VIRUS-L Digest Tuesday, 10 Jan 1989 Volume 2 : Issue 9
Today's Topics:
A Humorous? Virus Report from Security List
Re: Friday the 13th viruses
Re: Disk Protection (Mac)
On having a "false sense of security"
Security/Virii Article
Disk protection (Mac)
Mac Write Protect Is Hardware
---------------------------------------------------------------------------
Date: Tue, 10 Jan 89 08:01:13 EST
From:
[email protected] (Mark Robert Smith)
Subject: A Humorous? Virus Report from Security List
[Ed. The following forwarded message is obviously another prank, like
the modem virus. I'm including it here because a) it was sent in by a
reader, and b) it serves as yet another perfectly good example that we
can't trust everything that we read. I suppose the appropriate caveat
here is that we have to take *any* report of a virus until it can be
verified.]
Forwarded from the VirusBoard BBS at (225) 617-0862 [sic]
Date: 11-31-88 (24:60) Number: 32769
To: ALL Refer#: NONE
From: ROBERT MORRIS III Read: (N/A)
Subj: VIRUS ALERT Status: PUBLIC MESSAGE
Warning: There's a new virus on the loose that's worse than anything
I've seen before! It gets in through the power line, riding on the
powerline 60 Hz subcarrier. It works by changing the serial port
pinouts, and by reversing the direction one's disks spin. Over
300,000 systems have been hit by it here in Murphy, West Dakota alone!
And that's just in the last twelve minutes.
It attacks DOS, Unix, TOPS-20, Apple II, VMS, MVS, Multics, Mac,
RSX-11, ITS, TRS-80, and VHS systems.
To prevent the spread of this dastardly worm:
1) Don't use the powerline.
2) Don't use batteries either, since there are rumors that this virus
has invaded most major battery plants and is infecting the positive
poles of the batteries. (You might try hooking up just the
negative pole.)
3) Don't upload or download files.
4) Don't store files on floppy disks or hard disks.
5) Don't read messages. Not even this one!
6) Don't use serial ports, modems, or phone lines.
7) Don't use keyboards, screens, or printers.
8) Don't use switches, CPUs, memories, microprocessors, or mainframes.
9) Don't use electric lights, electric or gas heat or airconditioning,
running water, writing, fire, clothing, or the wheel.
I'm sure if we are all careful to follow these 9 easy steps, this
virus can be eradicated, and the precious electronic fluids of our
computers can be kept pure.
- --RTM III
------------------------------
Date: Tue, 10 Jan 89 16:52:10 +0200
From: Y. Radai <
[email protected]>
Subject: Re: Friday the 13th viruses
Mark Smith asks for info on "virii" [viruses] that act on Friday the
13th. Well, if you're afraid that a virus will do damage on such a
date (or any other specific date), the simplest thing you can do is
either not to use your computer on that date or else to fake the date.
If you have a clock/calendar card, however, you have to be careful,
since if your boot sector or one of your system files or one of the
files in your AUTOEXEC.BAT file is infected, by the time you get a
chance to fake the date, the actual date may already have been taken
into account by the virus. Hence if you wish to work on that date,
fake the date *one day earlier*.
As for detecting/removing viruses, that depends on which virus you
have. If you have good reason to think you have the Israeli
Friday-the-13th virus, I can send you programs to eradicate it and to
prevent future infection. (In order to tell if you have this virus,
run your most frequently executed EXE program twice. If its size is
increased by 1808 or 3616 bytes, you can assume you've got that
virus.)
Y. Radai
Hebrew Univ. of Jerusalem
------------------------------
Date: Tue, 10 Jan 89 13:29 GMT
From: Danny Schwendener <SEKRETARIAT@CZHETH5A>
Subject: Re: Disk Protection (Mac)
>there is a DiskLock DA that simulates the locking of a disk via
>software. This includes the ability to lock a hard drive through
>software. Does this mean that the MAC is just as susceptible to
>viruses over-riding the write protection tab or is software just
>written to add the additional possibility of protecting hard drives?
