VIRUS-L Digest Tuesday, 8 Oct 1991 Volume 4 : Issue 185
Today's Topics:
Morris worms through courts
RE: DEC PathWorks and Virus propagation (PC)
Re: Novell Virus? (No, screen blanker) (PC)
Stoned on preformatted Verbatim Disks? (PC)
Re: new programs by Padgett; report (PC)
HW not a virus solution
Hardware protections (PC)
Checking for virus at boot
Help urgently needed for stoned virus (PC)
"Terminal Compromise" Inter.Pact Press (615)883-6741
Hardware
Re: NOVELL virus?
dir2clr, virx1.8 available on urvax.urich.edu (PC)
New file on risc (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: 07 Oct 91 13:23:00 -0400
>From: "zmudzinski, thomas" <
[email protected]>
Subject: Morris worms through courts
Copied from COMMUNICATIONS WEEK, September 23, 1991:
"Morris Worms Through Courts
There's a chance that the U.S. Supreme Court could hear
the renowned Internet network "worm" case during its ses-
sion that begins next month. An attorney for Robert T.
Morris, the former graduate student convicted of unleash-
ing on the Internet a rogue computer program called a
worm, in June asked the Supreme Court to review a U.S.
Appeals Court decision upholding charges that Morris
broke a federal computer security law when he sent out his
worm program. Morris maintains that he didn't mean to
cause harm with his program--only to show the security
holes in the Unix operating system."
Tom Zmudzinski ZmudzinskiT @ IMO-UVAX.DCA.MIL
Defense Information Systems Agency (703) 285-5459
From Zmudzinski's DevilNet };{> Dictionary:
"ABUSER FRIENDLY (stu'pid) adj. [Masochistic] The common
state of security on most computers and networks at any time."
------------------------------
Date: Mon, 07 Oct 91 11:40:20 -0600
>From:
[email protected] (Kevin Hemsley)
Subject: RE: DEC PathWorks and Virus propagation (PC)
[email protected] (Pete Lucas) writes:
> In particular, my interest is in whether a virus such as 1701 or 1704
> can 'take up residence' on a virtual-disk on the VAX/VMS system. If it
> does take up residence, how would i go about removing it? One of the
> networked PCs has been caught with 1701 and i need to know if the rest
> of the PCs are going to get it too. Somehow, i suspect that the
> subtle differences in filestore structure between DOS and VMS will
> prevent such a problem; can someone confirm or deny my assumption?
I have not had direct experience with PathWorks, but I can offer this
opinion.
The 1701, 1704 (Cascade) virus and related variants are resident file
infecting viruses. Because systems like PathWorks emulate a DOS
environment, the actual format of a disk is invisible to applications
and viruses. (atleast for the most part) Therefore, file infecting
viruses, such as Cascade, can infect files stored on your DOS partition.
If you can access this partition like you would any other physical or
logical drive, it is possible that this and other viruses can infect
files stored on a virtual disk. Even if a virus is unable to
propagate across your network, you can still store an infected file
on a virtual disk. Therefore, it is my opinion that your virtual
disk (or rather files stored on that disk) is not immune to virus
attack, either directly or indirectly.
The clean-up and protection of this type of networked environment
requires a slightly different approach than standalone computers.
Padgett Peterson has made a few brief postings on what is required
for such an effort. I have been working on a system that I call
a network virus monitor which uses concepts similar to Padget's.
I hate to think about cleaning up a large, widely-infected network.
It is for this reason that I am placing a high priority on network
protection.
-
-------------------------------------------------------------------------------
Kevin Hemsley |
Information & Technical Security | If you think that you have someone
Idaho National Engineering Laboratory | eating out of your hand, it's a
(208) 526-9322 | good idea to count your fingers!
[email protected] |
-
-------------------------------------------------------------------------------
------------------------------
Date: 07 Oct 91 14:24:58 -0500
>From: "James H. Ford III" <
[email protected]>
Subject: Re: Novell Virus? (No, screen blanker) (PC)
When you load MONITOR (in Novell 386 v3.xx, not Novell 286 v2.1x), you get
the monitor screen with several options. However, after 5 minutes or so,
MONITOR will place the "worm" on the screen as a screen-blanking device.
