[1356] (558 lines) Network_Server.Daemon 06/14/90 1329.7 edt Thu VIRUS-L

[1356] (558 lines) Network_Server.Daemon 06/14/90 1329.7 edt Thu VIRUS-L
Subject: VIRUS-L Digest V3 #113
From: [email protected]

VIRUS-L Digest Thursday, 14 Jun 1990 Volume 3 : Issue 113

Today's Topics:

re: - Viruses and Solutions (PC?)
Re: First jailed UK computer hacker
Anti-viral philosophies
Re: Hardware security
Re: Hardware protection
RE: Documented mainframe attacks (IBM Mainframe)
Re: Possible virus (PC)
need virus-l undigestifier for PC or MAC
New Stoned Virus Strains and Killer Available (PC)
George of the Jungle: Not to worry? (Mac)
Password Standards Checking
UnVirus 9.02 (PC)
Is This a Virus? (PC)
Re: - Virus's and Solutions

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to [email protected] (that's equivalent to
LEHIIBM1.BITNET for BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at: [email protected].

Ken van Wyk

---------------------------------------------------------------------------

Date: 12 Jun 90 12:06:04 -0400
From: "David.M.Chess" <[email protected]>
Subject: re: - Viruses and Solutions (PC?)

Azim Syed <[email protected]>:
> q2. Virus lives in memory when you put system off you can't get rod
> off it, It will go to clock ROM chip!! Is there any solution other
> than disconnecting battery??

I've never seen such a virus, although people like to talk about
the possibility. It seems very very unlikely to me; at least
in IBM-supplied systems, the clock memory (battery-supplied CMOS
RAM, not ROM), is very small, and is in the I/O space, not the
memory space. There's nothing in the system that will execute
code stored there, even if there were room for a virus. So
I wouldn't worry about it too hard, myself! Of course, if you
have a file that you think actually contains such a virus, I'd
be very interested to see it. But rumors are only worth what
they cost... DC

------------------------------

Date: Tue, 12 Jun 90 15:56:15 +0000
From: [email protected]
Subject: Re: First jailed UK computer hacker

"The Times" of London carried the following report on Friday, 9th June 1990

Headline: Prison for "mad hacker"

>A teenage computer hacker who broke into university systems and destroyed
>vast amounts of material was yesterday jailed for four months. Nicholas,
>Whitely now aged 21, called himself "the mad hacker" and waged his six-month
>war in 1988 from a home computer in his bedroom.

What purpose is served by sending Whiteley to prison for 4 months or for
1 year? He will now be locked with two other inmates in a cell designed
for one person for a substantial majority of the day at one of Her Majesty's
Universities of Crime. What should we expect him to do except pass on his
rare skills to other felons?

Why was there no Community Service Order which would have obliged him to
spend all his spare time undertaking positive actions to the society which
he had damaged? Once free from gaol he will have all the time in the world
.. to continue hacking.

Why were the prosecution denied their request for costs? Since it appears
Whiteley can return to work at the Opera, a weekly decuction towards costs
(although no more than a flea-bite towards the actual costs) would seem
in order.

I'm not sure about confiscating his computer - but I can understand the
argument.

On the surface it does not seem to be a brilliant day for the British
judiciary. Perhaps the judge thinks that hacking has something to do with
riding horses ...

Ian Leitch
Head of Computing Services
London School of Hygiene and Tropical Medicine

------------------------------

Date: Tue, 12 Jun 90 13:39:05 -0400
From: padgett%[email protected] (A. Padgett Peterson)
Subject: Anti-viral philosophies

> Like to get some opinions on this one. If you could only get
>one program for your pc/pc-xt/pc-at or clone, what would it be?

This is a question that keeps coming up and while I agree that
McAfee's products are the best for someone who knows what they are doing,
they are not products that are suitable for environments with vast numbers
of PCs and semi-educated users, rather they are ones that the technicians
should use as part of their toolkits to diagnose & repair problems. There
are several reasons for this:

1) Can you imagine trying to install monthly updates on 5000 PCs. If you can,
where do you get funding for the diskettes/labour ?
2) These utilities require a fair amount of knowlege to use e.g. use of the
/d option will erase infected files that might be copy protected/install
once programs while not using /M or /A may miss some infections.
3) Indescriminant use will wipe out any hope of determining the infection
vector.

