VIRUS-L Digest   Friday, 22 Dec 1989    Volume 2 : Issue 268

Today's Topics:

Re: Virus trends
WDEF virus infects Lehigh (Mac)
WDEF / Apology to Mainstay Software (Mac)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a non-digested Usenet counterpart.
Discussions are not limited to any one hardware/software platform -
diversity is welcomed.  Contributions should be relevant, concise,
polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's
LEHIIBM1.BITNET for BITNET folks).  Information on accessing anti-virus,
document, and back-issue archives is distributed periodically on the
list.  Administrative mail (comments, suggestions, and so forth) should
be sent to me at: krvw@SEI.CMU.EDU.

   - Ken van Wyk

[Ed. You may notice a slight format change here - the Topics are listed
before the "boilerplate".  This was suggested to make browsing the
subject lines easier.  Goes to show you - some people only read articles
with interesting and informative Subject: lines...  "That's the news and
I am out of here." - Dennis Miller, SNL]

---------------------------------------------------------------------------

Date:    Fri, 22 Dec 89 09:37:04 -0500
From:    dmg@retina.mitre.org (David Gursky)
Subject: Re: Virus trends

I wish to take issue with Gene Spafford's Theorem 4:

   "Theorem #4) Within the next few years, there will be at least one
   major problem where some purported anti-viral/security software will
   be made available, and it will contain a logic bomb or trojan horse
   in it that causes more damage than what it is supposed to fix.
   (Minor thesis: the likely author of such software will be someone
   marketing commercial security software, and the logic bomb version
   will be a public-domain package not traceable to the author.  The
   purpose -- to discredit public domain anti-virus software.)"

This assumes the unavailability of high-quality PD/Shareware/Freeware
anti-electronic vandalism software, or rather, that at a certain point
in time, such software will not be available (i.e. the existing software
will be outmoded, as say Interferon is).  It also assumes the author is
able to completely cover his or her steps, as Spaf does correctly point
out, but I would counter that this is harder than it seems.

Consider the current situation.  Of the PD/SW/FW tools in use today
(FluShot Plus, Gatekeeper, Disinfectant, et al.), their authors are well
known, and it is well known when they release new copies of their
software.  Any Trojan Horse masquerading as a tool against electronic
vandalism would therefore have to be as good as these tools, and would
probably have to be much better.  Otherwise, people will simply keep
using what they are using (look at how many people still use
Interferon!).  If people are not going to easily switch from one
PD/SW/FW to another, there is an inherited limiting factor on the
"effectiveness" of a Trojan Horse implanted in anti-electronic vandalism
tools.

Furthermore, the code hiding the logic bomb will have to persist in a
large number of unknown user configurations.  Look at the new WDEF virus
on the Mac.  It is simply incompatible with the new Mac IIci, and it
doesn't like the IIcx or any Mac with 8M of RAM that much either.

I would worry much more about the following:

   "Theorem 6": As the trend towards open systems continues, where a
   given programming environment can exist over several platforms
   (Examples: Smalltalk/V under the Mac OS and Presentation Manager,
   X-Windows, etc.), instances of machine dependent vandalism will
   decrease, and environment dependent vandalism (example: The Dukakis
   Hypercard Virus) will increase.  The power of the specific machine's
   operating system will be easier to access through these programming
   environments, opening up these systems to a larger number of people,
   and consequently to a larger number of vandals.

------------------------------

Date:    Fri, 22 Dec 89 00:00:00 +0000
From:    "Rich Silvius"
Subject: WDEF virus infects Lehigh (Mac)

We discovered the WDEF A virus on each of the five Mac computers in our
User's Area.  Two of the Macs also had nVirA.  Disinfectant 1.5 was used
to successfully clean up both viruses.  We posted signs in the User's
Area and a system bulletin on our Network Server [Ed. IBM mainframe] to
notify the campus community.  We had a small reoccurrence the next day,
but for now, all is well.  Other labs were notified about the WDEF virus
and given Disinfectant.  It also showed up in the Ed Tech lab of the
University.

------------------------------

Date:    Fri, 22 Dec 89 12:51:35 -0500
From:    jln@acns.nwu.edu
Subject: WDEF / Apology to Mainstay Software (Mac)

I have a major public apology to make to 1st Aid Software.  I just
learned that their product Anti-Virus Kit is effective against the new
WDEF virus, and I have been saying that "none of the popular virus
prevention tools were effective against WDEF."  This was obviously a
gross error on my part.  My only excuse is that I don't have a copy of
Anti-Virus Kit that I can use for testing.  This is not a good excuse --
I shouldn't have made the statement if I couldn't back it up.

1st Aid Software deserves a great deal of credit for having the only
virus prevention tool that was capable of catching WDEF.  Everybody else
failed, including Symantec's SAM, HJC's Virex, Gatekeeper, and Vaccine.
I don't know about MainStay's AntiToxin - I don't have a copy of that
either (yet).

In the future I'll try very hard not to make claims that I can't back up
with solid evidence.

John Norstad
Northwestern University
jln@acns.nwu.edu

------------------------------

End of VIRUS-L Digest
*********************