VIRUS-L Digest Thursday, 17 Oct 1991 Volume 4 : Issue 193
Today's Topics:
Re: Experiences with hardware protection (Thunderbyte)
Re: Hardware and Software; Re: Forget Turing...
Several subjects (PC)
Virus Proof Machine ?
Re: Manners
Re: Hardware, hardware...
Anti-virus patent - that date sounds familiar
Computer "Anomalies" in books
re: More hardware!
virus(15xx) (PC)
Questions on Stoned virus (PC)
Need Protection (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
----------------------------------------------------------------------
Date: Wed, 16 Oct 91 09:56:59 +0000
From: Fridrik Skulason <[email protected]>
Subject: Re: Experiences with hardware protection (Thunderbyte)
>I got product information about a hardware virus protector called
>'Thunderbyte' which intercepts all mysterious writings to the disk, e.g.
>absolute ( not through DOS ), writing to exe/com files etc.
Thunderbyte was reviewed in the Sept '91 Virus Bulletin. It was
tested against 183 infected programs. It did stop 114 of them, and in
25 additional cases it detected an attempt to write to the disk. The
rest (44 infected files) could be run without activating the card.
In some of those cases the virus did not attempt to do anything harmful,
so there was nothing for Thunderbyte to detect.
-frisk
------------------------------
Date: Wed, 16 Oct 91 09:56:56 +0000
From: [email protected] (Lars Jødal)
Subject: Re: Hardware and Software; Re: Forget Turing...
It seems to me that this Turing talk is going along two *different*
threads:
1) Can computers (in principle) distinguish between a virus and a
"normal" program?
2) Can computers be built to be safe from virus infection?
These are two different subjects! So the proof by someone-I-don't-know
that 1) is undecidable on a Turing machine should only (or rather at
most) discourage people designing programs to detect viruses, not people
trying to design a system which cannot be infected.
Right?
+--------------------------------------------------------------------------+
| Lars Jødal | (put your favourite quotation here) |
| [email protected] | |
|--------------------------------------------------------------------------|
| Computer Science Department - Aarhus University - Aarhus - Denmark |
+--------------------------------------------------------------------------+
------------------------------
Date: Wed, 16 Oct 91 10:14:49 +0000
From: Fridrik Skulason <[email protected]>
Subject: Several subjects (PC)
DR-DOS 6.0
I have been studying the DR-DOS 6.0 password protection a bit, and
it seems to protect against most file viruses most of the time. There
are viruses which are able to bypass it, and if you ever remove the
write-protection (for example when updating a file) you are vulnerable
to any "infect-on-copy" type virus.
Virus families
I am trying to compile a list of PC virus families, in an effort to
reduce the naming confusion. There are some problems in defining
just what a virus family is. For example, it is not 100% clear if
the following groups of viruses should be considered to belong to
the same family or not.
1) Jerusalem, Fu Manchu, Plastique and Slow
2) Vacsina and Yankee
3) W13, Vienna, Ghostballs, V2P2
4) Cascade and JoJo
Any thoughts on this subject ?
F-PROT 2.01 delay
The release of version 2.01 has been delayed by a week, so I can add
60 (or so) new viruses from Poland.
My E-mail address
My E-mail address has changed - it is now [email protected], but
mail sent to [email protected] should still reach me.
-frisk
------------------------------
Date: Wed, 16 Oct 91 11:29:15 +0100
From: Chris Stops <[email protected]>
Subject: Virus Proof Machine ?
Hello Netters!
I have read with interest the discussion over the last few
weeks on hardware vs. software protection, OS/2 viruses and other
preventative measures. So I thought it was about time I threw in my own
half penny worth of thoughts...
For me, the ultimate protection (if there is such a thing) is a new type
of PC-like machine, which I will now describe...
The machine is based, for argument's sake, on an 80386 running in
protected mode, for which I will assume there are no 'back doors' (such
as undocumented instructions) by which the protected mode can be
breached.
(Side note : In fact, the 80286 had a back door, the LOADALL
instruction. This loaded ALL of the processor's registers, including the
internal ones associated with the protection. However, LOADALL filled
the registers with values read from a memory block at absolute location
800h, so this back-door can be closed simply by making sure that the
memory at 800h is in a high priority region).
The entire operating system (i.e. BIOS, IO.SYS and MSDOS.SYS, but not
the external commands) is held in ROM (or EPROM, or something similar.
Upgradeable ROMs were recently discussed). Again, I will assume there
are no 'back doors' such as undocumented operating system calls by which
an application may increase its privilege level.
When the machine is switched on, the processor starts executing code
from ROM. It sets up any required operating system data areas in the RAM
including, for example, the interrupt vector table (or 'interrupt gates'
to be more precise). Most importantly, the operating system sets up
protected mode before ANY code is loaded from a disk and executed. The
protection is such that the code of the operating system kernel and the
interrupt gates are at the highest priority and cannot be read or
written by any application. Also, all of the hardware I/O ports are
similarly protected. Thus, no one can write a boot type virus to sneak
in before protection of the operating system is established; No virus
can hide in the operating system code itself; No virus attached to an
application can hook into the operating system and become resident; And
no virus can go down to the hardware. The only way into the operating
system is via a well defined interrupt gate.
Of course, viruses don't have to become resident to do their dirty work.
They can act 'on the fly' just before an infected program is run. In
this case, the operating system limits the operations which can be
carried out on executable files. For example, executable files may be
created (so compilers still work) or may be executed (of course!). But
they cannot be opened for read access. Nor can their executable status
be altered to look like a data file (e.g. in DOS terms, *.EXE becomes
*.DAT, the 'DATA' file is processed, then *.DAT is renamed back to
*.EXE). If we still allow executable files to be deleted, then about the
only sort of virus left is an overwriting virus, which deletes an
application and then creates a copy of itself using the name of the
application. But since the applications will no longer run, it should be
obvious that something is wrong with the machine.
To allow copying of executables (e.g. from floppy to HD) there would need
to be a new operating system call for copying files, because, of course,
no application (e.g. COPY) can read the source file!
Now of course, there will be some users who want/need read/write access
to their executable files. In this case, we could have a three position
switch inside the machine, mapped into a protected I/O location. It
functions as follows...
Position A All attempts to read an executable file are stopped.
Maybe a box could flash up to warn the user. The machine
would be shipped with the switch in this position, so
non-technical users are safe.
Position B All attempts to read an executable file result in a
dialogue box on the screen. The user may allow or stop
the access, and this would be useful for semi-technical
users. The user would be suspicious if 'KINKY.EXE' tried
to read 'WP.EXE', but not if an updating program tried to
change an executable.
Position C All attempts to read an executable file are allowed.
Users do this at their own peril!
In fact, earlier I mentioned an overwriting virus that could operate if
deletion of executables was allowed. Maybe this could also be controlled
by a similar switch.
Similar protections could be put on batch files, if required, although a
batch file virus would be easier to spot.
Now that the operating system is so well protected, we have a problem.
Not only can no virus modify it, but no extensions can be added either,
for example, new device drivers. The virus proof way around this is that
new drivers are supplied on ROMs which can be plugged into the machine,
and patched into the O/S during initialisation. A slightly less secure
approach is that drivers are loaded off a disk. They execute at a
priority below that of the main kernel, but above that of the
applications software. Then, the only way a virus could spread is for a
disk device driver to spot another disk device driver while accessing a
disk, and then infect it. But I think that the effect of such a virus
would be negligible.
Any comments anyone? Is a totally ROMed version of the machine virus
proof? Is there a hole somewhere? I have a gut feeling that any holes
would eventually map down to a hole in the processors protected mode.
After all, surely the idea of a protected mode is that you can build a
protected system?
This protected system also has another advantage: manufacturers can use
their own hardware and O/S software (as long as it is compatible at the
application interface) since no application can contain system dependent
code! So we get more open systems!
Of course, my machine would probably be incompatible with Mess-DOS. But
then, isn't it about time we established a new microcomputer standard
based on at least 32 bits of data and address?
Chris.
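The executable-file rules in the post above, modelled as a small Python reference monitor. This is an added example, not code from the original post: applications may create, rename, delete and execute files and may ask the kernel to copy them, but an application's read or write of a file carrying the executable flag is gated by the three-position switch, and the flag is fixed from the name at creation so renaming WP.EXE to *.DAT does not launder it. The in-memory disk, the caller names KINKY.EXE, WP.EXE and UPDATE.EXE, the three attacker strategies, the `allow_delete` knob standing in for the post's second switch, and the choice to gate writes the same way as reads (the post only spells out reads) are assumptions made for this illustration.

```python
# Toy reference monitor for the executable-file rules in the post above.
# Added example, not code from the original post; disk contents, caller
# names and attacker strategies are constructed for illustration.
from enum import Enum

class Switch(Enum):
    A = "deny"   # application reads/writes of executables refused (default)
    B = "ask"    # the user is asked for each attempt
    C = "allow"  # allowed, at the user's own peril

EXEC_EXTS = (".EXE", ".COM")
VIRUS = b"<virus body>"

class Monitor:
    def __init__(self, files, switch=Switch.A, ask=None, allow_delete=True):
        # name -> [data, is_exec]; flag set at creation, so a rename can't launder it
        self.files = {n: [d, n.upper().endswith(EXEC_EXTS)] for n, d in files.items()}
        self.switch = switch
        self.ask = ask or (lambda caller, target: False)  # position B prompt
        self.allow_delete = allow_delete
        self.log = []

    def _check(self, caller, op, target, ok, why):
        self.log.append((caller, op, target, "ALLOW" if ok else "DENY", why))
        if not ok:
            raise PermissionError(f"{caller}: {op} {target} denied ({why})")

    def _gate(self, caller, op, target):
        """Apply the switch to an application read or write of a file."""
        if not self.files[target][1]:
            ok, why = True, "data file"
        elif self.switch is Switch.C:
            ok, why = True, "switch C"
        elif self.switch is Switch.B:
            ok = self.ask(caller, target)
            why = "switch B, user " + ("allowed" if ok else "refused")
        else:
            ok, why = False, "switch A"
        self._check(caller, op, target, ok, why)

    def read(self, caller, target):
        self._gate(caller, "read", target)
        return self.files[target][0]

    def write(self, caller, target, data):
        self._gate(caller, "write", target)
        self.files[target][0] = data

    def create(self, caller, name, data):
        self._check(caller, "create", name, name not in self.files, "new file")
        self.files[name] = [data, name.upper().endswith(EXEC_EXTS)]

    def rename(self, caller, old, new):
        self._check(caller, "rename", old, new not in self.files, "flag kept")
        self.files[new] = self.files.pop(old)

    def delete(self, caller, target):
        ok = self.allow_delete or not self.files[target][1]
        self._check(caller, "delete", target, ok, "delete switch")
        del self.files[target]

    def copy(self, caller, src, dst):
        # The post's new OS call: the kernel reads on the caller's behalf.
        self._check(caller, "copy", src, dst not in self.files, "kernel copy")
        self.files[dst] = list(self.files[src])

    def execute(self, caller, target):
        self._check(caller, "exec", target, self.files[target][1], "exec flag")
        return self.files[target][0]

def parasitic(m, host):
    """Appender run by infected KINKY.EXE: read the host, write it back + virus."""
    m.write("KINKY.EXE", host, m.read("KINKY.EXE", host) + VIRUS)

def rename_trick(m, host):
    """Rename the host to *.DAT, treat it as data, rename it back."""
    m.rename("KINKY.EXE", host, "TMP.DAT")
    try:
        parasitic(m, "TMP.DAT")
    finally:
        m.rename("KINKY.EXE", "TMP.DAT", host)

def overwrite(m, host):
    """Delete the host and create a same-named copy of the virus."""
    m.delete("KINKY.EXE", host)
    m.create("KINKY.EXE", host, VIRUS)

def new_machine(switch=Switch.A, allow_delete=True, ask=None):
    """Fresh machine with one application and one data file (constructed)."""
    return Monitor({"WP.EXE": b"MZ wordproc", "LETTER.TXT": b"Dear Sir"},
                   switch, ask, allow_delete)

def attempt(strategy, **machine):
    """Run one strategy on a fresh machine; True if WP.EXE ends up infected."""
    m = new_machine(**machine)
    try:
        strategy(m, "WP.EXE")
    except PermissionError:
        pass
    return VIRUS in m.files["WP.EXE"][0]
```

Run against a fresh machine, the appender and the rename trick are refused in position A and succeed in position C; the delete-and-recreate strategy succeeds in every position unless `allow_delete=False`, which is the hole the post admits and the second switch it proposes; and a position-B prompt that trusts UPDATE.EXE but not KINKY.EXE lets the legitimate updater read WP.EXE while the virus is refused. The `log` list is the audit trail the post's warning box would be drawn from.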
------------------------------
Date: 16 Oct 91 10:27:45 +0000
From: [email protected] (Henk de Groot)
Subject: Re: Manners
[email protected] (Fred Waller) writes:
>The thread is lost to me but someone wrote not long ago:
> > This whole thread is ridiculous.
> > -------..... -------.....--------
> > I hope this will stop this stupid conversation.
> The subject of hardware protection is not ridiculous nor is the
> series of articles on it a "stupid conversation". If a given
> subject is of no interest to someone, s/he can always skip it.
> Or marshall argument, if not agreeable.
I was the one who wrote it. It was about the write-protection on floppies. You
deliberately left out the article that was between the lines, explaining why
it was ridiculous and the conversation stupid.
I wrote that the write-protect tab on a floppy will not prevent virus spread;
at best it slows it down. Every infection via floppy went through the cycle
write virus to floppy -> read virus from floppy.
The write-protect tab has to be removed in the first stage and therefore
doesn't help. The virus can only spread if the floppy is written on an
infected system, but that is true for every spread of a virus via floppy.
The only advantage of a write-protect tab I am able to see is that you prevent
the spread from one floppy to all your other floppies. As soon as you have to
write to one of your floppies, however, the virus will be copied with it.
I hope you understand what I'm saying: the virus will continue to spread, even
if you use a write-protect tab. This is so because, whatever you do, at some
point you will have to write to your floppy and remove the tab (unless you have
only static data on your floppies, in which case I wonder what you are doing
with your floppies anyway).
Presenting the write-protect tab as the ultimate solution gives a false
sense of security. You only slow down the process of spreading but do not
stop the spread.
> However, qualifying someone else's postings as "ridiculous" or
> the articles as "stupid conversation" is not likely to cause the
> targeted author(s) to stop writing or to change their mind. In
> fact, it's almost guaranteed to have the opposite effect.
True if I had only written these two lines without explanation. I explained it
and made it clear why. Unless you are able to point out something that is
incorrect in my posting, I think the argument stands and makes the
conversation indeed stupid.
> Mature persons do not reject contradiction; they handle it.
> Inability to face contradiction is a sign of immaturity.
Mature persons will react to the original contents and not lift out the
conclusions only.
> Fred Waller
> [email protected]
Henk.
--
/ / Henk de Groot | Department: PG 9000i - System Services
/---/ __ __ / V2/A12-A13 | Internet : [email protected]
/ / (-_ / / /( Tel: +31 55 432099 | == PHILIPS INFORMATION SYSTEMS ==
Disclaimer: I only speak for myself, not for my employer!
------------------------------
Date: 16 Oct 91 11:03:16 +0000
From: [email protected] (Henk de Groot)
Subject: Re: Hardware, hardware...
[email protected] (Y. Radai) writes:
> Henk De Groot writes:
>> If you claim that a virus can not go
>>resident on your system then that implies that your system is clean.
>>If your system is clean you can not infect a floppy, protected or not!
>I am not going to get involved in the hardware issue per se; I only
>wish to take exception to the above statement of yours. Haven't you
>heard of [several direct-action viruses]
You are right, the virus doesn't have to go TSR. The original article
however talked about a virus going TSR. The reaction was that this was
not possible because the system was not infected yet. I replied that
if you have a virus-free system you don't have to use a
write-protected floppy either, you will not infect the floppy if your
system is clean.
>phrases such as "rediculus" and "this stupid converstion" [sic].
Read the thread, understand what is said and you will either have
comments on my contribution (if I overlooked something) or conclude
that using a write-protect tab leads to nowhere.
Kind Regards,
Henk.
--
/ / Henk de Groot | Department: PG 9000i - System Services
/---/ __ __ / V2/A12-A13 | Internet : [email protected]
/ / (-_ / / /( Tel: +31 55 432099 | == PHILIPS INFORMATION SYSTEMS ==
Disclaimer: I only speak for myself, not for my employer!
------------------------------
Date: Wed, 16 Oct 91 09:37:00 -0500
From: Ken De Cruyenaere 204-474-8340 <[email protected]>
Subject: Anti-virus patent - that date sounds familiar
>"David.M.Chess" <[email protected]>
>
>I've just run across an interesting U.S. patent. It's number
>4,975,950, granted to Stephen A. Lentz, entitled "System and Method of
>Protecting Integrity of Computer Data and Software". The filing date
>is November 3, 1988.
^^^^^^^^^^^^^^^^
That is the day after RTM launched the infamous internet worm.
Coincidence ?
(I have just finished reading CYBERPUNK, so was able to confirm
the date in part 3 of the (interesting) book: RTM)
---------------------------------------------------------------------
Ken De Cruyenaere - Computer Security Coordinator - Computer Services
University of Manitoba - Winnipeg, Manitoba, Canada, R3T 2N2
Bitnet: [email protected] Voice:(204)474-8340 FAX:(204)275-5420
------------------------------
Date: Wed, 16 Oct 91 10:58:28 -0400
From: padgett%[email protected] (A. Padgett Peterson)
Subject: Computer "Anomalies" in books
While "Shockwave Rider", "When Harlie was 1", and "The Adolescence of P1"
were all works treating self-aware computers and worms, the earliest
reference I know of to computers (programs) taking over other computers
goes back to Heinlein's "The Moon is a Harsh Mistress" published in the
early sixties (from memory). "Adam Selene" was the nom de guerre used
by the program/computer/AI (never really described), but it did spread
through the local communications network.
Padgett
ps Just bought a marvelous program for making my laptop's VGA screen
MUCH easier to read - "Laptop Ultravision" from Personics
(508)897-1519 (plug).
------------------------------
Date: 16 Oct 91 13:00:57 -0400
From: "David.M.Chess" <[email protected]>
Subject: re: More hardware!
>From: [email protected] (Fred Waller)
> In fact, if we could just
>stop ONE virus, the old Stoned, we would have prevented the great
>majority of viral infections in the USA! But the Stoned continues
>on its merry way, and software antiviruses have not been able to
>stop its advance.
But hardware antiviruses haven't stopped its advance, either! That
is, there are both hardware and software solutions that can completely
protect any given machine against the Stoned. And they've both failed
(in the global sense) for the same reason: not enough people are using
them.
My suspicion (and, again, I'd love to be proven wrong in actual
practice) is that software hasn't done more than it has primarily
because it isn't widely enough installed, *not* primarily because it's
software rather than hardware...
DC
P.S. The 1813 (Jerusalem) is still up there near the Stoned;
I think we'd have to stop both of them before we could
claim to have the great majority! *8)
------------------------------
Date: Wed, 16 Oct 91 18:02:19 +0000
From: [email protected] (Kelvin Lee)
Subject: virus(15xx) (PC)
My floppy disk was infected by a virus called [15xx]. The disk only
contains a self-extracting exe file. I've already cleaned the disk;
however, now whenever I try to run the file, I get a message saying
out of memory. So, is there any utility that I can use to fix this
problem? Thank you for your help.
------------------------------
Date: 16 Oct 91 18:45:12 +0000
From: [email protected] ( )
Subject: Questions on Stoned virus (PC)
Could someone please answer a basic question about the Stoned virus...
Given an uninfected system and an infected floppy containing ONLY data
files, no executables, not a bootable disk...what actions by the user
can cause the PC to become infected? I know that trying to boot from
this infected disk can do it, but what about copying files, looking at
the directory, etc?
[email protected]
------------------------------
Date: Wed, 16 Oct 91 15:58:18 -0400
From: RICH BASILE <R3RB%[email protected]>
Subject: Need Protection (PC)
Would the powers that be please inform me how to get hold of the newest
versions of McAfee and F-PROT. Here at the University of Akron, we still
use McAfee 3.5V63, and we only have F-PROT 1.16.
RICHARD BASILE
UNIVERSITY OF AKRON
MICROCOMPUTER SYSTEMS SUPPORT
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 193]
******************************************