What I prefer is a package that resides in the background of the user's
PC and reports any change to the environment with no appreciable hit to
performance (SCAN can take over ten minutes to process a 40 Mb disk now and if
LZEXE-type compression is used can extend this materially).

Such a package should be able to check the environment that exists
when invoked (to catch boot sector infectors & previous infections), should
flag immediately an attempt to run an "unknown" program, maintain signatures
of "approved" executables, and create an audit trail for any changes.

This would require three classes of machine:
1) Restricted: can run only files currently on system.
2) Privileged: can add files to system, runs new files after authentication.
3) Development: can run new files from certain drives/directories without
authentication.

Not that none of this requires authentication of the user, there are
many other products that will do this, rather it allows execution only of
authenticated files in an authenticated system. Should a deviation occur,
the event is flagged on the screen and a menu is presented depending on class.

When an event occurs that indicates an unauthorized change has taken
place, then is the time for a tech to come out with SCAN and other tools to
determine what has happened, all the resident tool is required to do is to
determine that SOMETHING unauthorized has happened.

Note that no attempt is made to block any specific malicious software,
rather ALL un-authenticated software is treated as suspect. Additionally, if
a virus is passed, a trail is created and detection of an environmental change
is flagged.

It would seem that most of the advanced anti-viral researchers, being
"power-users" have developed single-stage tools for their individual needs,
not the for corporate/govenmental/educational environment that is better served
by multi-stage tool sets. There are a few such tools available, but they are
in the minority.

------------------------------

Date: Tue, 12 Jun 90 14:00:08 -0400
From: Valdis Kletnieks <[email protected]>
Subject: Re: Hardware security

>There!!! In less than two minutes in your office, I can steal
>confidential files off your hard drive that you THOUGHT were protected
>by hardware protection.

Actually, I don't lock my office.. we have those 5 foot high partitions
around here. But anyhow - a moment's though shows that leaving the door
*OPEN* may be more secure - if everybody EXPECTS the office to be empty
and locked, nobody will check - but if it's supposed to be empty and the
door open, the case of 'door open and guy kneeling in plain sight
ripping open my PS/2' is pretty obvious to the other programmers walking
by.....

My point was: If you have enough time to get into my office and pop the
covers, you could walk out with all of the following:

The ethernet board, the 8514 driver board, the 8M memory board, the hard
disk controller, and the 300M hard disk. Pop the boards, put them into
your pocket, drive goes under your jacket.

You've just walked off with all my confidential files, plus a lot of
nice hardware. Decode the files at home at your leisure.

Of course, if I was gonna go this far, I'd just dress like a deliveryman,
bring in a dolly, put the PS/2 on it, put a cardboard box over it, and
take the whole damned thing....

I repeat - if the enemy can physically walk off with it, it doesn't MATTER
if there's some silly-ass battery-backup password on it - they'll have all
weekend to poke at it on their workbench.

>From all accounts I've heard, the major problem with PC's in
public-access terminal rooms is *not* people opening them up and
sabotaging them, but people figuring out how to unbolt them from the
table and walking away with the whole machine...

Physical security is nice - let's just make sure we're defending against
the right problem...

Valdis Kletnieks

------------------------------

Date: Tue, 12 Jun 90 15:01:17 -0400
From: padgett%[email protected] (A. Padgett Peterson)
Subject: Re: Hardware protection

G. L Warner writes:

>From: <[email protected]>
>What is the point of having hardware protection if it is so easy to defeat!

The following is a posting made in reference to the "boot from floppy vs
hard disk" conflict with reguard to viruses. I feel that it has use here:

To me, the most secure method would be a boot from a protected floppy
that initiates the checking/authentication routine before leaving the floppy
(realize that I avoid hardware approaches which though better involve $$$.
Floppies are cheap). The next level would use a non-DOS hard disk only
accessable with a special device driver only on the floppy (multiple backups
are a good idea). Seagate's DM program for formatting disks permits this and is
easy to obtain. This way, even if someone booted from another floppy, the hard
disk would not be accessable.
Beyond this, we get into any number of encryption schemes (no Aryeh,
EBCDIC is not encrytion) possible purely with software - as long as the key is
kept on the boot floppy, it is difficult to extract any data even if the entire
disk is stolen (and I have seen a few instances of this).
About now, the subject of ROM passwords usually comes up.
Unfortunately, all that I have seen (Compaq, PS/20, etc) provide some form of
maintenance retrieval that negates the purpose. Some are even trivial
(reversing a plug or popping a connection) for anyone with physical access.
Consequently, if the disk requires physical protection, the best
safeguard is removing and locking up the disk. If not, floppy-booting with
software protection is enough for the job. Anything else is a compromise.