On a monochrome monitor, different worm segments will appear as different
shades of gray. On a color screen, you will see different worm segments
as different colors. As soon as you hit a key (ESC or anything else), the
blanking stops and you return to the MONITOR screen. (FYI, the SMTP
program Charon uses the same screen blanking "worm" figure).
One interesting note: The length and speed of the "screen worm" is based
on the server utilization. The higher the server utilization, the faster
and longer the worm gets.
Not a trojan, not a virus, just a screen blanker. Nothing to worry about.
James Ford - Consultant II, Seebeck Computer Center
[email protected],
[email protected]
The University of Alabama (in Tuscaloosa, Alabama)
------------------------------
Date: Mon, 07 Oct 91 19:55:00 +0000
>From:
[email protected] (Jeffry L. Johnson)
Subject: Stoned on preformatted Verbatim Disks? (PC)
This is at least thirdhand information, but I am curious
whether anyone else has heard this rumor:
Some preformatted Verbatim floppy disks are infected
with the STONED virus.
I do not know what density or size of disk.
- --
Jeffry L. Johnson CWRU Film Society Alumnus
Tech, HLA Lab, Institute of Pathology, CWRU/UH
Freenet ID: ac717 (Internet ID:
[email protected])
CompuServe: 71117,527
------------------------------
Date: 07 Oct 91 18:35:41 +0000
>From:
[email protected] (Jesse Chisholm AAC-RjesseD)
Subject: Re: new programs by Padgett; report (PC)
[email protected] writes:
: Hi.
: Now available:
: NOFBOOT.ZIP
: SAFEMBR.ZIP
:
: the new programs created by A. Padgett Paterson (and sent directly by him).
: Both programs are "freeware".
:
[ description deleted ]
:
: Bug report: the program included XXencoded in virus-l 4.180 arrived
: garbled; I was unable to decode it (got an "illegal character in line 3"
: error message).
: Any luck anyone?
:
: Regards, Claude
I got my copy of NOFBOOT and SAFEMBR direct from Padgett Paterson.
They came across with no problems. I have begun testing them and so
far I like them. The only problem I have seen so far is that it is
not a good idea to run SAFEMBR twice on the same system. It does not
check to see if it is already installed. I am sending Padgett a full
report soon.
Jesse Chisholm | Disclaimer: My opinions are rarely understood, let
[email protected] | tel: 1-408-432-6200 | alone held, by this company.
[email protected] | fax: 1-408-435-8517 |-----------------------------
======== This company has officially disavowed all knowledge of my opinions.
- --
============== For a good prime, call 214-748-3647 ===============
------------------------------
Date: Mon, 07 Oct 91 14:54:27 -0700
>From: Jay Skeer <
[email protected]>
Subject: HW not a virus solution
>From:
[email protected] (Fred Waller)
> Only hardware/firmware defenses can definitively stop such software
> attacks. Hardware defenses can be much *less expensive* in the long
> run, and even in the short run, do not encourage the production of
> ever-improved viruses and do not need to be frequently upgraded.
>
> Hardware defenses stop viruses. Software defenses do not.
This is an appealing position, but as I pointed out to Fred (Cohen)
and Len (Adelman) in class some years ago, it is not workable, or even
useful. Since Fred (Waller) gives no details about the proposed
hardware, I will propose my own hardware virus solution, and
demonstrate its problems. If this is not what was discussed, if I
somehow missed the proposal, please forgive me, and point out how your
proposals avoid my criticisms. Be sure to read all the way to the
end, and be sure you understand my criticisms though.
Jay's Virus Proof Machine
Jay's Virus Proof Machine has two disk drives a "program" disk and a
"data" disk. It also had a big red switch labeled "install/run".
When the switch is in the "run" mode, the computer behaves normally,
with two exceptions, the "program" diskdrive is not writable, and
programs can only be run from the "program" disk. Since the switch
directly switches the write current wire of the "program" disk, no
software is able to circumvent it and write to the "program" disk.
That programs can only be run from the "program" disk is again
incontravertable hardware fact (think about a "harvard" architecture
machine). So, in "run" we seem to be safe from viruses -- no running
program can infect any other runable program.
