volume 0 : Issue #1019 Today's Topics Re:Infected Peripherals Re:Peripherals Infecting a LaserWriter (was: Infected Peripherals) peripherals again RE: Hardware Virus PostScript and Viruses/Trojans Great ideas! RE: Great ideas! Re: Are so-called protected systems protected against viruses? RE: Re: I am proud to be a hacker! peripherals again Re: hardware virus ------------------------------ Date: Wed, 19 Oct 88 02:32:00 EST From: ACS045@GMUVAX Subject: Re:Infected Peripherals >From: portal!cup.portal.com!dan-hankins@SUN.COM >Subject: Infected peripherals >To: Steve Okay >Jefferson Ogata writes: >>The nature of the data used for these peripherals -- fonts, protocols, et >>al. -- is not rich enough to provide for self-replicating code, or even >>damaging code. In general, the worst a program could do with a laser >>printer is install a bad font, which would be stomped if a good font got >>loaded on top of it. > The Apple LaserWriter uses PostScript. PostScript is a complete >programming language. The LaserWriter has a *significant* amount of memory >on board, like a meg or two (I seem to remember it being a meg when I >worked with one in 1986). I can very easily imagine a virus written in >PostScript infecting a LaserWriter. >Dan Hankins Which was sort of my original point, particularily with regards to laser printers. I'm a big TeX and LaTeX nut myself and it gobbles memory for breakfast, and since the peripheral is the point here, PC or mainframe isn't really that much of an issue. So, not only do you have a big huge chunk of memory, but you've got something thats actually portable too...e.g. if you're writing it in something like TeX or Postscript, you've got something that can live in both a PC and multi-user environment, since the original code is based on a standardized version(This is true at least w/ TeX...I've used an AT to TeX out files when our VAX's LN03 was down of the software it was programmed in. Hows that for migration possibilities??? As for wiping it out on the next font load, don't most lasers have a chunk of memory reserved specifically for default or standard fonts that are always available, even when not switched on??? Steve Okay ACS045@GMUVAX.BITNET/acs045@gmuvax2.gmu.edu/CSR032 on The Source. "Ahhh...the keyboard, how quaint!'' -------------------- Date: Wed, 19 Oct 88 02:57:00 EST From: ACS045@GMUVAX Subject: Re:Peripherals >From: KEENAN@UNCAMULT >Mainframe peripherals often have a very rich instruction set. As an >example, tape drives are firmware-controlled and are basically >computers, hence indeed subject to viral infection. We had a case once >in which we lost the firmware in a tape drive and it kept a $3M computer >off the air until we figured out how to put the firmware back in (via a >card reader of all things...) so the loss of a peripheral in some cases >could be quite serious. You don't even need a mainframe, or even a large PC to be able to infect a peripheral. All it takes is a C-64. The 1541 disk drive had a bank of 4k of RAM and its own 6502. One method of copy protection used to be to write a small part of the protection scheme into that area, and then have the loader check for it, if it wasn't there, it'd assume a copy and freeze up. A little off the track there, but nevertheless a good example of what you can do with a little space and some clever programming. Steve Okay ACS045@GMUVAX.BITNET/acs045@gmuvax2.gmu.edu/CSR032 on The Source "Ahhh....the keyboard..how quaint'' -------------------- Date: Wed, 19 Oct 88 09:54:10 EDT From: Joe McMahon Subject: Infecting a LaserWriter (was: Infected Peripherals) In-Reply-To: Message of Wed, 19 Oct 88 02:32:00 EST from LaserWriter users should remember that the LaserPrep file is downloaded to the LaserWriter prior to any printing. It would be possible to install a Trojan Horse in this code quite easily. With the new LaserWriter NTX, it might be possible to store this code on the machine's hard drive. Anyone know whether this is possible? As far as a virus, however, you would have to have a file-access mechanism in place to actually spread this virus back from the LaserWriter to the host machine. On top of this, the virus would need to be able to find out what kind of machine it is trying to infect. Does AppleTalk have such a call? In general, IMHO, I think you might have to watch out for Trojan PostScript, but probably not viral PostScript. Are there any AppleTalk aficionados or PostScript hackers out there who can tell us more? - - Joe M. -------------------- Date: Wed, 19 Oct 88 08:53:27 EDT From: me! Jefferson Ogata Subject: peripherals again Wow. Looks like there's a lot of weird stuff out there I've never heard of. But ain't it always that way? A virus in Postscript seems like a viable idea. But a point I meant to make and forgot was this: what's the point? Most of the time, stuff