------------------------------

Date: Tue, 12 Jun 90 17:49:40 -0400
From: Arthur Gutowski <[email protected]>
Subject: RE: Documented mainframe attacks (IBM Mainframe)

>From: [email protected] (Peter da Silva)
>
>I don't know about the others, but the XMAS was a trojan horse worm, RTMwas
>a directly attacking worm, and the WANK worm was on VAX/VMS, not UNIX.
>
>All of these, I believe, used network utilities and mail programs to infect
>hosts.

I thought that the Unix worms spread similarly to the VM worms. Yes, XMAS
was really a trojan worm, I wasn't careful on my wording, and I wasn't sure
if they behaved like RTM or Wank. As a matter of fact, the BUL, 4PLAY, and
HEADACHE were more or less XMAS clones.

>From: "David F. Lambert" <[email protected]>
>
>>From: Arthur Gutowski <[email protected]>
>>...
>>Three, make sure your operations and tech support staff monitor things
>>like (on VM) spool space filling up with a certain filename, perhaps even
>>setting up filters in RSCS to reject all such files (when a confirmed report
>>is received). ...
>
>I just saw an IBM announcement a week or two ago which mentioned free
>security enhancements for RSCS. Several of these features looked
>pretty useless, except for one which provides the file filter
>mentioned above. That seems like a useful hunk of code to help nip
>things quickly.

I think we found out about it sometime around the XMAS attack because we
asked IBM directly...evidently there's been enough interest to make it
available. It can be useful, but care must be taken not to abuse it--
that's why I stressed "when a confirmed report of a VM worm is received."

/art

PS> IBM == I've Been Moved

------------------------------

Date: 12 Jun 90 23:22:33 +0000
From: [email protected] (roy schmidt)
Subject: Re: Possible virus (PC)

[email protected] (Woody Baker @ Eagle Signal) writes:
>This sounds like one of the 4.01 bugs. DON'T EVEN LET dos 4.X NEAR a
>machine. It causes all kinds of strange problems. I have a long
>string of friends and aquaintances who have tried it, and have had to
>go back to dos 3.x for reliablity. The technical reasons for this are
>many and varied, but the major culprit seems to be the 32 bit fat
>table. Some of the function calls have been modified. Specificaly,
>some of the older calls did not specify the contents ofthe CX register
>pair. Under DOS 4.01 the CX register pair is checked for a specific
>value, to enable 32 bit fat stuff. Since this was not a requirement
>that CX have anything in it, some programs use it for a counter etc.
>etc. These programs can crash bigtime in certain cases. DON'T USE
>DOS 4.X

Really, now! I've been running DOS4.01 for over a year now, without a
hitch. It would be interesting to see which programs your friends
have had problems with, as I have run all the major business programs
and a number of games without any troubles....but this conversation
belongs in another group. This fella with the strange DOS version
messages, etc, seems to be in the clutches of some sort of doctored
code, which is doing things he did not want done, which I believe is
the name of the game for this group. THIS IS NOT A DOS BUG!!!

- ----------------------------------------------------------- ^
Roy Schmidt | #include <disclaimer.h> | |
Indiana University | /* They are _my_ thoughts, | |
Graduate School of Business | and you can't have them, < >
Bloomington | so there! */ X
___________________________________________________________ X

------------------------------

Date: 12 Jun 90 18:35:35
From: "Philip H. Arny" <[email protected]>
Subject: need virus-l undigestifier for PC or MAC

Hi out there --
I've been printing virus-l and putting it in a binder. This is
starting to seem silly, so I think I'll download the digests,
run them through an "undigester" program, and load them into a
textbase.

So -- Is there an undigester program sitting out there? Where could
I get it? Mac or PC would be fine.