The Macintosh File System allows both software and hardware device
locking. Hardware locking PHYSICALLY disables write access to the
disk. There is NO WAY for a virus to erase or write anything on a
floppy with an open protection tab.
If the "software lock enabled" flag in the Disk's boot blocks is set,
the File Manager assumes that the disks's driver contains code to
handle software locking, i.e. the write and format routines first
check another flag (the "volume locked" flag) in the boot blocks
before they perform their task. For those who don't know the
Macintosh's internals, the File Manager regroups all OS calls used by
a program to access a disk.
In a normal disk configuration, each disk has its own driver code
hidden in the disk's boot blocks. When a disk is mounted, the File
System loads the driver into memory. When a program wants to access a
disk, the File Manager handles the high-level tasks (file and
directory operations), but hands block read/write and disk format
requests to that disk's driver.
A virus could however bypass this command handling: it only needs to
have its own driver code. As most Macintosh disks on the market
currently are SCSI disks, and there are several SCSI driver sources in
the public domain, this should not be a problem.
In other words, DON'T TRUST IN SOFTWARE LOCKING AS VIRUS/WORM/TROJAN
PROTECTION. Software locking is useful to prevent accidental
overwriting of your applications and documents. It is not a long-term
protection against purposely ill-behaving programs.
Note: the mentioned DiskLock DA does not use the software locking
procedure explained above. Instead, it intercepts the File
Manager's calls to the driver and performs its own lock checking.
- -- Danny Schwendener
+-----------------------------------------------------------------------+
| Mail : Danny Schwendener, ETH Macintosh Support |
| Swiss Federal Institute of Technology, CH-8092 Zuerich |
| Bitnet : macman@czheth5a UUCP : {cernvax,mcvax}ethz!macman |
| Ean :
[email protected] Voice : yodel three times |
+-----------------------------------------------------------------------+
------------------------------
Date: Tue, 10 Jan 89 15:36:14 +0200
From: Y. Radai <
[email protected]>
Subject: On having a "false sense of security"
In V1 #59c and V2 #5 Dimitri Vulis posted three articles which, on
the whole, I consider excellent. However, there was one paragraph
which seemed to me a bit illogical, and another which contained what I
consider to be a significant inaccuracy. The first was:
>Both of these programs [TRAPDISK & HDSENTRY] (and others like them) are
>_extremely_dangerous_. They give the user a false sense of security,
>while it fact they provide _very_ _little_protection. They offer some
>protection against amateurish benign programs, like Brain, that are
>not really trying to destroy any data. They would not work against
>something like ARC 5.13, which called BIOS through CALL, not via INT,
>and you are more likely to run something like it, because you believe
>that you're protected, and use less discretion in deciding what to run
>on your machine.
Were it not for the fact that I have seen this sort of opinion
expressed several times before, I probably wouldn't have felt the need
to react to it in print now. But the effect seems to be cumulative
and now I feel I've seen this "false sense of security" argument once
too many. Suppose someone were to argue as follows: "There's no point
in locking the doors of your house or car, since a sufficiently clever
burglar can break into either of them. Locking them just gives you a
false sense of security ...."
What would you think of such an argument? I'm willing to bet that
Dimitri and others who have expressed the above opinion concerning
computer software do lock their houses and cars. Why, then, do they
preach differently in the case of anti-viral software?
I don't agree that such programs provide very little protection. I
think that the viruses (and worms and Trojans) against which they do
afford protection (they may be "amateurish" but they're not
necessarily benign!) are still in the majority (at least among those
viruses which have become widespread). And I think that it is well
worth protecting oneself against them, even if more sophisticated
viruses exist as well and will become more prevalent in the future.