gets downloaded to the printer. Now a virus can infect it all it likes, but it's gonna get wiped as soon as the printer is turned off. (There's no reason for page memory to be non-volatile. In fact, quite the con- trary.) I mean, what's it going to infect? There's just the one program; all a virus could really do is hang your printer until you power-cycle it. And there are plenty of other ways to hang a printer. As far as printers are concerned, what's the practical difference between writing a virus and writing a non-terminating Postscript program? It's not clear to me what the virus-writer would achieve by writing a virus for a printer. However, a Postscript virus would have a larger breeding ground; it could infect other Postscript files when a host previewer gets run on it. And in NeWS, there are lots more possibilities, since NeWS is Postscript driven (+X11). Another thing that is unclear to me is how a virus could infect peripheral firmware. (Unless it was there when the firmware was produced.) - Jeff Ogata -------------------- Date: Wed, 19 Oct 88 08:38:00 MDT From: Kent Cearley - UMS - 492-5262 Subject: RE: Hardware Virus There are certain symbiotic relationships between device drivers, cpus, and peripherals that might make an infection more viable than it first appears. For example, some classes of device drivers allow a terminal to execute any program via an escape sequence followed by a command code and the programs name and parameters. This was a particular philosophy for dynamically reconfiguring device characteristics. Combine this with say, a programmable printer, which when prompted with a sequence from the host to identify printer type, sends the string with an escape sequence and a destructive procedure call, or a modem which has this same string defined as a setup sequence. While it is true that many hardware devices use RAM memory only for data, there are contexts ala von nuemann where data can become instruction. Perhaps the caveat is something Korzybski used to say, "You can never say everything there is to say about anything" *-----------------------------------------------------------------------* | Kent Cearley | CEARLEY_K@COLORADO.BITNET | | Management Systems | | | University of Colorado | Q: "How many surrealists does it | | Campus Box 50 | take to change a light bulb?" | | Boulder, CO 80309 | | | | A: "Fish." | *-----------------------------------------------------------------------* -------------------- Date: Wed, 19 Oct 88 17:57:00 URZ From: BG0@DHDURZ2 Subject: PostScript and Viruses/Trojans Hi folks, as mentioned correctly by some people there seems to be no way to write a virus that is able to spread back to the computer and its storage devices. But there is another problem with PostScript printers: You can damage a PostScript printer by programming it in the wrong way so that you have to send it in to the producer. So it is possible to write a virus that can find out if a PostScript printer is installed and than damages the printer by programm (I don't want to elaborate on this, but it is possible). As far as I know *no* anti-virus programm prevents this... All the best, Bernd. -------------------- Date: Wed, 19 Oct 88 11:26:00 MST From: Michael Kielsky Subject: Great ideas! I am glad that I subscribed to this list! The number of great new ideas for writing viruses is inspiring! If I were gifted enough to be able to create a virus, this would certainly be the place to get new ideas. Michael Kielsky P.S. There were some :-)s implied. Some. -------------------- Date: Wed, 19 Oct 88 14:53:00 EDT From: Paul Coen Subject: RE: Great ideas! >I am glad that I subscribed to this list! The number of great new ideas for >writing viruses is inspiring! If I were gifted enough to be able to create >a virus, this would certainly be the place to get new ideas. >Michael Kielsky >P.S. There were some :-)s implied. Some. I certainly hope that the attitude of "don't discuss it and nobody will do it" is not common in this discussion. Has avoiding sex ed in this country decreased the number of adolescents who engage in sex? No. All it's done is given us a higher pregnancy rate than our European friends such as Sweeden, France, etc. If it didn't work in this case, what makes anyone think it will work as far as computer viruses are concerned? Give people the best information possible so they can combat viruses. If someone is talented and malicious, they don't need the subscribers of this list for their ideas. They'd be perfectly capable of writing a virus on their own. Ignorance is more dangerous than knowledge. +----------------------------------------------------------------------------+\ | Paul R. Coen | \ | Bitnet: PCOEN@DRUNIVAC U.S. Snail: Drew University CM Box 392, | | | PCOEN@DREW Madison, NJ 07940 | | | Just because you can't see it