VIRUS-L Digest Wednesday, 20 Dec 1989 Volume 2 : Issue 265 VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's LEHIIBM1.BITNET for BITNET folks). Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk Today's Topics: Internet Worm Program Legal Implications of the PC Cyborg Mailing AIDS disk analogies (PC) Re: WDef and Gatekeeper Aid. Signature Programs Gatekeeper and Gatekeeper Aid (Mac) DES Availability SWE HAS MOVED TO A NEW ADDRESS Re: AIDS Trojan (PC) Re: AIDS Trojan Update (PC) Was AIDS disk legal? AIDS Information Disk (PC) Standard disclaimers and AIDS Trojan horse --------------------------------------------------------------------------- Date: Thu, 14 Dec 89 14:53:53 +0000 From: mitel!sce!cognos!alzabo!tris@uunet.UU.NET (Tris Orendorff) Subject: Internet Worm Program Internet Worm Update ... According to 2600 Magazine, If you want a copy of the source code (with comments), send $10 to 2600 Worm, PO Box 752, Middle Island, NY 11953 Sincerely Yours Tris Orendorff tris@alzabo.uucp ------------------------------ Date: Tue, 19 Dec 89 11:00:00 -0500 From: Jim Shanesy Subject: Legal Implications of the PC Cyborg Mailing Since it contained the greatest amount of information regarding licensing, payment, what it purported to be, etc. than the other postings, I have sent Mr. McAfee's first alert re this Trojan Horse to a dear friend, Paul R. Paletti, Jr., Esq. of Handmaker, Citrynell & Assoc. in Louisville, Ky. Mr. Paletti is a licensed, practicing attorney-at-law who is also a computer enthusiast. He uses his PC in his work, downloading cases from LEXIS via modem. When he has time to read my fax, we'll confer by phone and I'll send his opinions to this discussion list. Since copyright and patent laws are federal ones, he should be as qualified as anyone to assess the legal ramifications of this catastrophe. Jim Shanesy Office of Computer and Information Technology National Research Council 2101 Constitution Ave., NW Washington, DC 20418 (202)-334-3219 ------------------------------ Date: 19 Dec 89 11:07:00 -0800 From: MGB@SLACVM.BITNET Subject: AIDS disk analogies (PC) In reading the analogies pertaining to the AIDS Virus, I could not help but be struck by some parallels between the computer virus and the actual virus. First, like AIDS, some people are struck down very quickly while for others there is a long incubation process. Second, once you find out that you have it, you must be prepared to spend large sums of money to combat it on a recurring basis. Third, lots of warnings are given about the virus, what will happen if you utilize the disk (engage in risk behavior) but many people ignore these warnings and are thus infected. Fourth, the Virus comes from Africa, the probable birthplace of the actual AIDS virus. Fifth, there is no guarantee that paying your money will produce a cure, or that one cure actually exists (tailoring vaccine to specific machines/people). Sixth, the hysteria surrounding the VIRUS is both making people more aware of viruses in general and prompting much research into finding a way to decrypt the initiating factor. Seventh, there seems to be more we don't know about the Virus than we do know. The initial effects have been diagnosed and a remedy for the symptoms found but long term effects are still unknown. Perhaps I am seeing too much in this, but given the enormous outlay of both time, energy and money that someone went through; perhaps the perpetrators of this virus are attempting to give us all a non-lethal lesson as to what the real virus AIDS is all about. I am not justifying their actions but I just can't help but wonder if that lesson is what all this is all about. It would, to me, clarify the use of AIDS Information as the method of transmission. Comments, anyone ------------------------------ Date: 19 Dec 89 19:30:03 +0000 From: coherent!dplatt@ames.arc.nasa.gov (Dave Platt) Subject: Re: WDef and Gatekeeper Aid. C0195@UNIVSCVM.BITNET (Gregory E. Gilbert) writes: > I booted some Macs with Gatekeeper Aid installed this AM. I was > immediately presented with a rather sharp looking dialog announcing > that the "Implied Loader ABDS" virus(?) was found and removed. > > Is this the Wdef virus? If so, why not call it such AND what is an > "Implied Loader ABDS". The "ADBS" resource in the Desktop file is almost certainly not a virus. Rather, it's the signature for the Adobe Separator application. Unfortunately, "ADBS" is one of the resource-types that Apple has reserved for its own use... per Inside Mac V, resources of this type hold code which acts as an interface to the Apple Desktop Bus and its devices (keyboard, mouse, etc.). Because this resource-type can contain executable code, Gatekeeper Aid considers that it shouldn't be in the Desktop file. I don't know how a commercial application ended up with a signature- resource that's identical to one on Apple's list of reserved types. there are several ways in which this could have happened... all of which would appear to involve a bit of an oversight on someone's part. Removing this particular resource from the Desktop file might have some adverse effects on the Adobe Separator application. In particular, I might expect to see its documents revert to the generic icon, and you might not be able to double-click on a Separator document and launch the application. I believe that Chris will be updating the documentation for Gatekeeper Aid to warn of this problem. - -- Dave Platt VOICE: (415) 493-8805 UUCP: ...!