Now I am well aware that no software can give complete security
against all conceivable viruses. A month ago, I posted an appraisal
of FSP, in which I mentioned several shortcomings which I found in it,
including ways of circumventing it. Yet *I continue to use it*
because there exist *many* infections which it *can* detect and
prevent. I also use PROTECT (which is roughly like the two programs
mentioned at the beginning), and a good checksum pro- gram (to detect
all virus propagation). (I'm considering using hard- ware protection
also.) I know that none of these can prevent all con- ceivable
viruses under all conditions. But I still think I'm safer using any
given one of them than not using it.
The only argument which Dimitri gives for his statement is that one
might be lulled into using less discretion in deciding what to run on
his machine. Now I would understand this argument in a situation
where anti-viral software is sold to naive customers under the false
pretense that it will prevent all types of infection. But are we so
naive? To give the impression, as Dimitri does, that it is worse to
use such software than not to use it, is certainly not correct in
general. He doesn't explain just what his notion of discretion
consists of, but whatever it may be, why can't we use *both*
anti-viral software *and* discretion ....??
The other point: In V2 #5, Dimitri wrote:
> ... it reads in the beginning of the directory and checks that
>the first 2 files are IBMBIO.COM and IBMDOS.COM (for PC-DOS) or IO.SYS
>and MSDOS.SYS (for generic MS-DOS). ....
>If these files are there, it reads (using INT 13) the first one (DOS
>low-level routines, _not_ BIOS---BIOS is in ROM!) into memory, usually
>at 70:0, and jumps there. IBMBIO.COM then loads the rest of DOS.
The clause "it reads ... the first one [i.e. IBMBIO.COM or IO.SYS]
into memory" is not quite accurate. It seems that what actually
happens is that the disk bootstrap routine loads a certain number of
sectors, starting from the beginning of the data area, into RAM, under
the *assumption* that these contain IBMBIO.COM/IO.SYS. Depending on
the implementation, it may also do the same with the following sectors
on the assumption that they contain IBMDOS.COM/MSDOS.SYS, or else the
former program may load the latter. But if the disk has been tampered
with, it is not necessarily these two files which will get loaded.
Y. Radai
Hebrew Univ. of Jerusalem
------------------------------
Date: Tue, 10 Jan 89 13:26 EST
From: "ROBERT M. HAMER" <
[email protected]>
Subject: Security/Virii Article
In the January 9 isue of InfoWorld, on page S1, continuing for 5 or 6
pages, there are several articles on computer security, viruses, worms,
etc, including a discussion of the now-famous Internet worm.
------------------------------
Date: Tue, 10 Jan 89 10:56 MST
From: "Richard Johnson <JOHNSON_RJ%
[email protected]>
Subject: Disk protection (Mac)
> There is much talk about disk protection for the IBM systems. Does
> anyone have any Information relating to the MAC system? ...
> Does this mean that the MAC is just as susceptible to viruses
> over-riding the write protection tab or is software just written to
> add the additional possibility of protecting hard drives?
> Scott.
I assume that by disk protection you mean something along the lines of
write protection. 400K and 800K Mac floppy drives from Apple use a
pin that tries to fit through the write protect hole on 3.5" disks (at
least my drives do). I don't have the drive schematics, but the
presence of that pin says to me that write protection on a 3.5" floppy
is done in hardware.
Hard drives are another matter. I know of no hard drive that can be
write-protected via a hardware switch like a floppy drive write
protect. All hard drive write protection I've seen for Macs is done
in software. What can be done in software can be gotten around later.
Of course, with the healthy number of different SCSI drivers out
there, a virus that knows how to talk to all of them will be larger
than a virus that just uses disk or file manager calls.
Richard <
[email protected]>
* Disclaimer: Since I'm self-employed, these *
* opinions aren't necessarily those of my employer *
------------------------------
Date: Tue, 10 Jan 89 15:50:20 EST
From: Joe McMahon <
[email protected]>
Subject: Mac Write Protect Is Hardware
The title says it all. Mac write protect for floppies is hardware and
cannot be subverted by software according to Apple. Hard disks are
another matter.
Why don't Mac manufacturers add on a "Write Protect" switch? Seems
simple enough.
- --- Joe M.
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253