doesn't mean it isn't there! | | +----------------------------------------------------------------------------+ | \ \| \_____________________________________________________________________________\ -------------------- Date: Wed, 19 Oct 88 13:56:14 CDT From: Len Levine Subject: Re: Are so-called protected systems protected against viruses? In an article Dan Hankins writes: >In article Len Levine writes: >> [..] >>In an unprotected system, no such security is possible. > Wrong. > On an unprotected system (i.e. single-user micro) one does this: >[..] > This is actually *more* secure than the multiuser scenario you >described. In your scenario a virus could be sensitive to restricted >environments and not do anything nasty until run in a 'target-rich' >environment. In mine it is running on what appears to be an ordinary >working system. > My scheme is beatable also, in several ways. But the user privs and >suchlike do *not* give the protected multi-user system more security than >the unprotected single-user variety. How embarassing. Dan Hankins makes a very good point here. There is no difference in the level of protection between the two systems for anyone who has systemic authority in a secure environment. For the low level user, however, there is less to worry about on the protected system with respect to his own errors, more with respect to errors of the administrator. Let me lick my wounds and work on this some more. + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + | Leonard P. Levine e-mail len@evax.milw.wisc.edu | | Professor, Computer Science Office (414) 229-5170 | | University of Wisconsin-Milwaukee Home (414) 962-4719 | | Milwaukee, WI 53201 U.S.A. Modem (414) 962-6228 | + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + -------------------- Date: Wed, 19 Oct 88 15:24:00 EST From: "Jerry Leichter (LEICHTER-JERRY@CS.YALE.EDU)" Subject: RE: Re: I am proud to be a hacker! BTW, another alternative to look at is Gnu C, which we have various copies of around. It is based on a lexer generator and Bison, a YACC rip-off. -- Jerry -------------------- Date: Wed, 19 Oct 88 18:20:07 EDT From: SHERK@UMDD Subject: peripherals again In-Reply-To: Message received on Wed, 19 Oct 88 10:35:27 EDT Jefferson Ogata writes.... >A virus in Postscript seems like a viable idea. But a point I meant to >make and forgot was this: what's the point? Most of the time, stuff >gets downloaded to the printer. Now a virus can infect it all it likes, >but it's gonna get wiped as soon as the printer is turned off. (There's >no reason for page memory to be non-volatile. In fact, quite the con- >trary.) I mean, what's it going to infect? There's just the one >program; all a virus could really do is hang your printer until you >power-cycle it. And there are plenty of other ways to hang a printer. >As far as printers are concerned, what's the practical difference I can see that you are from the land of Unix, where hosts and printers have a master/slave relationship. But on Apple Talk each node has a peer to peer relationship. Thus, a LaserWriter, with appropriate virus code, could act like a fileserver with infected programs. Erik Sherk, Workstation Programmer, Computer Science Center University of Maryland -------------------- Date: Wed, 19 Oct 88 18:38:09 EDT From: me! Jefferson Ogata Subject: Re: hardware virus >a la von neumann, where data can become instruction... In some sense, data is ALWAYS instruction. That is, 'data' defines the control flow of some virtual machine defined and modeled by the 'code'. Simple example: grep; data is a program saying to print out lines that conform to certain restrictions. This semantic model of programs as machines holds for any program, though it gets obscure in many cases. However, the main question is: does the language of the 'data' provide adequate semantics to alter other 'programs'? In some circumstances, the answer is yes. Grep output, when piped through another grep, becomes another program with different output. Compiler input becomes a program that can run directly on the target machine. Both are forms of 'data' that can actuate control of the machine. Now given the idea of interactive, very smart peripherals, one can analyze whether the controls initiated by the peripherals are adequate for modifying the GENERAL behavior of some unrelated program. This essentially qualifies as virus infection, particularly if the modified behavior includes modification of further programs' behavior. If, however, the semantics of the peripheral control only allow damage or reprogramming of other peripherals, especially in a one-way fashion, it is more like Trojan damage. And the latter may require host program modification in order for it to occur. But this note is getting kind of dull. - Jeff Ogata -------------------- *** end of Virus-L issue ***