{ames,apple,uunet}!coherent!dplatt DOMAIN: dplatt@coherent.com INTERNET: coherent!dplatt@ames.arpa, ...@uunet.uu.net USNAIL: Coherent Thought Inc. 3350 West Bayshore #205 Palo Alto CA 94303 ------------------------------ Date: 19 Dec 89 13:01:54 -0500 From: Bob Bosen <71435.1777@CompuServe.COM> Subject: Signature Programs In his mailing of Dec 07 '89, Y. Radai seems to be taking the position that since I am in favor of sophisticated authentication algorithms, I must be against sophisticated program implementations. Nothing could be further from the truth. A really reliable virus detection program must have BOTH a trustworthy authentication algorithm and a sophisticated implementation. I stressed the importance of sophisticated authentication algorithms only because as a newcomer to VIRUS-L, I was seeing a lot more discussion of implementation details and scanner programs than of quality authentication techniques. Please don't misinterpret me: PROGRAMS THAT PURPORT TO DEFEND AGAINST VIRUSES MUST BE EXTREMELY CAREFULLY WRITTEN. In my view, they should use the best and most sophisticated defenses available. Today, that means authentication algorithms should be based on published standards that have stood the test of time, such as ANSI X9.9. Obviously if a clever virus writer is able to orchestrate a situation in which the virus is never examined, then even a sophisticated authentication algorithm is of no use. What is needed is a well-written and convenient program that applies a sophisticated authentication algorithm across all program code without exception. Clearly this is better than a well-written and convenient program that applies some programmer's guess at an authentication algorithm across all program code without exception! The address where copies of ANSI X9.9 can be obtained didn't make it into my last posting. Sorry about that. Copies of ANSI X9 standards can be obtained through: Secretariat: American Bankers Association Standards Department 1120 Connecticut Avenue, N.W. Washington, D.C. 20036 I think the price is $15.00. I bet if you send a check and a mailing label with your return address on it, you'll get quick response. - -Bob Bosen- Vice President Enigma Logic Inc. 71435.1777@COMPUSERVE.COM ------------------------------ Date: Tue, 19 Dec 89 17:30:00 -0500 From: "Carl_A.Fassbender" Subject: Gatekeeper and Gatekeeper Aid (Mac) In Michigan State University's public laboratory, we have run into many viruses including the WDEF virus. We decided to put Gatekeeper and Gatekeeper aid on our system disks. To protect these files from being erased, they were made invisible using MacTools. Now in the control panel, the Gatekeeper icon does not show up. Question: Does this mean that Gatekeeper is not active? What about Gatekeeper Aid? ------------------------------ Date: Tue, 19 Dec 89 21:14:24 -0500 From: Steven C Woronick Subject: DES Availability IA96000 (name unknown, employee of "SWE"?) writes: >SWE first suspected and tested for the public key encryption method >for several reasons. The major reason was the lack of access people >outside of the United States would have to the DES encryption formula. > >For those not aware, the U.S. Government guards the DES formula, and >software which makes use of this formula may not be exported out of >the United States. Should it turn out that the DES formula was also >used, the authors of the AIDS "trojan", could possibly be prosecuted >under United States statutes pertaining to national security. Please correct me if I'm wrong, but isn't DES or DES-like encryption algorithms readily available? For example, the book "Numerical Recipes, The Art of Scientific Computing," by W.H. Press, B.P. Flannery, S.A. Teukolsky, and W.T. Vetterling, published by Cambridge University Press, (c)1986, p. 214-220 gives an algorithm for DES (two and one half pages of highly-inefficient FORTRAN-like code). Admittedly, the authors state that their program is not genuinely DES (since the standard itself explicitly states that any implementation in software is not secure and therefore not DES), but it does in software the same thing real DES hardware would do, so it is for all practical purposes DES. (Also, how does the claim that software versions of DES are technically not DES affect legal issues raised by IA96000@PACE about exporting DES?). Also, in my opinion, there is nothing special about DES except that it is a kind of "standard" algorithm (i.e. I think one can easily imagine other equally-difficult- to-decrypt algorithms). Steven C. Woronick | Disclaimer: These are my own opinions. Physics Dept. | Always check it out for yourself... SUNY at Stony Brook | Stony Brook, NY 11794 | Acknowledge-To: ------------------------------ Date: Tue, 19 Dec 89 20:55:00 -0500 From: IA96000 Subject: SWE HAS MOVED TO A NEW ADDRESS This is the final forward from SWE. Please be advised due to employment opportunities SWE is now in the process of moving to a new location. They no longer have any contact with Bitnet at this time. They can be reached via US MAIL at the following address: SWE C/O General Delivery Orlando, Florida To those who requested copies of the AIDS disk, SWE regrets to inform you the