Philip Arny
lrc1@umnhsnve
[email protected]

------------------------------

Date: Wed, 13 Jun 90 14:01:00 -1200
From: Pat Cain <[email protected]>
Subject: New Stoned Virus Strains and Killer Available (PC)

Recently we have discovered a new strain of the Stoned Virus. It is not
detected by programs as SCAN, VBUSTER and KILLER.

We believe that this virus probably hasn't spread too far, and possibly
a student created it and brought it into Victoria University.

We have seen various copies of this new strain with different messages,
such as:
"Your PC is Stoned! - version 2"
"Donald Duck is a lie"
and also a blanked out message.

We have produced a killer "NoStone" for this new strain that detects
and removes both the new and old strains. If anyone wants a copy of
this, then we can send it 'uuencoded' through e-mail and we could also
upload it by ftp to a PC anti-viral site if required.
- ---

::: Details :::

We have disassembled the new strain and compared it against the original
strain (that also seems to have come from Wellington, NZ).

* If a machine is infected with the old strain, then the new strain will
not infect the machine (it has code in it to ensure this).

* If a machine is infected with the new strain and it then gets infected
with the old strain then there are problems:
The new strain is moved by the old strain onto where the new strain had
stored the Master Boot Record (MBR). When this happens, there is no
copy of the MBR and the next time the machine is booted the two strains
continually re-load themselves reducing the memory each time until there
is no memory remaining and the machine crashes.

If you don't have a backup of the MBR then you are in trouble,
'NoStone' automatically saves a copy of the MBR when it is first run
and detects if the hard disk has been doubly infected, and if so
recovers the partition table.

For anyone who is interested in this new strain, the author has made a
a commented dissasembly of the new strain and has noted the differences
between the two strains. He would prefer to provide this only to people
who have a valid reason for requiring it (such as those who wish to change
their virus killers to check for this new strain).

To contact the author Simon McAuliffe, e-mail: [email protected]
- -----------------------------------------------------------------------------

Pat Cain, [email protected]

------------------------------

Date: Wed, 13 Jun 90 07:16:00 -0400
From: [email protected]
Subject: George of the Jungle: Not to worry? (Mac)

Quote:
"Is this a standard WordPerfect Icon? The person found this document
in his system folder. I have a copy on floppy if anyone would care to
look at it.

Your document sounds like a WP Undelete File 1 (ICN#137). Since it's a
temporary File it should come and go. See the manual (p.640 in mine).

- ----------------------------------
Richard Howland-Bolton
Manager Publications Computing
Cornell University
Internet: [email protected]
Compuserve: 71041,2133
Voice: (607) 255-9455
FAX: (607) 255-5684
Etc, etc.
- ----------------------------------

------------------------------

Date: Wed, 13 Jun 90 09:12:24 -0400
From: "Chuck Sechler" <[email protected]>
Subject: Password Standards Checking

Some breakins to a computer at a university in Ohio has prompted us at
Ohio State to look into enforcing use of more obscure passwords on our systems.
I looked around on listserv groups for a security list, but could not find one.
So, I am trying these lists.

Basically, we want to know if there has been any work on MVS and CMS platforms,
to keep users from picking obvious passwords, like their name, password same
as userid, password is a word, etc. On MVS we are working on Top Secret
package, and it has some interesting capabilities for restriction, including
generating random passwords, when a user if forced to change their password,
but it is not ready yet. Some UNIX platforms check passwords against very
large lists of restricted words(like 50000 or more). Any thoughts? Should this
be on a different list?

------------------------------

Date: Wed, 13 Jun 90 16:37:14 +0300
From: Y. Radai <[email protected]>
Subject: UnVirus 9.02 (PC)