When the switch is turned to the "install" position, the computer
reboots and runs a very tiny (< 5k), very dumb program called
Installation Software (IS). The IS is only capable of moving files
from the "data" disk to the "program" disk, of renaming files on the
"program" disk and of deleting them. It can not run any programs. Of
course, the IS is stored on the "program" disk, or better yet in ROM.
So it seems that in "install" mode we are also safe from viruses.
(Since I am dreaming I will add that the tiny IS has been
mathematically proven correct by ten different University and
Commercial groups, and has been available for ten years for crackers
to crunch on with an offer of $1000000 to anyone to defeat it. No one
has yet.)
In summary, only in "run" mode can programs (other than the dumb IS)
be run, they must all come from the "program" disk, and in "run" mode
the "program" disk cannot be written to. And in "install" mode only
one program, proven very safe, can be run. Great! No virus is
possible!
Jay Wakes Up
Sounds good huh? It wont work. It WILL make the life of computer
users miserable, but it WONT prevent the spread of viruses.
This scheme fails because it does not take into account the
observation (invention?) that some bright guy (Von Neuman?) made in
the 50's -- You can't tell program from data. You just can't.
Where should I store my spread sheets? Either they are on the
"data" disk (and thus ripe for (with?) viruses) or they are on the
"program" disk. If they are on the "program" disk then they are hard
to modify, and what use is a spread sheet if you can't modify it?
This scheme will only stop viruses if users are willing to live
without interpreters. How many interpreters do you use in a day?
Command interpreters, spread sheets, text editors, and even terminal
emulators all very often have (or are) interpreters. Are you ready to
give up the ability to easly develop programs for those interpreters?
I am not.
(You might think that people would not write viruses for those weak
interpreters. But you'd be wrong. I've heard of viruses infecting
hypercard stacks, spread sheets, and even command interpreter scripts
(In fact Fred Cohen wrote a few himself!).)
Sadly, the proposed scheme doesn't even prevent viruses from
spreading. Take me as an example, I work on a very advanced CASE tool
which my company sells. Suppose we became infected with some very
tricky virus. Our "safe" programs could be sent out, and our
infection could spread to other developers and users. After all, at
some point our program must exist on some "data" disk, and at that
point the virus could infect the "data" before it is moved to a
"program" disk. In fact, that is how we were infected, yeah thats it,
its all PicoSoft's fault! Their compiler has bugs AND viruses! (You
should be sure to ignore their claim that it was a previous version of
our CASE tool which infected them. :->)
Fred (Cohen) proved it very well, go read his thesis. The cost of
eliminating viruses is very high, I doubt anyone will want to pay it.
You are simply required to stop using stored program computers, or to
stop bringing any (possibly infected) stored programs to your system.
If you wish to use stored program computers (I do) you will have to
accept the truth that ...
there is no unstopable virus, and no virus proof shield.
j'
P.S. After an especially paranoid Philip K. Dick book, I dreamt of a
CPU infected with a virus designed into it by the CAD software running
on another infected CPU. The chip virus insures that a engines made
to run in a certain brand of car, after a few tens of thousands of
miles, stop working. But I woke up... didn't I?
P.P.S. I got the idea of a computer virus from an old S.F. book. In
the book they actually describe a worm (and called it that) in the
phone system, but it was easy to see from the description how to write
a virus, and why you might want to. I discused the idea with a
friend. He and I became very excited, and went to our bosses and
described it, as well as our intention to write one. Our bosses said
that if we wrote one, we would be fired. Later we mentioned the idea
to Fred and Len in class, and it took off. This was in 1983 or 4.
Does any one know the name of that book, or of an earlyer reference to
computer viruses?
------------------------------
Date: Tue, 08 Oct 91 00:06:48 +0000
>From:
[email protected] (Zoltan Kelemen)
Subject: Hardware protections (PC)
Many PCs already have enough hardware to allow construction of a
perfect protection against viruses. The only thing needed is a
processor with memory protection. Unfortunately, the popular operating
systems do not support memory protection. Maybe things will change if
OS/2 becomes popular.
