VIRUS-L Digest   Wednesday, 23 May 1990    Volume 3 : Issue 101

Today's Topics:

BBS Myths
Re: "The Cuckoo's Egg"
re: signature programs
1813 virus sighting (PC)
Garfield/MDEF Ramblings (Mac)
Re: LISTSERV files and security?
Re: New MDEF virus (Mac)
Disinfectant 1.8 available in UK (Mac)
Morris and Hess
Re: virii vs. viruses

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed. Contributions should be relevant, concise,
polite, etc. Please sign submissions with your real name. Send
contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to
LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus,
documentation, and back-issue archives is distributed periodically on
the list. Administrative mail (comments, suggestions, and so forth)
should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date:    Tue, 22 May 90 10:16:58 -0400
From:    wack@csmes.ncsl.nist.gov (John Wack)
Subject: BBS Myths

In response to Okay, S J's comment on distributing s/w via some form of
network, Woody Baker writes:

>BBSs are one of the primary vectors for viruses. Joe Bugger leaves an
>infected file on a BBS. Ike Innocent downloads it, and gives a copy
>to someone. Then he runs it, and BINGO...infection city. A much more
>logical method would be to have a trusted set of master disks and use
>a high-speed duplicator to duplicate the disks. Then use a serializer
>to serial number the disks.

In a document I wrote I implied the same thing about BBSs, so I feel I
ought to speak up here and state my opinion that this is no longer true,
if it ever was. I use many BBSs that now make a point of telling users
that all software has been scanned with an up-to-date tool.
I personally feel that the home user interested in virus protection
ought to get a modem and investigate BBSs, albeit with careful
attention, as there are many well-run systems that do a real service
with regard to spreading virus-prevention information and tools.
Unfortunately, a bad attitude towards BBSs persists, thus an effective
and low-cost method of distributing useful information doesn't get
taken as seriously as it should.

- - John Wack, NIST, wack@enh.nist.gov

------------------------------

Date:    22 May 90 14:13:41 +0000
From:    fasteddy@amarna.gsfc.nasa.gov (John 'Fast-Eddie' McMahon)
Subject: Re: "The Cuckoo's Egg"

forags%nature.Berkeley.EDU@ucbvax.Berkeley.EDU writes...

:popular article. One of the hackers ultimately committed suicide.

Unfortunately, my copy of Cuckoo's Egg is at home so I am trying to
recall this off the top of my head. One of the hackers involved,
specifically the one who dealt directly with the Eastern Bloc, was
found dead soon after the arrests. I believe there is some question as
to whether it was murder or suicide. From the way Cliff describes the
incident, it sounded like murder.

Cliff is a very informative and entertaining speaker with a very unique
style of presenting information. If you have the opportunity to see him
(or invite him to your facility) I think you will find it worth the
time.

- ------------------------------------------------------------------------------
John "Fast Eddie" McMahon                      FASTEDDY@DFTNIC.GSFC.NASA.GOV
Code 930.4 - Advanced Data Flow Technology Office      SDCDCL::FASTEDDY (SPAN)
NASA Goddard Space Flight Center in Greenbelt, MD              (301) 286-2045
- ------------------------------------------------------------------------------
Disclaimer: These are my views. Although I am a NASA contractor, I do
not speak for NASA or ST Systems Corporation.

Va guvf tybony ivyyntr xabja nf gur argjbex, jr ner nyy cevfbaref...
Or frrvat lbh...
------------------------------

Date:    Tue, 22 May 90 10:38:00 -0400
From:    padgett%tccslr.dnet@UVS1.orl.mmc.com
Subject: re: signature programs

Response to Ross Greenberg posting in VIRUS-L Vol. 3 Issue 74

Unfortunately, I have not yet perfected Internet access so apologize
for being late to respond to Mr. Greenberg's comments from 11 April.
It does seem as if he has chosen to interpret my posting and respond to
this interpretation rather than what was actually said.