Every once in awhile someone posts to this list a cry of anguish
like "Help, I think we've got the XXXXXX virus! What should we do?"
Well, of course every regular reader of VIRUS-L knows that one can use
McAfee's SCAN and CLEAN or Skulason's F-DISINF or F-FCHK, not to men-
tion various commercial programs. But sometimes there's a specific
request for *freeware* (often erroneously called "public domain" soft-
ware). I recently sent an archive of such software, UNVIR902.ZIP, to
Keith Petersen for uploading to SIMTEL20 (directory <MSDOS.TROJAN-PRO>)
and to Jim Wright for uploading to other sites. This archive contains
two programs by Rakavy and Mann, the virus removal program UnVirus 9.02
and the resident program Immune 9.00. UnVirus 9.02 eradicates the:
Stoned (Marijuana)
4096 (Frodo)
Jerusalem (1813)
Ping-Pong (Bouncing Ball)
Brain (Pakistani)
Vienna (648)
DataCrime
and several other viruses.
Obviously, UnVirus 9.02 can't compete with the other programs men-
tioned above in number of viruses removed, but when one takes into
account the *frequency* of infections by each virus, this list ac-
counts for 70% of all infections (according to the report by David
Chess in Issue 90).
A new version of UnVirus is being developed which will detect almost
as many viruses as those programs, and will be much faster than them.
Preliminary tests indicate that it's twice as fast as SCAN and seven
times as fast as F-FCHK. (It's possible that F-FCHK can catch more
mutations of known viruses, but that remains to be tested.) Moreover,
the time required by the new UnVirus is independent of the number of
viruses scanned for, so its speed relative to these other programs
will increase as the number of viruses increases.

Y. Radai
Hebrew Univ. of Jerusalem, Israel
[email protected]
[email protected]

------------------------------

Date: 13 Jun 90 16:29:37 +0000
From: [email protected] (Bob Lombardi 44139)
Subject: Is This a Virus? (PC)

I've been having a wierd problem with my 386 machine that I thought
I'd see if anyone had seen before. Is this a virus?

After the system has been running for a while, a bad DOS command or
search for a file out of the current directory will cause the system
to halt and display "All data on the selected unit will be destroyed.
Proceed (Y or N)?". The message comes from the BIOS prom on the hard/
flopy controller. It thinks it wants to format the hard disk.

The system is a 25 MHz clone, with motherboard by PC-Calc (I think) that
uses a Chips & Technologies chipset. The hard drive is a SCSI 80 Meg
Seagate ST-296N with an ST-02 controller. Everything else in the system
has been changed out. The OS is DOS 4.01. We have been running 4DOS (in
the evaluation period), but removing it has no effect. Booting from a
floppy thought to be "clean" (virus free), with nothing in either
config.sys or autoexec.bat, has no effect on the problem.

We have replaced the controller card, and run with every other card in
the system removed. We swapped a CGA card for the VGA card. Only the
motherboard (my suspicion), the hard drive and the floppy have not been
swapped out. If it is a virus, it is undoubtedly on the hard disk by
now.

If anyone has seen anything like this, please email to me. If interest is
shown, I'll post back to this newsgroup.

Thanks......Bob

Bob Lombardi /-/-/ |Internet: [email protected]
Mail Stop 102-4826 | |phone: (407) 729-6360
Harris Corporation GASD | |Packet:WB4EHS @ (temp. out of service)
P.O.B. 94000, Melbourne FL 32902 |Never mistake motion for progress.

------------------------------

Date: 13 Jun 90 16:40:40 +0000
From: [email protected] (Sam Shim)
Subject: Re: - Virus's and Solutions

[email protected] writes:
>I have 2 questions about viruses please can some body answer??
>q2. Virus lives in memory when you put system off you can't get rod
>off it, It will go to clock ROM chip!! Is there any solution other
>than disconnecting battery??

I can't answer question one but I can answer question two. I know of no virus
that can reside in the clock RAM (not ROM) chip and I really really doubt
that is is possble. The CMOS RAM stored is usually very small (around 64
bytes) and most of that is used for maintaining the date/time, CMOS
configuration, etc... I doubt anyone can make a virus that small, and even
if they could, the CMOS RAM is not executable so it would just sit there
doing nothing. So it wouldn't even replicate so I doubt you can even consider
it a virus. A virus might be smart enough to store some of its code in
CMOS ram (like counting how often that virus has been executed), but most
of its code would still have to be on your drive. And because of that, the
virus can be detected and removed. Sounds like someone's giving you some
bad information about viruses.

-----------------------------------------------------------------------------
| Sam Shim | "I didn't do it... |
| EECS Departmental Computing Organization | It wasn't me... |
| University of Michigan | Nobody saw me do it... |
| Ann Arbor, MI 48109 | Nobody can prove a thing..." |
| internet: [email protected] | - Bart Simpson |
-----------------------------------------------------------------------------

------------------------------

End of VIRUS-L Digest [Volume 3 Issue 113]
******************************************
Downloaded From P-80 International Information Systems 304-744-2253