Zoltan
------------------------------
Date: Tue, 08 Oct 91 01:22:16 +0000
>From:
[email protected] (Colin McFadyen)
Subject: Checking for virus at boot
Hi all. I apologise if this is a FAQ but I am not a regular
reader of this group.
Can someone recommend a virus checker to be run at boot time
and let me know where to find it on the net.
Many thanks,
Colin McFadyen.
------------------------------
Date: Mon, 07 Oct 91 22:44:26 -0400
>From: <YAGHC%
[email protected]>
Subject: Help urgently needed for stoned virus (PC)
MY PC was stoned yesterday. After I run some game program from my
friend my pc can not be booted from drive C which has DOS 5.0. It just
stay on drive A with light on and go no further. If I put a disk which
has a DOS system file on it in the drive A, it still doesn't work but
will show a message " your PC is now stoned". But if I use DOS 4.0 to
boot the PC on drive A, it works ,from there I can get into C drive.
Then I run Anti-virus program, but it didn't show any virus
information. What I should do ? please help. Thank you very much.
------------------------------
Date: Thu, 03 Oct 91 08:12:44 -0400
>From: padgett%
[email protected] (A. Padgett Peterson)
Subject: "Terminal Compromise" Inter.Pact Press (615)883-6741
Have just finished the novel by Winn Schwartau and it is
amazing how many influential people I am hearing echo its
concepts. This is an important book for the computer security
industry and puts into both readable English and perspective many
of the concerns that exist. This is the "Cuckoo's Egg" of 1991
without the recipe for chocolate chip cookies. The scary part is
that I have seen many of the penetration techniques used. Each is
very real and very possible.
However, when reading the book, it must be remembered that
this is a "worst case" scenario and rests on the popular premise
that "Viruses are just programs, computers executed programs,
therefore computers cannot differentiate between viruses and
legitimate programs". While it sounds good, like the Lorenz-
Fitzgerald equation often used to "prove" that you cannot exceed
the speed of light, it breaks down upon examination (e.g. you
only achieve the effect of infinite mass if exactly lightspeed is
maintained for an infinite time - an integral taken to the
limit).
As a matter of fact, some interesting energy relationships
derive if an object is held at lightspeed for a finite time.
Meanwhile, back at the ranch: while it is true that viruses
are only collections of instructions, they are instructions that
do things that normally should not be done and * this * is *
detectable *.
As an extreme case, the DATACRIME (actually a very poor
virus but mentioned several times in the book) when triggered
attempts to format the disk using a special function of Interrupt
13. Since this function is ONLY used for this purpose, turning is
off/flagging attempts is simple with software (DiskSecure does
this at the BIOS level).
Of course, the point could be made that other software can
defeat software. This is true, but it is difficult for software
to defeat software unless it knows exactly what and where it is.
Since I have other programs that just periodically validates
DiskSecure, a virus would have to target these as well and there
are several variants (see my discussion of simple but multiple
encryption techniques in last Spring's V-L).
Now if everyone used DiskSecure, virus writers could just
target it, however if MicroSoft, Norton, Mace, Central Point,
Digital Research, and all the others came out with similar but
different software, and AMI, Phoenix, Award, and Tandon each had
a different BIOS implementation a generic virus becomes so
difficult to write and would have to be so big to handle all of
the cases the it would become uneconomical: this is the reason I
give the concepts away.
Thus while "Terminal Compromise" is an important book and
should be widely read, it is equally important to remember that *
there * are * practical * solutions *, we just have not been
willing to demand them. For example, much is made of reading CRT
display emissions from a distance. If you are truely concerned,
there is a simple answer: LCD displays. In addition, I have seen
TEMPEST CRT filters advertised as well. Everyone has one, Right ?
The basic premise is true though: much of the nation's (and
the world's) information processing capability is a risk, not
because it cannot be protected, but because we have not bothered
to do so. The important thing is that we do not need the NSA to
help/approve, it is just a matter of doing.