I must state first that my task is to protect our systems from ANY
attack, not just the amateurs who write (badly) most viruses. One of
our contracts involves the FAA Air Traffic Control system and readers
would most likely agree that authentication of that traffic and its
programs demands somewhat increased authentication.

>Sorry: although it would be easy to ascertain via disassembly the
>particular method I use in my code for generating a signature, I would
>hope that the bad guys are as easily fooled by someone using the word
>"Checksum" or "CRC" as you were.

I never stated that this was what Mr. Greenberg used, rather that
inside an authenticated platform such measures would be adequate. The
word used to refer to Mr. Greenberg's products was "algorithm". I
cannot limit concern to easily fooled "bad guys".

>I may include such a random seed in the future, but it seems pretty
>easy to be able to determine that seed and therefore why bother?

Not if the seed is input by the installer during installation, is
unique for each machine, and is not used outside of that machine
(earlier I stated that a more rigorous method would be used for
transmissions between machines). Such a seed would only be "easy to
determine" if the penetrator had access to that machine and even then
the seed would only work on that one machine.

>Better still would be to use two differing algorithms that
>combine into one unique signature.
That's what I said: Machine unique seed and one-of-nine algorithm
selection not determined by the seed.

>Fascinating number, that 90%. No justification for it from what I can
>see. And your statement on the Boot Sector's first byte being the
>important one to check is totally wrong. If you could send me the
>background on that number, I'd appreciate it. I believe none of the
>numbers I see bandied about regarding viruses. Too easy to slip a
>decimal point or two, or to extrapolate from a limited subset.

Fair enough. I have only a limited sample to draw from: 20,000 machines
in five states and the District of Columbia. Though my collection is
somewhat greater, we have only seen MS-DOS attacks by the Pakistani
Brain, Yale - Alameda - Merritt, Jerusalem, Disk Killer, Stoned, and
some variants. EVERY ONE of these is detectable by the methods
mentioned PROVIDED they are performed in the order stated. My personal
belief (open to correction) is that these constitute the bulk of the
viruses for this platform currently active in America and that the 90%
figure is low. The future will be different but my reference was to
March, 1990. Certainly I am sick of seeing the Jerusalem in particular.

P.S. Since writing this, I see that David Chess states that the
Bouncing-Ball and 1701/4 are now among the front-runners. The method
mentioned will pick up the 1701/4 but I have not tried (or seen except
as simulation) the Ping-Pong.

Padgett Peterson - 10 minutes from DisneyWorld

------------------------------

Date:    Tue, 22 May 90 12:01:49 -0600
From:    wittke@UWYO.BITNET (Anne B Wittke)
Subject: 1813 virus sighting (PC)

We had a small epidemic of the 1813 virus on our lab PCs, which has
since been eradicated (we hope). Symptoms were the appearance of black
squares on the screen, and deletion of executable files was reported on
one PC. Either that one was farther along, or there was a second virus
which was not detected by the IBM virus scanning program.
There was also an incidence of the Stoned virus in another department,
but it didn't do anything that I know of.

Where can I get a list of viruses and their symptoms, and is there a
virus-checker for PCs available (for free?) from the Internet?

Anne Wittke
University of Wyoming
Computer Science Dept.
P.O. Box 3682
Laramie, WY 82071
wittke@corral.uwyo.edu
wittke@uwyo.bitnet

- ---- All thoughts expressed are my own ---

------------------------------

Date:    Tue, 22 May 90 15:29:36 -0600
From:    "McMahon,Brian D"
Subject: Garfield/MDEF Ramblings (Mac)

Here are a few thoughts and some wild speculation inspired by the
reports of the new Garfield/MDEF beastie...

HYPOTHESIS: This critter was in some way or another inspired by WDEF.

