VIRUS-L Digest Monday, 4 Mar 1991 Volume 4 : Issue 34
Today's Topics:
Mutation of Stoned (PC)
non-scanning anti-virus techniques
AI in Anti-Viral products
Hardware Damage?
Re: Compucilina (PC)
Re: Viruses via radio
Re: Virus protection & universities (PC)
Re: How to disable boot up from A: (PC)
Latest McAfee anti-virals uploaded to SIMTEL20 (PC)
Mac Viruses vs. PC Viruses: Coding Comparison
viral signatures
PC-DACS (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to
[email protected] (that's equivalent to
VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing
anti-virus, documentation, and back-issue archives is distributed
periodically on the list. Administrative mail (comments, suggestions,
and so forth) should be sent to me at:
[email protected].
Ken van Wyk
---------------------------------------------------------------------------
Date: Thu, 28 Feb 91 11:05:11 -0500
From: Pat Ralston <[email protected]>
Subject: Mutation of Stoned (PC)
We have found a mutation of the Stoned or Stoned II virus. McAfee's
VIRUSCAN version 74B reports Stoned, but ONLY on FLOPPY disks.
Version 74B cannot find Stoned on the hard disk. However, when using
Norton Disk Editor we find the following message in the Partition
Table: "Your PC is now Stoned! LEGALISE". Please note that Legalise
is NOT spelled with a Z as in other versions and is in all uppercase
letters.
Any help will be appreciated. We have performed a low level format of
the hard drive but we have retained copies of the virus on floppy
disks. The virus was found by one of our alert student consultants in
our open computers clusters. Due to the nature of our clusters this
virus may have spread quickly through the university. We are in hopes
that we have contained it, however.
PAT RALSTON BITNET: IPBR400@INDYCMS
IUPUI (Indiana University - Purdue University at Indianapolis)
------------------------------
Date: Thu, 28 Feb 91 12:40:56 -1100
From: "Luis Bernardo Chicaiza S." <[email protected]>
Subject: non-scanning anti-virus techniques
Fridrik says:
> Detection and Prevention are two different things.
OF COURSE!!!!!!!!!
Preventing a virus from damaging any file is virtually impossible, but
preventing a virus (installed in memory) from infecting other programs
is feasible. If we add code to a program, this code MIGHT detect the
virus in order to prevent the infection, but this detection can be made
without scanning for a portion of known viruses. COMPUCILINA(C) is a
commercial program and the technique it uses is an industrial secret;
I can only say: "COMPUCILINA does not scan for a particular virus", and
therefore offers protection against current and future viruses.
I believe that the solution to the virus problem is not to update the
old anti-virus programs, but to create new methods against viruses.
I await your questions and comments.
Thanks in advance
Luis Bernardo Chicaiza S.
Luis Bernardo Chicaiza Sandoval
Universidad de los Andes, Bogota, Colombia
e-mail: <[email protected]>
------------------------------
Date: 28 Feb 91 12:18:31 -0500
From: Bob Bosen <[email protected]>
Subject: AI in Anti-Viral products
What exactly is AI anyway? I've heard this buzzword used and abused
for years and I avoid it because I think almost everybody interprets
it differently.
SafeWord VIRUS-Safe "learns" a little bit as it is used. I doubt if
this is what you are referring to as true "AI", but it is pretty smart
and it helps to simplify the lives of your users. Basically, it
maintains a list of programs whose integrity it has already
authenticated, along with the rules the user (or his supervisor) has
established regarding when, how, and how often to re-check the
integrity of each file. Whenever a user attempts to execute a program
whose name is not on this list, SafeWord VIRUS-Safe automatically
opens a dialog window and informs the user that it has not yet
"learned" how to authenticate this program. The user is asked if (s)he
would like to define a set of simple rules for authentication of the
program now and in the future. Any rules the user provides during the
ensuing short dialog are retained and enforced from then on.
Is that AI? Not by my definition. But it's probably more or less along
the lines you want to achieve... Certainly it works. In SafeWord
VIRUS-Safe, we call it "LEARN mode".
-Bob Bosen-
Enigma Logic Inc (Creators of SafeWord VIRUS-Safe [Now Shareware])
2151 Salvio Street #301
Concord, CA 94520
USA
Tel: (415) 827-5707
FAX: (415) 827-2593
Internet: [email protected]
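As an added illustration of the "LEARN mode" described above (example code written for this digest, not Enigma Logic's code, and not a description of SafeWord VIRUS-Safe's internals), here is a small keyed-hash integrity list with per-program re-check rules: an unknown program triggers the dialog, the rule the user gives is stored, and later runs are verified or skipped according to that rule. The class name LearnModeChecker, the "always"/seconds rule format and the sample files are assumptions of the example:

```python
import hashlib
import hmac
import os
import tempfile
import time


class LearnModeChecker:
    """Hypothetical integrity list with learn mode (not the product's real design).
    Each record holds a keyed hash of the program and the user's re-check rule:
    "always" (verify on every run) or an integer (seconds between verifications)."""

    def __init__(self, key: bytes):
        # The key is what makes the hash an authentication, not just a checksum:
        # a program that modifies itself cannot recompute a matching record.
        self.key = key
        self.db = {}  # path -> {"mac": hex digest, "rule": ..., "last_checked": ts}

    def _mac(self, path):
        h = hmac.new(self.key, digestmod=hashlib.sha256)
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()

    def check(self, path, ask_user, now=None):
        """Return 'learned', 'ok', 'skipped', 'refused' or 'MISMATCH'.
        ask_user(path) plays the dialog window: it returns a rule, or None."""
        now = time.time() if now is None else now
        rec = self.db.get(path)
        if rec is None:                      # never seen: enter learn mode
            rule = ask_user(path)
            if rule is None:
                return "refused"
            self.db[path] = {"mac": self._mac(path), "rule": rule, "last_checked": now}
            return "learned"
        rule = rec["rule"]
        if rule != "always" and now - rec["last_checked"] < rule:
            return "skipped"                 # rule says not due for a re-check yet
        if self._mac(path) != rec["mac"]:
            return "MISMATCH"                # program changed since it was learned
        rec["last_checked"] = now
        return "ok"


def learn_mode_demo():
    """Constructed programs in a temp directory; times are fixed so the run is repeatable."""
    chk = LearnModeChecker(b"constructed-demo-key")  # real key would live outside user reach
    tmp = tempfile.mkdtemp()
    prog = os.path.join(tmp, "EDITOR.EXE")
    tool = os.path.join(tmp, "TOOL.EXE")
    with open(prog, "wb") as f:
        f.write(b"MZ constructed program image")
    with open(tool, "wb") as f:
        f.write(b"MZ another constructed image")
    rules = {prog: "always", tool: 3600}     # what "the user" answers in the dialog
    ask = lambda p: rules[p]
    t0 = 1_000_000.0
    results = [chk.check(prog, ask, now=t0),          # learned
               chk.check(prog, ask, now=t0 + 1)]      # ok
    with open(prog, "ab") as f:
        f.write(b" tampered")                         # simulate a modified program
    results.append(chk.check(prog, ask, now=t0 + 2))  # MISMATCH
    results.append(chk.check(tool, ask, now=t0))      # learned
    results.append(chk.check(tool, ask, now=t0 + 10))   # skipped (within 3600 s)
    results.append(chk.check(tool, ask, now=t0 + 4000)) # ok (re-check due)
    return results


if __name__ == "__main__":
    print(learn_mode_demo())
```

The "skipped" outcome is the trade-off the post alludes to: a lenient rule keeps users happy but leaves a window in which a changed program runs unverified.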
------------------------------
Date: 28 Feb 91 12:18:23 -0500
From: Bob Bosen <[email protected]>
Subject: Hardware Damage?
>Is it possible for a virus, etc to cripple physical hardware
>components?
Yes. I have first-hand experience with this, unfortunately. My
experience goes back to about 1985, when I had the misfortune to buy
one of the very first Compaq portables. These had an INEXCUSABLY weak
power supply. (Every time I think back on the experience I start to
get mad.) The power supply on even a bare-bones 128K Compaq was so
marginal that it would blow a fuse if the video controller spent more
than a few seconds issuing improper sync to the CRT. This happened to
me more than once as errant programs (mine and other programmers')
diddled with the registers on the CRT controller card. I got to the
point where I could recognize the pattern. First, the CRT would go
nuts, kind of like your home TV when the "horizontal sync" knob is out
of whack. My sensitive ears would pick up a high-pitched whine that
other workers in my office couldn't hear. If I was REALLY REALLY fast
I could switch off the power fast enough to save my power supply. But
if I took more than about 3 seconds, WHAMMO! Instant tombstone. After
3 separate trips to Compaq-authorized service facilities, at about
$300.00 a pop, (of course, this never happened during the warranty
period, only immediately thereafter) I wised up and spied on the
service technicians. They were just replacing a fuse that was SOLDERED
onto the PC board. It was a big pain to disassemble that beast and
find the fuse, but I never paid $300.00 again. After that I changed
the fuse myself. About a year later, Compaq came out with a more
reasonably designed power supply and I never suffered with this again
(another $300.00 down the drain, though.)
I conclude from this sorry chain of events that it definitely IS
possible for malicious software to exploit weaknesses and quirks of
hardware to cause damage, but I am also convinced that hardware that
is properly designed should not suffer from these attacks. I believe
there are probably a lot of computers out there with poorly designed
hardware or with designs that take advantage of the public's desire to
buy the cheapest stuff they can get. Lots of these systems could
probably be damaged by malicious software, but I doubt if there is any
single trick a bad guy can do in software that can be COUNTED on to
damage the general population of PCs. I know of no flaw in the
hardware that is widespread enough to be exploited in a general way.
But a specific kind of PC or board or peripheral could be
"targeted".....
-Bob Bosen-
Enigma Logic Inc.
2151 Salvio Street #301
Concord, CA 94520
USA
Tel: (415) 827-5707
FAX: (415) 827-2593
Internet: [email protected]
------------------------------
Date: Thu, 28 Feb 91 16:52:55 +0300
From: [email protected] (Eldar A. Musaev)
Subject: Re: Compucilina (PC)
Adding to the note of Fridrik Skulason (v.4 i.31): this 'compucilina'
will not prevent infection whether you boot from floppy or hard
disk. Most of the resident viruses infect a victim before execution, at
int 21/4B, as a simple file which can be modified (read: infected), and
only after that would the victim (and compucilina) get control and
find many problems. I believe that compucilina could restore the
victim in some cases, but not in ALL cases. E.g. the virus can be so
poorly written that it simply spoils the file sometimes instead of
infecting it.
And how does compucilina fight spawning (in the terms of Patricia
Hoffman) viruses? These viruses do not modify the EXE file, but
make a COM twin of the file with viral code. If you execute such an
infected program, MS-DOS loads the COM file. It does the viral work and
after that loads and executes the host program, which cannot determine
any traces of the virus in itself.
In the end, such a trick is well known. I know at least 3 analogs of
compucilina in the SU, with the first one dated at least 1989.
Sorry, but I'm tired of commercial advertisements here in the SU; maybe
let us have a little rest?
Eldar A. Musaev, Ph.D., Researcher,
[email protected]
Mathematical Institute of Academy of Sciences, Leningrad, USSR
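The spawning (companion) virus trick described above leaves a visible footprint: a NAME.COM sitting beside NAME.EXE, and, since the virus writes the same body next to every EXE it finds, many byte-identical COM files. As an added example that is not part of the original post, this Python script lists such pairs in a directory and counts identical companions so a reviewer can tell a one-off legitimate pairing from a cloned body. The directory, file names and contents it creates are constructed for the demo:

```python
import hashlib
import os
import tempfile


def find_companion_pairs(directory):
    """Return sorted (com_path, exe_path) pairs: a .COM sharing its base name with a
    .EXE in the same directory. DOS runs NAME.COM before NAME.EXE, which is exactly
    the footprint a spawning virus leaves. Legitimate pairs exist too, so this is a
    review list, not a verdict."""
    by_base = {}
    for entry in os.listdir(directory):
        base, ext = os.path.splitext(entry)
        by_base.setdefault(base.upper(), {})[ext.upper()] = os.path.join(directory, entry)
    return sorted((exts[".COM"], exts[".EXE"]) for exts in by_base.values()
                  if ".COM" in exts and ".EXE" in exts)


def companion_report(directory):
    """For each pair, report (base name, clones): how many companion .COM files in the
    directory have byte-identical content. clones > 1 is the stronger signal, because
    a spawning virus drops the same body beside every EXE."""
    pairs = find_companion_pairs(directory)
    digest_of = {}
    for com, _exe in pairs:
        with open(com, "rb") as f:
            digest_of[com] = hashlib.sha256(f.read()).hexdigest()
    counts = {}
    for d in digest_of.values():
        counts[d] = counts.get(d, 0) + 1
    return [(os.path.splitext(os.path.basename(exe))[0], counts[digest_of[com]])
            for com, exe in pairs]


def companion_demo():
    """Constructed directory: two EXEs with identical small COM twins, one EXE with a
    distinct (legitimate-looking) COM, and two unpaired files."""
    d = tempfile.mkdtemp()
    files = {
        "WP.EXE": b"MZ constructed word processor",
        "WP.COM": b"constructed companion body",      # identical to DB.COM
        "DB.EXE": b"MZ constructed database",
        "DB.COM": b"constructed companion body",
        "SETUP.EXE": b"MZ constructed setup",
        "SETUP.COM": b"constructed setup stub (different content)",
        "EDIT.EXE": b"MZ unpaired",
        "FORMAT.COM": b"unpaired",
    }
    for name, body in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(body)
    return companion_report(d)


if __name__ == "__main__":
    for base, clones in companion_demo():
        print(f"{base}.COM shadows {base}.EXE  (identical companions: {clones})")
```

Because the host EXE is untouched, a checksum of the EXE alone never changes; the check has to look at what else is on the search path, which is what this listing does.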
------------------------------
Date: Thu, 28 Feb 91 16:50:29 +0300
From: [email protected] (Eldar A. Musaev)
Subject: Re: Viruses via radio
>US government ... for studies on methods of infecting enemy
>military computers with viruses.
I think that is a canard.
If the Soviet military computers are meant then, though I am not
familiar with them, I think that the US government could try to infect a
heap of scrap metal as well, via radio or not. Anyway, some
time is needed to have an object to infect... In Asia (except the Far
East), Africa & L.America the situation is hardly better. So what
computers do they want to infect? Japanese and NATO?
Besides that, the only way to infect a computer via radio is to use radio
to send a program. Except that you should send a virus as a legal
transmitter of the programs, i.e. you have the same problems as in the
case of simple illegal entry to the network. So "radio"
here is only the magic word to attract public attention.
Eldar A. Musaev, Ph.D., Researcher,
[email protected]
Mathematical Institute of Academy of Sciences, Leningrad, USSR
------------------------------
Date: Thu, 28 Feb 91 16:51:58 +0300
From: [email protected] (Eldar A. Musaev)
Subject: Re: Virus protection & universities (PC)
Leningrad University (at least the Mathematical & Mechanical Department)
has created two or three antiviral systems of its own and feels
quite comfortable. Moscow University (as reported by Moscow
researchers) is permanently under attack by VIRUSES of their own,
but they are very low-qualified ("students' viruses") and so don't
spread widely. Anyway, I could not find any traces of them in
Leningrad.
Eldar A. Musaev, Ph.D., Researcher,
[email protected]
Mathematical Institute of Academy of Sciences, Leningrad, USSR
------------------------------
Date: Thu, 28 Feb 91 16:50:59 +0300
From: [email protected] (Eldar A. Musaev)
Subject: Re: How to disable boot up from A: (PC)
>University of Houston can disable boot up from drive A:
That is very simple if you have only one floppy. Open your computer
and set the DIP switches and cable connections to make A: into B:. After
that, insert in AUTOEXEC.BAT a program which redirects all requests
from A: to B: to avoid problems with addressing. If you have more
than one floppy, make them E:, F:, etc. if you have additional
floppy interfaces.
Eldar A. Musaev, Ph.D., Researcher,
[email protected]
Mathematical Institute of Academy of Sciences, Leningrad, USSR
------------------------------
Date: Sat, 02 Mar 91 18:17:00 -0700
From: Keith Petersen <[email protected]>
Subject: Latest McAfee anti-virals uploaded to SIMTEL20 (PC)
I have uploaded to SIMTEL20:
pd1:<msdos.trojan-pro>
CLEAN75.ZIP Universal virus disinfector, heals/removes
NETSCN75.ZIP Network compatible - scan for 223 viruses, v75
SCANV75.ZIP VirusScan, scans disk files for 222 viruses
VSHLD75.ZIP Resident virus infection prevention program
These files were obtained directly from the McAfee BBS.
Keith
--
Keith Petersen
Maintainer of SIMTEL20's MSDOS, MISC & CP/M archives [IP address 26.2.0.74]
Internet: [email protected] or [email protected]
Uucp: uunet!wsmr-simtel20.army.mil!w8sdz BITNET: w8sdz@OAKLAND
------------------------------
Date: Sun, 03 Mar 91 16:12:00 -0600
From: Bureau de Guerra <[email protected]>
Subject: Mac Viruses vs. PC Viruses: Coding Comparison
>> Observation 2: Mac viruses are not easier to write than PC viruses for
>> [...various reasons deleted...]
>> that infect each platform. When I last checked (and this was awhile
>> ago), there were some 5 different Mac viruses, with no more than five
>> variations on a particular strain: total of about a dozen Mac viruses.
>> At the time, the number of PC viruses numbered 23 distinct strains and
>> over a 100 total viruses. Alot of has to do with the number of
>> vandals writing viruses for the Mac vs. DOS, but it also has to do the
>> relative ease with which viruses can be written for DOS vs. the Mac.
>There are possibly more practical reasons as to why there are more pc viruses
>than mac viruses: There are MORE pcs than macs, not just more "vandals
>writing", tho the two quantities are clearly related. I saw a blurb a while
>back in PC Week saying there were around 45 million pcs in the US (apparently
>not counting Europe and elsewhere). Unfortunately, there was not a
>corresponding figure for macs.
The Macintosh makes up about ten percent of the domestic pc market
(higher in some overseas locations), so say four to five million.
Let's consider: 23 pc viruses/45M pcs
5 mac viruses/4.5M macs
There seems to be (to significant numbers) about the same ratio.
Are mac viruses easier to write? No (but see below). Discussion follows:
PC's are easier:
PC viruses primarily attack the partition tables and boot sectors of a
disk. Because a significant part of the OS resides in firmware on the
macintosh, "boot sectors" do not have the same functionality on the
mac as on the pc. PC viruses that infect EXE and COM files similarly
rely on the architecture of how a program is loaded and executed; the
mac process is sufficiently different that the "append" method of
virus attack will not work.
Macs are easier:
PC viruses trap interrupts, perform their task and then (hopefully)
call the original interrupt. Thus pc viruses can only activate on
BIOS calls. The mac takes advantage of the 68000's capacity to
emulate instructions: a call to a macintosh toolbox or OS is actually
a machine instruction that the 68000 can't understand; it sends this
to a dispatcher that routes the call to the proper routine. The
dispatcher relies on a jump table. Thus every toolbox and OS routine
on the mac (the newer macs use 512K ROMS if that gives you some idea
of # of routines) can be trapped and redirected: Apple and third party
developers (including virus writers I'm sure) take advantage of this
to expand and customize the mac.
Macs also isolate their code into "resources." The code to display a
window for example is stored in a WDEF resource, to handle a special
kind of menu in MDEF, etc. One can replace the WDEF in a program with
another, and the application should still run. I used this to write a
WDEF that draws a smiley face on the screen when it's closed. By
replacing the default WDEF in the system, every program I run now
displays a smiley face when a window is closed. One common virus
actually masquerades as a window code, replacing the default window
code in the system. Because the whole macintosh OS revolves around
resources, the functions for loading, copying and modifying resources
in files is part of the os and used frequently by most programs.
Finally, since the macintosh ships with a multitasking operating
system that does not have independent segments, a virus running in an
application in one segment can infect an application in a second
segment.
Which Platform is Easier? Criteria:
1) Ease of infecting new disks
2) Ease of infecting applications/operating system
3) Difficulty in detection/prevention
4) Size of virus to be effective
5) Degree of technical proficiency to program
1. PCs can be infected easily through boot sector/partition table; macs
do not have this problem.
2. Because of the resource nature of macs, infecting new applications
can be as easy as moving a resource into the application's resource
fork (one OS call) eg nVIR, WDEF
3. Because of (2), memory resident virus detection schemes on the
macintosh are easily implemented. Also, because of the macs control over
floppy insertion/ejection, disks can be forced to be scanned upon
insertion. This same functionality does not exist on the pc. Also,
because of (2), scanning a mac disk for an infection is also easier.
PC virus detection is straightforward, but virus prevention is much
less sophisticated.
4. A PC virus is typically only a few dozen bytes long. A macintosh virus
can be several thousand bytes easily (the WDEF virus, for example,
needed to duplicate the full functionality of the default WDEF
to be transmitted undetected for as long as possible; coding a WDEF
is not a project to be undertaken lightly.)
5. Due to the size, complexity of duplicated features, and requirements for
properly handling memory management, etc, mac viruses are by nature
more complex, and hence more difficult to code. Also, judging from the
fact that 400 versions of 23 PC viruses exist, where only a handful of
strains of the mac viruses exist, modification [and hence evasion of
detection] of pc viruses is easier.
Because of 1,3,4, & 5 vs. 2, I conclude that programming a mac virus
is more difficult than programming a pc virus.
Jonathan E. Oberg
[email protected]
------------------------------
Date: Sun, 03 Mar 91 18:26:36 -0600
From: BJ Watts <[email protected]>
Subject: viral signatures
Hello!
I am currently trying to write a virus scanning program for a
project and would appreciate any help in finding virus signatures in
hex. I have a couple of virus sigs and would be willing to help
anyone else with these. Please contact me if you have any at
BB1CS250@UA1VM. Thanks!
BJ Watts
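Two posts in this issue touch on signature scanning: the request above for hex signatures, and Pat Ralston's report earlier in the digest that a scanner found a Stoned variant on floppies but not on the hard disk, where the text read LEGALISE instead of LEGALIZE. As an added example (not code from any poster or product), here is a minimal scanner that compiles hex signatures with ?? wildcards into byte regexes, tolerates the spelling variant in the text marker, and checks sector 0 of both a floppy image (boot sector) and a hard disk image (partition-table sector). The hex pattern and both sector images are constructed for the demo and are not real virus signatures or real infected sectors:

```python
import re

SECTOR = 512


def hex_sig_to_regex(sig):
    """Turn a hex signature such as "B8 ?? 00 CD 13" into a compiled bytes regex;
    "??" is a one-byte wildcard. Each fixed byte is emitted as a \\xhh escape so
    no byte value needs regex quoting."""
    parts = [b"." if tok == "??" else b"\\x%02x" % int(tok, 16) for tok in sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)


# Constructed signatures for the demo. The hex pattern is NOT a real virus signature.
# The text marker accepts the spelling variants quoted on the list (LEGALISE / LEGALIZE),
# either case, and up to 8 bytes (bell, CR, LF, spaces...) between the two phrases.
SIGNATURES = {
    "constructed hex pattern": hex_sig_to_regex("B8 ?? 00 CD 13 EA"),
    "Stoned text marker": re.compile(rb"Your PC is now Stoned!.{0,8}LEGALI[SZ]E",
                                     re.DOTALL | re.IGNORECASE),
}


def scan_sector(sector, sigs=SIGNATURES):
    """Names of all signatures found anywhere in one sector."""
    return [name for name, pat in sigs.items() if pat.search(sector)]


def scan_image(image, sigs=SIGNATURES):
    """Boot-sector viruses live in sector 0: the boot sector of a floppy image or the
    MBR/partition-table sector of a hard disk image. Scan that sector of either kind,
    so the hard disk is not skipped."""
    return scan_sector(image[:SECTOR], sigs)


def scan_demo():
    # Constructed images, not real infected sectors.
    floppy = (b"\xeb\x3c\x90" + bytes(100) +
              b"Your PC is now Stoned!\x07\r\nLEGALIZE").ljust(SECTOR, b"\x00")
    hard = (b"\x33\xc0\x8e\xd0" + b"\xb8\x01\x00\xcd\x13\xea" + bytes(80) +
            b"Your PC is now Stoned! LEGALISE").ljust(SECTOR, b"\x00")
    naive = lambda img: b"LEGALIZE" in img[:SECTOR]   # exact-spelling check for comparison
    return {
        "floppy": {"naive": naive(floppy), "sigs": scan_image(floppy)},
        "hard":   {"naive": naive(hard),   "sigs": scan_image(hard)},
    }


if __name__ == "__main__":
    for kind, result in scan_demo().items():
        print(kind, result)
```

The naive exact-string check finds the floppy and misses the hard disk, which is the symptom Pat Ralston reported; the wildcard/variant-tolerant signature catches both, and only because the hard disk's sector 0 is scanned at all.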
------------------------------
Date: 28 Feb 91 13:51:57 -0500
From: Bob Bosen <[email protected]>
Subject: PC-DACS (PC)
From Volume 4 Issue 28:
>Ed. I saw one product which seems (IMHO) to come close to this-
>PC/DACS by Pyramid (note: I have no affiliation with them...)
>It provides boot protection, optional hard disk encryption
>(required to prevent absolute sector access), username/password
>protection, file access control, etc. Anyone with experience
>with this, or similar, systems care to comment?
Yes. I know from direct, first-hand experience with PC/DACS that the
"boot protection" is so easy to defeat as to provide only the illusion
of protection. While it might prove an impediment to some viruses, the
two different versions I tested during 1988 and again in 1990 yielded
easily to attacks using only readily-available software tools brought
in on a bootable diskette. As I write this I don't have the specific
version or release numbers of PC/DACS that we broke on these
occasions, but we DID verify that the company promotional literature
being published at the time was contrary to our findings.
With regard to impeding viruses by these techniques, there is an
interesting twist that has not, up to now, been brought to light in
what I've read. Note that PC security programs that attempt boot
protection (Including SafeWord PC-Safe II from my company) generally
try to be "transparent" to non-offending application programs. They
relocate the partition table or boot sector logic and they intercept
requests to access these disk areas and re-vector them to the
relocated copies of the original. Thus a utility program (or a virus)
that tries to access the partition table is transparently vectored to
the re-located copy, and unless sophisticated special steps are taken,
it can't tell the difference. A virus could then infect the relocated
area without even being aware of the existence of the security
package. Security based on software techniques of this type is voodoo
security and should not be trusted. (I say this even though I offer a
package with these "features" myself.) Without hardware modification,
only ENCRYPTION can provide any kind of real security. I make and
stand by the same statement with regard to file access control,
username/password protection, etc. Unless based on sophisticated
hardware modification or encryption, it's all based on a foundation of
sand and cannot stand up to the efforts of even routine users armed
with readily-available utilities.
As to encryption, the "user transparency" twist applies here too. Long
experience in the marketplace has clearly shown that if encryption is
not user transparent, users won't use it. So PC/DACS, SafeWord
PC-Safe, and the other leading PC security products all assert
encryption transparently. That's great from the standpoint of file
confidentiality. Files are automatically encrypted as authorized users
write them, and they are automatically decrypted as authorized users
read them. Unfortunately from the standpoint of viral contamination,
the encryption process is also transparent to a virus acting inside a
program run on behalf of an authorized user. Thus viral spread is
generally unimpeded in such systems, regardless of what the PC
security vendors would have you believe!
I fail to see the relationship between encryption and absolute sector
access to which you allude. Just because sectors or files on a disk
are encrypted, how am I prevented from issuing commands to the disk
controller? And if the encryption is transparent, any software
(malicious or not) should be unaware of the encryption if it is
operating on behalf of an authorized user.
I am not trying to trash the notion of PC security packages. Indeed, I
design, produce, and market such packages. I just want to set the
record straight. A lot of DIS-information has been spread around. None
of these PC security packages are magic. All can help in some areas,
and those few that are strong enough to enforce true security are
based on ENCRYPTION or HARDWARE or BOTH. On top of that encryption or
hardware foundation, it is possible to assert useful file access
rights or viral detection and removal, but beware of the claims of ALL
the vendors. Also, be VERY VERY suspicious about the strengths of any
encryption algorithms used. I could tell some amazing horror stories
here.... But 'nuff said.
-Bob Bosen-
Enigma Logic Inc.
2151 Salvio Street #301
Concord, CA 94520
Tel: (415) 827-5707
FAX: (415) 827-2593
Internet: [email protected]
------------------------------
End of VIRUS-L Digest [Volume 4 Issue 34]
*****************************************