Padgett
------------------------------
Date: Mon, 07 Oct 91 22:54:10 -0700
>From:
[email protected] (Fred Waller)
Subject: Hardware
Jay Skeer <markv.com!jay> writes about my comments on hardware
protection:
> This is an appealing position, but as I pointed out to Fred
> (Cohen) and Len (Adelman) in class some years ago, it is not
> workable, or even useful. Since Fred (Waller) gives no details
> about the proposed hardware, I will propose my own hardware
> virus solution, and demonstrate its problems.
--
[NOTE: Fred (Waller)'s articles did not "give details about the
proposed hardware" because there was no specific hardware being
proposed. The statements were general, not specific. We'll get
a little more specific this time]. Jay Skeer continues:
> Jay's Virus Proof Machine
> -------------------------
> Jay's Virus Proof Machine has two disk drives a "program" disk and
> a "data" disk. It also had a big red switch labeled "install/run".
>
Jay Skeer's message brought to mind a rather similar machine
that Fred (Waller) once devised:
Fred's Virus-Resistant Machine
------------------------------
Fred's Virus-Resistant Machine also had two disk drives, a "program"
disk and a "data" disk. It, too, had a _small_ switch (not red),
labeled: "Install/Run".
(Notice that unlike Jay's Machine, Fred's machine was not Virus-
Proof but only Virus-Resistant. Is Fred more modest in his goals
than Jay...? He also added some few extra touches that Jay
didn't think of, and his switch was rather smallish, and not red).
---
The rest of Jay's description approaches Fred's own design fairly.
In fact, the similarity is so close that Fred thinks that Jay
managed to slip into a time warp and snatch Fred's ideas before they
had even been conceived! (Snatching ideas before they are even
conceived is a disconcerting habit which should be discouraged).
There was, however, a very important difference between Jay's Virus-
Proof Machine and Fred's Virus-Resistant one. This difference was
that while Jay simply *imagined* such a design, and then went about
demolishing his own idea (in theory), Fred went and actually *built*
a machine, and didn't demolish it (even in practice). Then, while
Jay was lucubrating on Fred (Cohen)'s theory, Fred (Waller) got hold
of his pet viruses and tried to infect his virus-resistant machine.
Quoting Jay Skeer further:
> Jay Wakes Up
> ------------
> Sounds good huh? It wont work. It WILL make the life of
> computer users miserable, but it WONT prevent the spread of
> viruses.
>
> This scheme fails because it does not take into account the
> observation (invention?) that some bright guy (Von Neuman?)
> made in the 50's -- You can't tell program from data. You
> just can't.
>
Well, I don't know about Jay Skeer, but Fred (Waller), not being a
a bright Hungarian like v.Neumann., didn't know that. He only knew
that v.Neumann had proposed to store instructions and data together,
intermixed in the storage medium, and that this created an ambiguity
of interpretation, and allowed instructions to be self-modifying,
(the so-called "bad programming" of some), and that the ambiguity
could be resolved (though temporarily) when the stored element was
fetched from storage and either executed or operated on.
Unlike Jay, Fred (Waller) also had this silly idea that it isn't
necessary to make viruses impossible in order to provide adequate
defenses against them. He didn't care if they existed, as long as
it was somewhere else.
But, regardless of abstruse theory, Fred (W) read in his MS DOS
manual that program files went under DOS extensions like .COM, .EXE,
.OVR... Knowing this, he had no trouble telling them apart from
.TXT, .DAT, .DOC and .WK1 files. So, unaware that his machine
couldn't work, he went ahead and started testing it. (He did,
however, believe that the design details of hardware protection
couldn't be derived from solely symbolic considerations).
As Jay Wakes Up, Fred (W) Continues Sleeping
--------------------------------------------
While sleeping thus, he tried Boot infectors and he tried executable
infectors. He tried stealth viruses and candid ones, viruses that
self-encrypt and mutate and he tried others that do none of those
things. He even intentionally allowed viruses on the `program'
disk, but kept the little switch in its safe position. He had TSR
viruses, and transient viruses, big ones, little ones, American,
Israeli and Bulgarian, "wild" and "research" viruses, smart and
dumb ones... he tried them all.