SUPPORTING ARGUMENT: In the pre-WDEF world, Mac viruses mostly followed
the standard pattern of zarking around with the "classical" executable
code-bearing resources, i.e. INIT and CODE resources, to do their dirty
work. Of course, they could also carry along code in additional
resources, as nVir, but relied on INITs and/or CODEs for the initial
hook. WDEF was a dramatic demonstration of the ability of certain other
resources to carry executable code. I know it's quite POSSIBLE for a
programmer to independently come up with the idea of using an MDEF for
nefarious purposes; it seems to me that it's more PROBABLE that someone
said, "hey that WDEF thing's neat, I wonder if I can do the same with
an MDEF?"

(Note that Garfield's use of an MDEF does *not* bring the same sort of
advantage that WDEF's novel propagation method did, namely defeating
Vaccine and GateKeeper. I can't think of ANY significant advantage,
other than maybe evading some simple detection schemes based on
checking CODE resources only. I think Garfield was perpetrated for pure
"hack value," and before WDEF most virus-writing types apparently
didn't THINK of using other resources.)
CONCLUSION: If the above hypothesis is granted (my new Nomex-lined
mailbox should be here any day now :-)), then we know that Garfield's
development time plus any latency period plus the time it spread
undetected is no greater than 5 months. (First WDEF reports in December
'89, Garfield identified May '90.) Interesting, and possibly even
useful. :-)

With the timely notification and the rapid development of
counter-measures, the next few weeks should tell us how widespread this
thing already is. (Thanks to the Cornell folks, John Norstad, et al.
for great response!) If it turns out that few sites besides Cornell are
affected, it might even be possible to contain this thing. (Not likely,
IMHO.) It could be interesting to follow the spread, though. (There he
goes again...)

SUGGESTION: Thinking back to the deluge of WDEF reports a few months
ago, I wonder if we could coordinate reporting of Garfield a bit
better? For instance, I could offer to collect sightings and summarize
to the list every so often. What do you all think? Would this be a
useful thing to do, or a waste of time and disk space?

OTHER HYPOTHESIS: Remember my ravings back in Virus-L 3/36 about WDEF's
spread, college vacation schedules, and such? I suggested that the
flurry of WDEF reports in Jan-Feb of this year was connected to the
start of a new semester. (I think it was Dave Platt who sent me a
brief, insightful note on this. Wish I could find it now, I must have
put it in a "Safe Place.") Anyway, guess what just happened all over
the country. I presume Cornell is or will soon be on summer break?
Students from all over the country gone home, taking infected floppies
with them? If Garfield follows the WDEF pattern, we might see a few
instances in the next few months, followed by a sharp increase in
reports during Aug-Sept as the academic vectors return to classes.

Then again, the pattern may be different here. Unlike WDEF, Garfield
*is* inhibited by already-existing, widely available countermeasures.
As a result, it might not run out of control quite as rapidly.

Speaking of running out of control, this posting is getting to be
rather long, so I'll shut up now. Comments and criticism are welcome.

DISCLAIMER: The usual. :-)

Brian McMahon                      | VAX Kludgemeister, Macintosh Medic,
Grinnell College Computer Services | Human Help Key, various and sundry
Grinnell, Iowa 50112               | stats packages. Please allow two
(515) 269-4901                     | to four weeks for miracles.
(No, *NOT* Idaho! Not Ohio, either!)

------------------------------

Date:    Tue, 22 May 90 18:03:42 -0400
From:    Doug Sewell
Subject: Re: LISTSERV files and security?

The listserv /pdget support implemented at RPIECS and NDSUVM1 is simply
an interface to download files from simtel20. If it was clean on
simtel20, it's clean via /pdget. I can verify this, as I have seen the
code to implement /pdget.

Doug Sewell, Tech Support, Computer Center, Youngstown State University,
Youngstown, OH 44555
E-mail: DOUG@YSUB.BITNET, DOUG@YSUB.YSU.EDU, ...!uunet!ysub.ysu.edu!doug
>> Disclaimer: I claimed something ?