disks they had been working with have been returned to the customers who sent them. END OF MESSAGE ------------------------------ Date: Wed, 20 Dec 89 07:07:30 +0000 From: craig@tolerant.com (Craig Harmer) Subject: Re: AIDS Trojan (PC) dmg@retina.mitre.org (David Gursky) writes: >The AIDS Trojan Horse discussed by Alan Jay and John McAfee raises some >interesting questions about accountability. > > ... could the perpetrators be held liable under U.S. law for >damages, when the licensing notice clearly states the program is not >licensed to be used in the United States, and that damage will result >if you attempt to do so. actualy, the licensing notices reminds me of the popular "shrink-wrap" licenses where by breaking the shrink-wrap, you agree to the terms of the license. making the necessary action "running the program" doesn't seem much different to me (though i'm not a lawyer). so, assuming the people who's machines have been struck are in violation of a "legally enforceable" licensing agreement, is the destruction of data or denial of servicesomething they can sue over? some of the purveyors of data-block protection schemes for PCs seem to have provisions that cause the program to stop working if monthly payments aren't made. a friend of mine points out that there are also "good faith" types of clauses in the law that hold that given the method of distribution, the license agreement would not be valid. it would be highly interesting to see the PC Cyborg Corp. sue afflicted PC owners for breach of license! {apple,amdahl}!tolsoft!craig craig@tolerant.com (415) 626-6827 (h) (408) 433-5588 x220 (w) [views expressed above shouldn't be taken as Tolerants' views, or your views or my views. they are facts!] ------------------------------ Date: 20 Dec 89 11:24:34 +0000 From: anigbogu@loria.crin.fr (Julian ANIGBOGU) Subject: Re: AIDS Trojan Update (PC) Alan_J_Roberts@cup.portal.com writes: >A forward from John McAfee: > [deleted] >The directors are: Kitain Mekonen, Asrat Wakjira and Fantu Mekesse. Since the > names of the directors are all West African, it appears that the story told >by Ketema Corporation about representing a Nigerian software firm may be >close to the truth. The story unfolds. >[rest deleted] I would like to correct the impression your assertion creates. That is that the AIDS virus is from Nigeria. The names are quite exotic but as a Nigerian I'd like to inform you of a fact you neglected: that the names might be false . Well, Well, Well: the NAMES are all FALSE. We don't answer such names. As a regular user of the PC, just as I would like you to get to the bottom of this problem because it's a real international problem, I would like you to be objective. Somebody somewhere is/are covering his/their track(s) by stringing a red herring. Doesn't the name Mekonen remind you of a personality in Startrek? I'm ready to be flamed but I can assure you that the above names are fictitious. We certainly have not come of age in Computer Science to produce such destructive weapons. It's obvious that some malefactor somewhere is hiding under certain names to do his/their evil deeds. Julian --------------------------------------- e-mail: anigbogu@loria.crin.fr | All opinions expressed here are | | naturally mine. However ... | ---------------------------------------- ------------------------------ Date: Wed, 20 Dec 89 11:30:09 +0000 From: G.D.Shaw@durham.ac.uk Subject: Was AIDS disk legal? Martin Ward is quite right to say that: >the effects of this disk are entirely in accordance with the standard >warrenty used by most commercial software developers however, I do not think that makes it legal. Firstly there is the question of blackmail. This can mean either making an impropor demand, or using impropor means to enfore a legitimate demand. While it could certainly be argued that they are quite within their rights to demand payment, and could reasonably disable their own program until such payment was made, I would hope that planting a logic bomb that encrypted all the user's other files would not be considered a propor means of enforcing that demand. Secondly, there is criminal damage. This is trickier, since although a great deal of damage was certainly done, technically the program acts in full accordance with the information given in the warrenty. Furthermore, it is obviously not illegal to sell programs that can wipe your hard disk (eg. Norton, or most other disk utilities). I suspect that the issue might come down to one of causality: By writing the program, did the authors (legally) CAUSE the data to be lost , or was the chain broken by a voluntary act on the part of the user. Again, my hope would be that the former is the case. The authors almost certainly knew that most users would try out the program without reading, or without fully comprehending the implications of the warrenty. They were tricking the users into executing the program, and the users were behaving in a perfectly natural and predictible manner. Please note that I am not saying that every piece of defective software is a case of criminal damage: if you write a program in good faith, the element of mens rae does not exist (though that would not protect you against a civil or criminal action for negligence). In this case, though, I think it quite reasonable to conclude that the authors almost certainly acted with malicious intent. DISCLAIMER: I am a Astronomer, not a Lawyer. The above information is not warrentied for any purpose whatsoever. - -------------------------------------------------------------------------- Graham Shaw, Physics Department, Durham University, ENGLAND. 