In this way, while Jay decided that his machine couldn't possibly
work, Fred discovered that his machine (which wasn't virus-proof,
but only virus-resistant) *did* work, and extremely well. None of
his favorite viruses (hundreds of them, my goodness!) succeeded in
infecting it. Since he always booted from a clean disk (the safe
"program" disk or a trusted diskette), he had no Boot infectors
in RAM. Some of his viruses did freeze the machine but he was
able to reboot without infection and kept smiling.
Fred (Waller) used his word processor, and an electronic spreadsheet,
which he stole from his wife. He installed a DOS shell and used a
database manager. He tried his telecomm program, which has terminal-
emulation facilities, and he emulated terminals. Fred created
spreadsheets, letters to his friends (and to one enemy), and
developed a database to organize some long-forgotten and mysterious
writings of his. All this time, his test viruses were furiously
banging their symbolic little heads and pushing their symbolic little
bodies against the invincible hardware of his little (not red) write-
protect switch.
Fred compressed files and used TSRs and run DOS 5.0 and used
spelling checkers; he copied data files and he erased them. In short,
Fred (Waller) did all those "interpreter" things that Jay wrote
about, and they had no problem interpreting whatever it is they
needed to interpret. The viruses, however, seemed to have all kinds
of problems getting "interpreted"... :-) Also, DOS 5.0's SETVER
command was, ahh... confused at times <sigh>. A minor price to pay
for all the protection. So Fred decided to call SETVER a `bad
program' and let Frisk's heuristic analyzer bury it.
Thus, while Jay's Virus-proof Machine appeared to him not to be
very virus-resistant, Fred's Virus-resistant Machine turned out
to be rather virus-proof! Fred (Waller) attributes this amazing
effect to a little-known characteristic of time warps, called the
Retro-revengful anti-theoretical somersault.
Now, Fred (Waller) is searching Fred (Cohen)'s thesis, von Neumann's
works and and other writings trying to discover what he did wrong.
Obviously, his machine should have failed... but didn't. Fred
(Waller) is very ashamed of this. He'll try to rectify this
unseemly situation, and will try to come up with a theoretically-
correct, totally ineffective machine just as soon as he can.
Oh, Fred (W) would be very interested in seeing a sample of any
virus that could infect his machine. Perhaps Jay Skeer could
provide him one? A high-voltage virus, maybe?
:-)
Fred (W.)
[email protected]
------------------------------------------------------------------
Now, a *hardware virus*, that would be a little more difficult...
------------------------------------------------------------------
------------------------------
Date: Tue, 08 Oct 91 08:48:34 +0700
>From: James Nash <
[email protected]>
Subject: Re: NOVELL virus?
This worm in MONITOR is a screen saver and not to be worried about!
BTW, I've heard a few reports of MONITOR crashing a server when it's
left loaded on a for a number of hours. Best to unload it each time
you've finished at the console
- --
James Nash, Computing Services, Coventry Polytechnic, England
[email protected]
------------------------------
Date: Mon, 07 Oct 91 11:07:00 -0400
>From:
[email protected]
Subject: dir2clr, virx1.8 available on urvax.urich.edu (PC)
1) DIR2CLR: the file xxdecoded fine, now in [.msdos.antivirus]
2) VIRX 1.8: I fetched the file yesterday from SIMTEL20, and have it now
available form the same directory.
Please note that when you do a FTP from our site you'll be in the [anonymous]
directory, and will have to change to [msdos.antivirus].
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Claude Bersano-Hayes HAYES @ URVAX (Vanilla BITNET)
University of Richmond
[email protected] (Bitnet or Internet)
Richmond, VA 23173
------------------------------
Date: Mon, 07 Oct 91 09:33:58 -0500
>From: James Ford <
[email protected]>
Subject: New file on risc (PC)
The file "dir2clr.zip" has been placed on risc.ua.edu (130.160.4.7) for
anonymous FTP in the directory pub/ibm-antivirus.
The zip file consists of 2 files: DIR2CLR.COM and DIR2CLR.C
- ----------
No executive ever devotes any effort to proving himself wrong.
- ----------
James Ford - Consultant II, Seebeck Computer Center
The University of Alabama (in Tuscaloosa, Alabama)
[email protected],
[email protected]
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 185]
******************************************
Downloaded From P-80 International Information Systems 304-744-2253