------------------------------

Date:    22 May 90 20:02:16 +0000
From:    emx.utexas.edu!ut-emx!chrisj@cs.utexas.edu (Chris Johnson)
Subject: Re: New MDEF virus (Mac)

jkirsh@contact.uucp (Joel Kirsh) writes:
>XMU@CORNELLA.BITNET (Tom Young) writes:
>>        The Vaccine program will successfully block an infection. When
>>an application is launched, Vaccine will display a message asking if
>>you wish to grant permission to add an MDEF resource. If you see this
>>message, you have the new virus.
>
>Does anyone know if Gatekeeper will block this virus?

Gatekeeper will *completely* block the MDEF virus. The same is *not*
true of Vaccine, however. Vaccine blocks only half of the operations
attempted by MDEF as it tries to infect the System file.
The end result is that when you use Vaccine to block MDEF infections on
certain kinds of Macs, you'll wind up with a system in which the
default menu definition function can no longer be found, which means
that you won't see any more menus....

When Gatekeeper blocks an infection by MDEF, it blocks it completely;
no modifications to the System are permitted, so no damage is done.

I hope this helps,
- ----Chris (Johnson)
- ----Author of Gatekeeper
- ----chrisj@emx.utexas.edu

------------------------------

Date:    Tue, 22 May 90 12:19:11 +0100
From:    "David.J.Ferbrache"
Subject: Disinfectant 1.8 available in UK (Mac)

Garfield Virus

A new Macintosh virus has been detected using a viral MDEF resource,
with resource name Garfield, ID = 0, size 314 bytes. Disinfectant 1.8
has now been released to deal with this virus.

This utility will be available from the Heriot-Watt info-server as of
2pm Tuesday 22nd May, by sending a message to " info-server@uk.ac.hw.cs ",
of the form:

request: mac
topic: disinfectant

------------------------------

Date:    22 May 90 18:43:37 +0000
From:    mack@se-sd.SanDiego.NCR.COM (Mack McCormick)
Subject: Morris and Hess

Can anyone post or repost the Morris crime information and the sentence
he has received? Also, can anyone do the same for Marcus Hess in
Germany? Need info for paper on crimes and punishment.

Respond to mack@se-sd.SanDiego.NCR.COM

Thanks.

------------------------------

Date:    22 May 90 23:52:21 +0000
From:    jsdy@hadron.COM (Joseph S. D. Yao)
Subject: Re: virii vs. viruses

swimmer@fbihh.informatik.uni-hamburg.de (Morton Swimmer) writes:
>Hey, what's up? I thought it was an established convention to speak of
>_viruses_ and not _virii_.

"Virii" is what's known as a "pseudo-learned" form. "Pseudo" because
the people using it are showing off that they know enough of Latin to
know that long "-i" is a plural ending for some words ending in "-us",
but not enough to know that it's a second-declension plural ending.
There are some "-us" words that are fourth-declension, and the plural
is "-us" with a long 'u'. Since this isn't an accepted English language
form, we use the default pluralisation rules, and add "-es" after the
final 's'. Hence, "viruses".

(For those who are wondering, there is no particular order to
declensions, they are just a convenient partition for ways to form
case-and-number endings for nouns and adjectives.)

I'm sure I'll have to write this again ...

Joe Yao        jsdy@hadron.COM ( jsdy%hadron.COM@{uunet.UU.NET,decuac.DEC.COM} )
arc,arinc,att,avatar,blkcat,cos,decuac,\
dtix,ecogong,grebyn,inco,insight,kcwc,  \
lepton,lsw,netex,netxcom,phw5,research,  >!hadron!jsdy
rlgvax,seismo,sms,smsdpg,sundc,telenet, /
uunet                                  /
                                                       (Last I counted ...)

------------------------------

End of VIRUS-L Digest [Volume 3 Issue 101]
******************************************