091-374-2138 JANET: G.D.Shaw@UK.AC.DUR.MTS EARN: G.D.Shaw%MTS.DUR.AC.UK@UKACRL INTERNET: G.D.Shaw%MTS.DUR.AC.UK@CUNYVM.CUNY.EDU STARLINK: DUVAD::GDS - -------------------------------------------------------------------------- ------------------------------ Date: Wed, 20 Dec 89 10:21:13 +0000 From: Alan Jay Subject: AIDS Information Disk (PC) > From: Martin Ward > > I feel that I should point out that the effects of this disk are > entirely in accordance with the standard warrenty used by most > commercial software developers Though most of them don't blatently say "if you don't I will destroy you." (see below) > (the ones which disclaim that the > programs are fit for any purpose at all, that XXX will disclaims all > responsibility for any damage or loss caused etc.) This is the kind that implies that if by mistake I do something that causes a problem tuff (in the US I believe several companies are trying to reclaim money caused by losses resulting from bugs in spreadsheet software). > Either these > warrenties are ILLEGAL or the perpetrators of this disk are entirely > within their legal rights to do what they have done. Does anyone (eg a > lawyer) know which is the case? Martin's point is interesting but worse still the warranty and license agreement sent out with the AIDS Infromation Disk specifically state that: "Warning: Do not use these programs if you are not prepared to pay for them'' and "..program mechanismis will adversely affect other program applications...'' and "..faliure to abide by this license......your conscience may haunt you for the rest of your life ....... your microcomputer will stop functioning normally." Generally if you read the license agreement you would NOT use the program. The legallity of the license is questionable but probably no more so than the comercial one described by Martin. At one time several reputable software companies were rumered to have been contemplating using a copy protection scheme that would have caused damage and data loss if the program was illegally copied. Luckily for us Software houses went the opposite way to a non copy protected world. Maybe this is nothing more than a copy protection scheme that isn't quite as good as it is supposed to be -- it has bugs that cause it to go off sooner than the anticipated 90days after installation. An antidote to the two known phases of the program mechanism has already been written and is available from our BBS (+44 1 863 6646) and from the PC Business World (Tel: +44 831 9252). We are only speculating that the program does other detrimental things to your system until they are seen the programs effects appear to be reversable. Whatever the reason behind this mailing it sould only warn people to remind ALL users not to use and disk sent to them, especially if it is unsollicited. Alan Jay PS If any users have installed the AIDS program then I can mail them the antidote for it. Please mail me with your requests. ------------------------------ Date: Wed, 20 Dec 89 10:50:00 -0500 From: John.Spragge@QueensU.CA Subject: Standard disclaimers and AIDS Trojan horse In VIRUS-L #261, Martin Ward asks whether the standard warranty is illegal, or the developers of the AIDS-trojan are within their rights. I am a programmer, not a lawyer, so I can not quote specific law with any authority; suffice it to say that the disclaimers that come with most of the software I buy observe that the liabilities of the manufacturer or distributor of a program vary between jurisdictions. However, from the point of view of a programmer, I can point out that there is a great difference between disclaiming responsibility for the way a program will behave on any arbitrarily chosen machine, and writing a program with the deliberate intention of causing harm. Whether a court would appreciate the difference remains to be seen, but in this case, if a case can be made that the demand for money the "AIDS" program makes is extortion, I doubt that any disclaimer could protect the authors. As for the legal (not to say ethical) question of whether is it is ever acceptable for a programmer to write a harmful program, there is (or was) a case that may shed some light on this issue: Eric Newhouse, in his newsletter on illegal programs, trojan horses, and viruses, claimed that a "legitimate" commercial outfit had written a trojan horse that claimed to crack softguard protection on a file, but actually destroyed the user's data. The claim he reported that the company in question made was that since an attempt to crack softguard protection was a violation of a license agreement, they data of such users was fair game. Mr. Newhouse indicated that the authors of this trojan were being taken to court, which may (if the issue is through the courts yet) shed some light on the judicial perception of this issue. John G. Spragge Taliesin Software Resources Limited Suite 212, 4 Cataraqui Street Kingston Ontario, K7K 1Z7 Phone: (613)545-9577, Bitnet: ------------------------------ End of VIRUS-L Digest *********************