[comp.sys.apple] Virus 101: Chapter 3

woodside@ttidca.TTI.COM (George Woodside) (03/13/89)

First, the mail: 

Addressing a controversial topic is sure to generate some strong responses,
and this one is no exception. Mail of the "Thank You" flavor outweighs the
"You Idiot" flavor by about 4-1, so I'll be pressing on. The majority of
the "You Idiot" mail is from senders who either admit, or display, limited
programming ability. For the benefit of those individuals: I appreciate
your concern. I am not attempting to aid in the spread of viruses, but in
your own understanding of them, and ability to defend yourself. People with
the ability to create a working virus will have found little or nothing
they didn't already know in the preceding postings. There is certainly
nothing in them that isn't already available in the most fundamental books
about personal computers. The preceding postings are also written at a
superficial level, and are missing quite a few specific things necessary to
make a real working virus. Those missing items would add nothing to the
layman's understanding of how a virus spreads or works, so are not
included. You need not take my word for this; contact anyone you know who
is knowledgeable in the system software field, and they will confirm it. 

Sin of omission: 

Part of a message received from Forrest Gehrke (feg@clyde.att.com): 

...One method for a virus finding enough space to hide itself, that I have
seen, you have not mentioned. I have noticed that the so-called Pakistani
virus uses non-standard sectoring at tracks 37 and 38 for IBM PC
diskettes... 

Mr. Gehrke is quite right. I did forget to mention this technique. While I
had heard rumors of it being in use, I hadn't seen it in any of the virus
code I've captured (again, I'm in the Atari ST world). 

I have responded to all mail I have received (if it requested a response)
including mailing out copies of missed chapters. Several responses have
been returned by various mailers. If you requested something, and haven't
heard from me, either your request or my response failed.

Now, Chapter 3: 

Once a virus has installed itself, and replicated as frequently as it has
found the opportunity, it will eventually launch whatever form of attack it
was originally designed to do. That attack is the real purpose of the
existence of the virus. Everything up to this point has been for the sake
of getting to this stage. 

What will it do? Almost anything. The limits are imagination and code
space. The most benign virus I've seen claims to be an anti-virus. It
blinks the screen on boot-up. The idea is that if you see the screen blink,
you know that the benign virus is on the disk, rather than a more malicious
one. It does, however, spread itself just like any other virus. From there, 
things proceed through the prank levels, time-triggered, messages, ones 
which try to simulate hardware failures, to ones which destroy files and 
disks. The actions vary from virus to virus. And, of course, there is a 
whole different library of viruses for each machine type. Attempting to detect
a virus by describing or recognizing the symptoms is not only a task of 
limitless proportions, it is too little too late. When the symptoms appear, 
the damage has already been done. 

Several viruses attempt to simulate hardware problems. (Conversely, I've had
several pleas for help with a virus that proved to be other types of
failures.) Frequently these viruses use timers to delay their actions until
the system has been running for some time, and to spread out their
activities to make the problem appear intermittent. Such virus induced
glitches include occasionally faking successful disk I/O, while actually not
performing the read or write, altering the data being read or written, and
(more commonly) screen display glitches. It is very difficult for anyone to
determine whether such incidents are the results of a virus, or a real
hardware problem. When such incidents start to occur on your system, start
executing whatever virus detection software you have available, before
lugging your system off to a service firm. 

Previously, I mentioned the use of write protected disks as a step in the
right direction to protect yourself. A large percentage of personal
computer systems now use hard disk systems. Floppy disks are more often a
backup media, or offline storage of files not needed on the hard disk for
day to day use. Backing up requires the disks to be writeable, as does
archiving off the infrequently used files. It is good practice to write
protect the archived disks as soon as the files are copied to them. Run
whatever virus checking software you have on the archive disks, write
protect them, and then file them away. 

(When reading the following suggestions about protecting your system from
attacks, keep in mind that not all techniques can be applied to all systems
or all software. Read the documentation accompanying the software before
your first attempt to use it. Be familiar with what it is expected to do 
before you run it, and you'll be more able to recognize unexpected activity.)

The next step is to apply write protection to whatever disks you receive
software distributed on, before ever inserting them into a computer. Be
they Public Domain, User Group Libraries, Commercial Software, or whatever,
write protect them before you first read them. Then, make a backup copy if
possible. Finally, when first executing the new software, have only write
protected disks in your system. You should be well aware of any legitimate
attempt to write to a disk by the software before it happens, and have
adequate opportunity to insert a writeable disk when the proper time comes. 
This will not only give you a clue to the presence of a virus in the new
software, but also protect the new software from a virus already resident
in your system.

If your system supports the use of a RAM disk, copy new software into the
RAMdisk before executing it the first time. Put write protected disks in
the drives, then execute the software from the RAMdisk. If the software has
no reason to access other disks, especially when starting itself up, be
very suspicious of any disk activity. The most common time for a virus or
trojan horse program to do its dirty work is at startup, when it is
impossible to tell whether disk access is part of program loading, or some
clandestine operation. By having the software loaded into and executing
from memory, you will be able to detect any disk I/O which occurs. 

Finally, backup everything. Hard disks, floppy disks, tapes, whatever. Make
backup copies, write protect them, and store them in a safe place off-line.
If you are attacked by a destructive virus, your first problem is to rid
your system of the virus. Do not go to your off-line backups until you have
determined if your problem came from a virus, and if so, that you have
removed it from the system. A backup is useless if you give a virus a
chance to attack it as well as your working copy. 

A significant portion of these three chapters has been related to boot
sector viruses. While the most common type in the Atari and MS-DOS world,
they are certainly not the only type. 

What follows next is mostly a re-phrasing of an article from "Los
Angeles Computer Currents", June, 1988. There are a few direct quotes from
the copyrighted article. While I do not agree with all that this article
states, I can not disprove the items from a position of experience. Since
my efforts here are to inform, you may judge for yourself. A significant
portion of my remarks are oriented to the Atari ST, but the concept is true
to most all personal computers. 

An article in that issue, by Lewis Perdue, outlined the problems he faced
when the IBM PC running Ventura Publisher he was using to create the first
issue of PC Management Letter became infected. I won't begin to copy all
that, but the most interesting part of the recovery task was when they used
a normal (high-level) format program to clear the hard drive. It didn't
kill the virus. They had to resort to a low level format, and rebuild from
all original distribution disks. Their backups had been infected as well as
their working copies of the software. They relied on a PC specific tool
called Data Physician, by Digital Dispatch, to aid in the detection of the
virus. It implements techniques to diagnose infections, but it has to be
installed before the virus strikes. 

Another, more interesting aspect of the article, was categorizing viruses
into four groups: Shell, Intrusive, Operating System, and Source. 

Shell - these "wrap themselves around a host program and do not modify the
original program." In laymen's terms, such a virus would tack itself onto a
program file, so it would get loaded with the program. It would have to do
this in a manner that would cause itself to be executed before the host,
since the host certainly would not pass control to the virus. 

This would be quite a complex task on an Atari ST (and on systems with a 
similar structure for executable program files). The virus program would
have to be quite large in order to deal with the structure of an executable
file on the ST. In simple terms, an executable file (a program) is a series
of unique sections: a header, the code, data, a relocation map, and
possibly a symbol table. The header specifies the size of each of the
following segments. The code is the program, but in a form which will not
run until it has been relocated. The data is constants, literals, messages,
graphic data, etc. The relocation map tells the ST what changes to make to
the code before it can be run. The symbol table is not usually present,
except during program development. The reason behind this structure is that
when a program is created, it does not know where in memory it will reside
when it is executed. Things like RAMdisks, device drivers, accessories,
printer buffers, spelling checkers, and so on, may or may not be present in
the computer when the program is run. Since each of those things requires
memory, the place where the program will wind up being loaded is unknown.
So, when it does get loaded, it has to be told where it is. And, since the
program will almost always contain references to itself (subroutines,
variables, etc.) it has to be modified so that those references point to
the right place. That's what the relocation map is for. It details how the
program has to be modified. Once the program is loaded into memory, and
fixed up, the relocation map and symbol table are discarded. So, to hook
into a program file, a virus would have to split the program file, attach
itself to the beginning of the code segment, (that's where execution
begins), re-attach the data, relocation, and (possibly) symbol table
segments, update the relocation map (all the original references would now
have moved), update the header, then re-write itself to the original disk,
assuming there was room on the disk for the (now bigger) file and that the
disk was not write-protected. That's a large amount of work to develop, and 
a large amount of code to sneak into a system for the original infection. 

I should mention here that it is not difficult to write "position
independent" code on most micro-processors. You have to set out to do that,
though, and take the necessary steps along the way to keep everything
position independent.  Boot sector code is a well known example. The
address where the boot sector will be loaded into memory is unknown, and
there is no relocation done on the code. It has to be position independent.
It also has to fit in the boot sector. If it needs more than the amount of
space in the boot sector, it has to determine its own location, and load
the additional code itself. Of course, that means that it had to have a
place to store the additional code, and it had to know where to find it. 
Those items were covered previously.

Detecting a "Shell" type virus is not difficult. When it attaches itself to
the target program, it must increase the size of the file. While it would
be a real nuisance to check file sizes on a regular basis, there are
programs available to do this for you. An "alteration detection" program
will typically accept a list of programs to recognize. It will write a data
file of its own, noting characteristics of each file in the list, such as
length and date, and then run a numeric algorithm across the file. The
numeric algorithm (typically a Cyclic Redundancy Check, or CRC) will yield
a value which is stored in the alteration detection program's own data
file. Then, on each subsequent execution of the alteration detection
program, it checks the recorded characteristics of each file in its list,
and re-executes the algorithm on the files. It reports back any file which
has been changed since it last executed. Needless to mention, such a
program must be run on the files to be monitored before any virus has an
opportunity to attach itself to those files. Then, it must be run frequently
to have a chance to detect altered files.

(Back to the types of viruses defined in the article)... 

Intrusive - Intrusive viruses work by patching themselves into an existing
program. This type of virus has two possibilities - either it is willing to
render the host program useless, or it will attempt to co-exist with the
host. If it is willing to corrupt the host, this is not too difficult a
task. It would replace a part of the host program, modify the relocation
map, and wait to get run. When it did, it would abandon the original task
of the host program, and launch its attack. An example of this would be the
virus bearing version of a word processor which struck the IBM compatible
market some years ago. It signed on, looking just like a popular shareware
program, but it was busy re-formatting the hard disk while the user waited
for it to load and get ready to accept input. 

The other flavor of intrusive virus, which attempts to co-exist with the
host program, is terribly difficult to create. It has to modify the host in
a manner that either accomplishes the host's task while also doing its
own, or find a part of the host that is infrequently or no longer used, and
hide there. It would then have to modify some other part of the host in
order to get itself executed. In either case, a virus of this type has to
be aimed at one specific host program. There's no way it could perform the
analysis necessary to locate such portions of a randomly selected program.
For that reason, an intrusive virus has to target some program that resides
on a large portion of the target computer's installations, and that it is
certain will be available to tamper with when the virus introduction
occurs. That normally means either the Operating System, or some utility
program so common that it is found virtually everywhere. 

Operating System viruses work by replacing a portion of the Operating
System with their own code. This is similar to the intrusive type, except
that it can use a new trick (and there are ones that do this on the
IBM/MS-DOS computers). As a part of the operating system, it can sneak out
to a hard disk, find an unused part, mark it as defective, and hide there.
That would mean only a very small part of the code would have to be hooked
into the operating system (possibly as an entry in a list of device
initializing routines). That small segment could then allocate adequate
memory for the real routine, and load it from wherever. 

Source Code viruses - I found this type of virus to be a bit unbelievable.
The article reads (I quote): 

Source code viruses are intrusive programs that are inserted into a source
program such as those written in Pascal prior to the program being
compiled. These are the least-common viruses because they are not only hard
to write, but also have a limited number of hosts compared to other types.
(end quote) 

Sounds to me like this would be nearly impossible to accomplish in
after-market software. If, on the other hand, they mean a part of the
program added by a devious member of a development team, then, it is
credible. It brings to mind the story (which I can't verify, but I've heard
it from enough different sources to believe it is true) about what may well
have been the first virus. In case you're not familiar with "C" compilers,
they are usually several different programs, which must be run in proper
sequence, passing files and options from one to the next. Usually, this is
all done by another program, a "compiler driver", which is almost always
called "cc". You execute "cc", passing it the necessary flags, and the
name(s) of the program(s) you want compiled, and it drives all the
necessary tasks to do it. 

This was reported to have been done by one of the originators of the UNIX
operating system, (name deleted), back in the development days at Bell
Labs. Well, the story goes, he wrote the first versions of UNIX, "C", and
"cc". He had a "back door" to get into a system running UNIX. He built the
back door code into "cc". The code in "cc" checked to see what it was
compiling. If it was the module "login", it incorporated the back door into
the module, so that he could get into the system. If, on the other hand, it
was compiling "cc", it included the code both to re-create itself, and the
code to build the back door into "login". So, every "cc" had the code, and
consequently every UNIX system included the back door. Eventually, it was
discovered, and removed. There followed a frantic rebuilding of every UNIX
system in existence, so the story goes. 

This is the final chapter which will be distributed via cross-posting.
Chapter 4 will relate specifically to viruses captured in the Atari ST
environment, and will be posted only to comp.sys.atari.st. It will come out
about 1 week after this one. This article was posted on March 13, 1989, so you
can determine the approximate delay to your receipt, in case you don't read
that newsgroup, but wish to locate the fourth chapter in comp.sys.atari.st. 

End of Chapter 3. 
-- 
*George R. Woodside - Citicorp/TTI - Santa Monica, CA 
*Path:       ..!{philabs|csun|psivax}!ttidca!woodside
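The "alteration detection" program described in the chapter (record each monitored file's length, date and a CRC in the checker's own data file, then re-run and report anything that changed) as a small working example. This is added here and is not code from the posting or any product it names; file names, the CHECKER.DAT data file and the two tampering scenarios are constructed for the demonstration.

```python
import os
import json
import zlib
import tempfile


def file_fingerprint(path):
    """Length, modification time and CRC-32 of one file: the characteristics
    the article says an alteration detection program records."""
    st = os.stat(path)
    crc = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return {"length": st.st_size, "mtime": int(st.st_mtime), "crc32": crc & 0xFFFFFFFF}


def record_baseline(paths, db_path):
    """First run: note every listed file in the checker's own data file.
    As the article stresses, this must happen before anything has altered them."""
    db = {p: file_fingerprint(p) for p in paths}
    with open(db_path, "w") as f:
        json.dump(db, f)
    return db


def check_against_baseline(db_path):
    """Subsequent runs: recompute and report each file that changed, with the
    characteristics that differ (or 'missing' if the file is gone)."""
    with open(db_path) as f:
        db = json.load(f)
    report = {}
    for p, old in db.items():
        if not os.path.exists(p):
            report[p] = ["missing"]
            continue
        new = file_fingerprint(p)
        reasons = [k for k in ("length", "mtime", "crc32") if old[k] != new[k]]
        if reasons:
            report[p] = reasons
    return report


def demo():
    """Constructed scenario: two stand-in program files, a baseline, then the two
    kinds of alteration the chapter describes. Returns the report keyed by file name."""
    d = tempfile.mkdtemp()
    prog_a = os.path.join(d, "EDITOR.PRG")   # hypothetical file names
    prog_b = os.path.join(d, "CALC.PRG")
    with open(prog_a, "wb") as f:
        f.write(b"\x60\x1a" + b"A" * 500)   # constructed contents, not a real program
    with open(prog_b, "wb") as f:
        f.write(b"\x60\x1a" + b"B" * 500)
    db_path = os.path.join(d, "CHECKER.DAT")
    record_baseline([prog_a, prog_b], db_path)

    # Shell-style alteration: something is tacked onto the file, so it grows.
    with open(prog_a, "ab") as f:
        f.write(b"X" * 64)

    # Intrusive-style alteration: a piece of the file is overwritten in place,
    # the length stays the same, and the timestamp is put back as it was.
    # Only the CRC pass catches this one, which is why the checker runs it.
    st = os.stat(prog_b)
    with open(prog_b, "r+b") as f:
        f.seek(100)
        f.write(b"Z" * 8)
    os.utime(prog_b, (st.st_atime, st.st_mtime))

    report = check_against_baseline(db_path)
    return {os.path.basename(p): reasons for p, reasons in report.items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "changed:", ", ".join(reasons))
```

CRC-32 is an error-detecting code, not a cryptographic hash, so it catches accidental and careless changes but a deliberate alteration can be arranged to preserve it; a modern checker of this kind would store a cryptographic hash instead, and the data file itself needs to be kept somewhere the monitored files' tamperer cannot reach.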

osmigo@ut-emx.UUCP (03/15/89)

[George Woodside posts a continuation of "Virus 101"]

You mentioned 1 out of 4 e-mail respondents falling in the "you idiot!"
category. Count me, too, you idiot...|-:}

No, your articles don't tell "how to write a virus" in the sense of providing
sample source code, but they certainly present a clear blueprint. You go into
great detail about how viruses can work, where they need to go, how they
overcome obstacles and protections, etc., to the point of naming specific
disk sectors. 

You state that a non-programmer won't get anything out of your article, and
that a programmer can easily find this information in "any good computer
book." If that's the case, why post it in the first place? Gimme a break.

Also, keep in mind that comp.sys.mac is uploaded to many, many Mac BBS's
around the country, including underground "outlaw" BBS's populated largely
by high school and college hackers. I know of more than one local BBS of
this type, where you can download virtually every Mac program on the market,
and some people on there would LOVE to get their hands on this kind of
information.

Your articles remind me of a Reader's Digest article I saw some time back
on "How to Protect Your House From Burglars." It was the best article on
"How to burglarize a house" I'd ever seen.

Ron
  
 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
 >  Ron Morgan    {ames, utah-cs, uunet, gatech}!cs.utexas.edu!ut-emx!osmigo  <
 >  Univ. of Texas  {harvard, pyramid, sequent}!cs.utexas.edu!ut-emx!osmigo   <
 >  Austin, Texas        osmigo@ut-emx.UUCP       osmigo@emx.utexas.edu       <
 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

clyde@ut-emx.UUCP (Clyde W. Hoover) (03/15/89)

Let me express a public "thank-you" for these articles.  Security by obscurity NEVER WORKS FOR LONG. I prefer the potential dangers of everyone knowing to the guaranteed danger of ignorance.

---------------
Shouter-To-Dead-Parrots @ Univ. of Texas Computation Center; Austin, Texas  
	clyde@emx.utexas.edu; ...!cs.utexas.edu!ut-emx!clyde

"You really have to take a broad perspective when giving pat answers
 to other people's problems."  - Eyebeam

uace0@uhnix2.uh.edu (Michael B. Vederman) (03/15/89)

Many people are complaining about how this information can be used to write
a virus, even though no code has been given.

FLAME ON!

Grow up People!!

This is the United States of America (at least the message originated here)
and the NET is a free network for exchange of information.

If you wanna stifle the free expression and dispersal of information, then
jump on the anti-porn bandwagon and join people who don't believe in the
BILL OF RIGHTS.

Any hacker worth a damn can disassemble the paltry 483 bytes of information
of a virus in the boot sector.  Not to mention that the HitchHiker's Guide
to the BIOS is also on many pirate boards, and it explicitly states how to
write executable boot sectors.

Instead of showing your ignorance and naivety at the resourcefulness of
a hacker, why not just send a letter bomb or something, and get rid of
George Woodside.  There, I just told you how, are you gonna do it?

Information should be free to all.  If you are gonna get offended by it,
then press the damn 'N' key, or don't call.  You set yourself up to get
upset, and when it happens you bitch to everyone.  Don't set yourself up,
avoid getting upset and everyone will be happier.

FLAME OFF!!

Have a nice day.  Thanks for very informative articles.

As one of the authors of DC Formatter, which has 6 executable boot sector
options, I am fully aware of how it is done (and even have a single
function which will make an executable boot sector out of any code), but I
still found the articles enjoyable and very well written.

It is nice to have such good information without having to pay for it.

- mike

None of the above is shared by any of the other personnel at Double Click
Software.  I alone am the culprit.

-- 
for (;;)                              : Use ATARINET, send an interactive
        do_it(c_programmers);         : message such as:
                                      : Tell UH-INFO at UHUPVM1 ATARINET HELP
University Atari Computer Enthusiasts : University of Houston UACE

cramer@optilink.UUCP (Clayton Cramer) (03/16/89)

In article <11179@ut-emx.UUCP., osmigo@ut-emx.UUCP writes:
. [George Woodside posts a continuation of "Virus 101"]
. 
. Also, keep in mind that comp.sys.mac is uploaded to many, many Mac BBS's
. around the country, including underground "outlaw" BBS's populated largely
. by high school and college hackers. I know of more than one local BBS of
. this type, where you can download virtually every Mac program on the market,
. and some people on there would LOVE to get their hands on this kind of
. information.
. 
. Your articles remind me of a Reader's Digest article I saw some time back
. on "How to Protect Your House From Burglars." It was the best article on
. "How to burglarize a house" I'd ever seen.
. 
. Ron

That happens!  I have a publication from the Bureau of Alcohol, Tobacco,
and Firearms, that tells you (with brand names and drawings of all the
parts) how to MAKE SURE YOU DON'T ACCIDENTALLY BUILD A MACHINE GUN!

The California Penal Code tells you how to build a Molotov Cocktail.

Anyone want to join the club where you have to stand in a corner for
a half hour and NOT THINK ABOUT PINK ELEPHANTS?

I've long wanted to understand viruses, and I'm pleased about the
postings, even though I never intend to build one.
-- 
Clayton E. Cramer                   {pyramid,pixar,tekbspa}!optilink!cramer
Anyone who wants to be a politician bad enough to get elected, shouldn't be.
----------------------------------------------------------------------------
Disclaimer?  You must be kidding!  No company would hold opinions like mine!

holland@m2.csc.ti.com (Fred Hollander) (03/16/89)

In article <11179@ut-emx.UUCP> osmigo@emx.UUCP (Ron Morgan) writes:
>[George Woodside posts a continuation of "Virus 101"]
>
>You mentioned 1 out of 4 e-mail respondents falling in the "you idiot!"
>category. Count me, too, you idiot...|-:}

[stuff deleted]

>Your articles remind me of a Reader's Digest article I saw some time back
>on "How to Protect Your House From Burglars." It was the best article on
>"How to burglarize a house" I'd ever seen.
>
>Ron

Not that I've read it but, you've just supplied an excellent example of how
distributing information can be helpful for the *good* people.  Probably the
best way to learn how to protect yourself from burglars is to learn how they
work.  A good burglar makes a good security consultant.

By publishing known methods used by computer viruses, people can write
software to detect, kill or prevent viruses.  Software can be designed
to protect itself from infection.  I think if you could keep everyone
in the dark, we would all be much more vulnerable to infection and
less equipped to combat an infection.

Fred Hollander
Computer Science Center
Texas Instruments, Inc.
hollander@ti.com

The above statements are my own and not representative of Texas Instruments.

shawn@pnet51.cts.com (Shawn Stanley) (03/17/89)

holland@m2.csc.ti.com (Fred Hollander) writes:
>In article <11179@ut-emx.UUCP> osmigo@emx.UUCP (Ron Morgan) writes:
>>[George Woodside posts a continuation of "Virus 101"]
>>
>>You mentioned 1 out of 4 e-mail respondents falling in the "you idiot!"
>>category. Count me, too, you idiot...|-:}
>
>[stuff deleted]
>
>>Your articles remind me of a Reader's Digest article I saw some time back
>>on "How to Protect Your House From Burglars." It was the best article on
>>"How to burglarize a house" I'd ever seen.
>>
>>Ron
>
>Not that I've read it but, you've just supplied an excellent example of how
>distributing information can be helpful for the *good* people.  Probably the
>best way to learn how to protect yourself from burglars is to learn how they
>work.  A good burglar makes a good security consultant.
>
>By publishing known methods used by computer viruses, people can write
>software to detect, kill or prevent viruses.  Software can be designed
>to protect itself from infection.  I think if you could keep everyone
>in the dark, we would all be much more vulnerable to infection and
>less equipped to combat an infection.

I think that compares more with police vs. burglars, or security systems vs.
burglars.  It only takes one programmer with virus code to mess up many users,
and there are many more users than programmers.

Tell me how unreasonable this is.  Someone publishes virus code.  Some
programmers take up the code, mutate it a bit, and distribute the mutant
virus(es).  Other programmers realize what has happened (after the fact), and
produce code to protect against those strains.  The virus-writers produce code
to avoid the protection.  And so on.

I'm told this is already happening.  Now I ask, if virus code is published,
and this is the result, then why spread more virus code?  It leaves the users
in the middle of efforts on both sides of the problem.  The problem can only
be solved after damage is done.

It's a sticky problem, no?  Knowledge is protection, to a point.  And if
anyone wishes to have that knowledge, I'm not against them having it.  I don't
think it should be kept from those who want it, but I do think that there are
those that, if the code wasn't put into their hands without them having asked
for it, might not have written viruses.  To want to do something generally
invokes more of a sense of responsibility.  To do something "just because it's
there" requires much less...

UUCP: {uunet!rosevax, amdahl!bungia, chinet, killer}!orbit!pnet51!shawn
INET: shawn@pnet51.cts.com

fozzard@boulder.Colorado.EDU (Richard Fozzard) (03/17/89)

In article <11179@ut-emx.UUCP> osmigo@emx.UUCP (Ron Morgan) writes:
>No, your articles don't tell "how to write a virus" in the sense of providing
>sample source code, but they certainly present a clear blueprint. You go into
>great detail about how viruses can work, where they need to go, how they
>overcome obstacles and protections, etc., to the point of naming specific
>disk sectors. 
>
>You state that a non-programmer won't get anything out of your article, and
>that a programmer can easily find this information in "any good computer
>book." If that's the case, why post it in the first place? Gimme a break.
>
>Your articles remind me of a Reader's Digest article I saw some time back
>on "How to Protect Your House From Burglars." It was the best article on
>"How to burglarize a house" I'd ever seen.
>

These points are well taken, but just to stimulate the debate, this is from 
the official statement by Computer Professionals for Social Responsibility
(CPSR) on the Internet virus:

"An effective way to correct known security flaws is to publish descriptions
of the flaws so that they may be corrected.  We therefore view the efforts to
conceal technical descriptions of the recent virus as shortsighted."

from the Winter 89 CPSR Newsletter

The statement goes on to give a bibliography of both technical and non-
technical articles about the Internet virus.

One thing to remember is that we Americans allow in our culture plays, 
movies, TV shows, etc. that not only show how, but also glorify robbing
banks, murder, sex, etc.  It's the old argument about incitement versus
freedom of speech.  Certainly no one will accuse "Virus 101" of glorifying
the writing of viruses (as does John Brunner's 'Shockwave Rider' or William
Gibson's 'Neuromancer') - it reads more like a PBS documentary.

Should we censor it?

What does the net think?

Rich Fozzard

osmigo@ut-emx.UUCP (03/17/89)

In article <7494@boulder.Colorado.EDU> fozzard@boulder.Colorado.EDU (Richard Fozzard) writes:
>These points are well taken
>"An effective way to correct known security flaws is to publish descriptions
>of the flaws so that they may be corrected.  We therefore view the efforts to
>conceal technical descriptions of the recent virus as shortsighted."

I agree totally with this statement, despite my alarm at the publication
of "Virus 101." My main, basic objection, really, is that comp.sys.mac
is too widely distributed to carry this kind of information. Perhaps a better
approach would have been to ask for correspondence (i.e., e-mail) with those
who were involved in writing antiviral code, and then furnishing them with
the articles. This would have blocked access by users who read comp.sys.mac
via BBS's, read-only setups, etc. Yes, I remember how back in the "good old
days," the net was populated mostly with AT&T techies, researchers and the
like, but let me make it clear that that is not, repeat NOT the case now.

I understand how the information in the article would be useful for virus
fighters, and priceless to a virus author. My analogy to a Reader's Digest
article, where I compared the article to one on "How to Protect Your Home
From Burglars," really isn't a good one. Burglaries are individual, isolated
acts. Viruses are different. It only takes ONE person writing ONE piece of
code to cause utter devastation on a global scale. Would anyone care to wager
that somewhere out there, somebody's not playing with some code, with this
article at his side? That's all it takes. Just one. I hope I'm wrong.

Ron

 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
 >  Ron Morgan    {ames, utah-cs, uunet, gatech}!cs.utexas.edu!ut-emx!osmigo  <
 >  Univ. of Texas  {harvard, pyramid, sequent}!cs.utexas.edu!ut-emx!osmigo   <
 >  Austin, Texas        osmigo@ut-emx.UUCP       osmigo@emx.utexas.edu       <
 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

trebor@biar.UUCP (Robert J Woodhead) (03/17/89)

In article <7494@boulder.Colorado.EDU> fozzard@boulder.Colorado.EDU (Richard Fozzard) writes:
>
>These points are well taken, but just to stimulate the debate, this is from 
>the official statement by Computer Professionals for Social Responsibility
>(CPSR) on the Internet virus :
>
>"An effective way to correct known security flaws is to publish descriptions
>of the flaws so that they may be corrected.  We therefore view the efforts to
>conceal technical descriptions of the recent virus as shortsighted."
>
>from the Winter 89 CPSR Newsletter
>

Ah, "technical descriptions" is one thing, "source code" is another.  Also,
the Internet virus exploited security flaws that were within the power of
system administrators to change.  Macintosh viruses use published features
of the OS that are not likely to change anytime soon (such as the resource
manager).  Publishing a description of "this is what Virus X does; you
can detect it by looking for Y; the following procedure Z will remove it"
is appropriate and laudable.  Publishing "Here is the MPW source code of
the new "Trash your Hard Disk" virus" is an invitation for misbehavior.

-- 
* Robert J Woodhead * The true meaning of life is cunningly encrypted and *
* uunet!biar!trebor * hidden somewhere in this signature...               *
* Biar Games, Inc.  *                       ...no, go back and look again *

greg@bilbo (Greg Wageman) (03/18/89)

In article <11179@ut-emx.UUCP> osmigo@emx.UUCP (Ron Morgan) writes:
>[George Woodside posts a continuation of "Virus 101"]
>
>You mentioned 1 out of 4 e-mail respondents falling in the "you idiot!"
>category. Count me, too, you idiot...|-:}

*You* are the idiot.

>No, your articles don't tell "how to write a virus" in the sense of providing
>sample source code, but they certainly present a clear blueprint. You go into
>great detail about how viruses can work, where they need to go, how they
>overcome obstacles and protections, etc., to the point of naming specific
>disk sectors. 

>You state that a non-programmer won't get anything out of your article, and
>that a programmer can easily find this information in "any good computer
>book." If that's the case, why post it in the first place? Gimme a break.

The information is useful to me, a professional programmer, so that I
can recognize the symptoms of known viruses, should my systems catch
any, and know what steps to take to remove them, and what damage
control/recovery options I have.  Got that?

Yes, I could figure out (easily) how to write one of these babies from
systems manuals.  I don't need or want to do that.  I also don't want to
have to reverse-engineer existing viruses myself, if someone else has
that information.  Especially not after a virus hits; by then I've got
enough trouble.  No, I applaud Mr. Woodside's postings and encourage
him to continue.

>Also, keep in mind that comp.sys.mac is uploaded to many, many Mac BBS's
>around the country, including underground "outlaw" BBS's populated largely
>by high school and college hackers. I know of more than one local BBS of
>this type, where you can download virtually every Mac program on the market,
>and some people on there would LOVE to get their hands on this kind of
>information.

You know of BBS's that encourage theft, and you don't report them to
the FBI?  That *is* idiocy!  If you were really the upstanding citizen
you pretend to be, you would take steps to see these pirate boards
shut down.  They are not doing the software industry any good, nor are
they any sort of modern "Robin Hoods", taking valuable software from
"rich" software companies (Ha!) and distributing it to poor users.
They are thieves.

>Your articles remind me of a Reader's Digest article I saw some time back
>on "How to Protect Your House From Burglars." It was the best article on
>"How to burglarize a house" I'd ever seen.

Oh?  I suppose it told you what sorts of tools you'd need to break in,
and listed sources?  More likely it simply described well-known weak
points in the house AND TOLD HOW TO CORRECT THEM.  The same way Mr.
Woodside's postings do.

I'll bet you believe that distributing clean hypodermic needles to
heroin addicts encourages people to use drugs, too.  Give *us* a break.

Longish .signature follows.  Skip now, or don't complain!

Greg Wageman			ARPA:  greg@sj.ate.slb.com
Schlumberger Technologies	BIX:   gwage
1601 Technology Drive		CIS:   74016,352
San Jose, CA 95110-1397		UUCP: ...!uunet!sjsca4!greg
(408) 437-5198
------------------
There's nothing I hate more than a Usenet posting which took three
seconds to compose and three minutes to type, glibly dismissing three
years (or three decades) of an author's work in three lines.
------------------
Opinions expressed herein are solely the responsibility of the author.
(And the author wouldn't have it any other way.)

Bob_BobR_Retelle@cup.portal.com (03/19/89)

Fred Hollander writes:
 
>By publishing known methods used by computer viruses, people can write
>software to detect, kill or prevent viruses.

 *What* people...?   You..?  Me...?   Maybe..
 
What about the guy trying to run a small office on a PC, who doesn't even
know what a "compiler" is, and doesn't want to...?
 
What about a teacher keeping grades and lesson plans, to whom "boot sector"
means about as much as "dlch hksptl"..?
 
None of this "Virus" information is likely to enable THEM to write their
own protection...  indeed, it's hardly likely that it will even REACH
them...     AND...    the danger is, they may not even be  ABLE  to obtain
"virus killers", or perhaps even know they're available...
 
The analogy of protecting against burglars just doesn't work..  ANYONE
can go to the store and buy a deadbolt lock, and probably install it
successfully...
 
Telling someone how to break into a house MAY enable them to more efficiently
protect their own house, but it's NOT likely that broadcasting information
about how viruses work will help the LARGE MAJORITY of computer users...
 
It's easy to figure out how to break into a house...  writing a virus will
need detailed information, all distilled down into a neat package... like
these postings..

BobR

Bob_BobR_Retelle@cup.portal.com (03/19/89)

Rich Fozzard writes:
>One thing to remember is that we Americans allow in our culture plays, 
>movies, TV shows, etc. that not only show how, but also glorify robbing
>banks, murder, sex, etc.  It's the old argument about incitement versus
>freedom of speech.    ...

Has anyone ever noticed for instance though, when the "Detective" on TV
opens a door by picking the lock, he usually blocks what he's doing with
his hands or body..?   Or they'll show a fast shot of him sticking some
arcane "detective lockpick tools" into the lock and suddenly the door
opens...
 
They're showing THAT it can be done.. NOT  *how*  it can be done..
If a movie or TV show started showing detailed instructions on how to
pick locks, I think you'd hear quite a reaction, freedom of speech
notwithstanding...
 
BobR

rob@baloo.eng.ohio-state.edu (Rob Carriere) (03/19/89)

In article <7494@boulder.Colorado.EDU> fozzard@boulder.Colorado.EDU 
(Richard Fozzard) writes:
>Should we censor [virus 101]?
>
>What does the net think?

I have no idea what the net thinks, but here's my opinion.

There are three groups to consider here:
1) The intended audience, people who want to be informed and have no
   desire to write viri themselves.  Obviously no problem with this group.

2) The true hacker.  They either already know this information, or
   they know where to find it.  Again no problem, as these postings
   aren't helping them.

3) The casual would-be hacker who's just been inspired into trying.

Group three seems to be a problem until you compare what has been said
with what you will have to do to get a working virus.  You will need a
thorough knowledge of the machine, system calls and assembler to do
all this, even with the ``blueprints'' at hand.  The recreational
programmer is simply not up to this, and again, people who already
knew enough do not need these postings.

The moment you look at the description of the bootsector, it is
obvious that you can stick a virus there; on the other hand, if you
have never looked at the bootsector, then somebody telling you it can
be done isn't going to help you very much, you'll still need to study all
the relevant material.

I *would* strongly object to spreading virus source code, because that
*can* be used by low-level amateurs.

SR

holland@m2.csc.ti.com (Fred Hollander) (03/20/89)

In article <15976@cup.portal.com> Bob_BobR_Retelle@cup.portal.com writes:
>Fred Hollander writes:
> 
>>By publishing known methods used by computer viruses, people can write
>>software to detect, kill or prevent viruses.
>
> *What* people...?   You..?  Me...?   Maybe..
> 
>What about the guy trying to run a small office on a PC, who doesn't even
>know what a "compiler" is, and doesn't want to...?
> 
>What about a teacher keeping grades and lesson plans, to whom "boot sector"
>means about as much as "dlch hksptl"..?
> 
>None of this "Virus" information is likely to enable THEM to write their
>own protection...  indeed, it's hardly likely that it will even REACH
>them...     AND...    the danger is, they may not even be  ABLE  to obtain
>"virus killers", or perhaps even know they're available...

Neither will they write the next virus!

>The analogy of protecting against burglars just doesn't work..  ANYONE
>can go to the store and buy a deadbolt lock, and probably install it
>successfully...

The analogy is more appropriate than that.  Someone can develop a "deadbolt"
that prevents a virus from infecting a Mac and distribute the virus through
BBS's, user groups and networks.

>Telling someone how to break into a house MAY enable them to more efficiently
>protect their own house, but it's NOT likely that broadcasting information
>about how viruses work will help the LARGE MAJORITY of computer users...
> 
>It's easy to figure out how to break into a house...  writing a virus will
>need detailed information, all distilled down into a neat package... like
>these postings..

Some of the viruses have used extremely simple methods.  I'll bet at least
90% of the hackers on this net could have written one if they wanted to.

>BobR

Fred Hollander
Computer Science Center
Texas Instruments, Inc.
hollander@ti.com

The above statements are my own and not representative of Texas Instruments.

gwyn@smoke.BRL.MIL (Doug Gwyn ) (03/20/89)

In article <15978@cup.portal.com> Bob_BobR_Retelle@cup.portal.com writes:
-Has anyone ever noticed for instance though, when the "Detective" on TV
-opens a door by picking the lock, he usually blocks what he's doing with
-his hands or body..?   Or they'll show a fast shot of him sticking some
-arcane "detective lockpick tools" into the lock and suddenly the door
-opens...

Indeed, often they show an actual lockpick inserted into the keyway and
the door magically opens.  Of course that's not how lockpicks work.

-They're showing THAT it can be done.. NOT  *how*  it can be done..
-If a movie or TV show started showing detailed instructions on how to
-pick locks, I think you'd hear quite a reaction, freedom of speech
-notwithstanding...

The movie "Thief" (starring James Caan) drew quite an outcry from the
safe & vault profession, because its portrayal of drilling and burning
bars wasn't far enough removed from reality.

This topic doesn't belong in the PC newsgroups, so I've directed
followups to misc.security.

steve@pnet51.cts.com (Steve Yelvington) (03/21/89)

greg@bilbo (Greg Wageman) writes:
>In article <11179@ut-emx.UUCP> osmigo@emx.UUCP (Ron Morgan) writes:
>>[George Woodside posts a continuation of "Virus 101"]
>>
>>You mentioned 1 out of 4 e-mail respondents falling in the "you idiot!"
>>category. Count me, too, you idiot...|-:}
>
>*You* are the idiot.
>
This sort of thing is precisely why a virus newsgroup is needed: so that
flatulent debate, bickering, name-calling and pointless chewing-up of net
bandwidth can be confined to a single easily ignored newsgroup. Then perhaps
messages of *substance* about viruses can be cross-posted.
 
Come on, folks. You're not in grade school any more.

UUCP: {uunet!rosevax,amdahl!bungia,chinet,killer}!orbit!pnet51!steve
ARPA: crash!orbit!pnet51!steve@nosc.mil
INET: steve@pnet51.cts.com
  -----------
  -or-
  stag!thelake!steve@pwcs.StPaul.GOV
  "A member of STdNET -- the ST Developers' Network"

greg@bilbo (Greg Wageman) (03/22/89)

In article <15976@cup.portal.com> Bob_BobR_Retelle@cup.portal.com writes:
>Fred Hollander writes:
> 
>>By publishing known methods used by computer viruses, people can write
>>software to detect, kill or prevent viruses.
>
> *What* people...?   You..?  Me...?   Maybe..

> [Description of plain-jane users deleted]

>None of this "Virus" information is likely to enable THEM to write their
>own protection...  indeed, it's hardly likely that it will even REACH
>them...     AND...    the danger is, they may not even be  ABLE  to obtain
>"virus killers", or perhaps even know they're available...

This attitude is reprehensible, in that it implicitly assumes that
none of these people are interested in LEARNING something about the
machines they use.  EVERYONE was a BEGINNER at some time.  The way you
become something else is by READING TECHNICAL INFORMATION, such as
these postings.

Withholding this or ANY information is a TOTALITARIAN concept and is
contrary to the principles of a FREE SOCIETY.  Who are YOU to
decide what knowledge is "dangerous"?  WHO MADE YOU THE OFFICIAL
NETWORK CENSOR?  What do you do next, post a list of books to burn?

>The analogy of protecting against burglars just doesn't work..  ANYONE
>can go to the store and buy a deadbolt lock, and probably install it
>successfully...

You evidently don't know anyone who is "all thumbs".  I don't think my
70-year old Aunt could do it, either, even if she had the proper
tools, which she doesn't.  BUT, she can HIRE SOMEONE ELSE TO DO IT,
once she knows what she wants done!  This is certainly true of your
uneducated plain-vanilla users.  THEY WON'T KNOW WHAT THEY NEED UNLESS
SOMEONE PUBLISHES THE INFORMATION.

>Telling someone how to break into a house MAY enable them to more efficiently
>protect their own house, but it's NOT likely that broadcasting information
>about how viruses work will help the LARGE MAJORITY of computer users...

It will help by making anti-viral programs as widespread as some
viruses. 

>It's easy to figure out how to break into a house...  writing a virus will
>need detailed information, all distilled down into a neat package... like
>these postings..

It isn't "easy to figure out" if your mind doesn't work that way.
This information shows us how a virus-writer's mind works, and lets us
write more effective defenses.  First lesson in a war: KNOW YOUR ENEMY!

Longish .signature follows.  Skip now, or don't complain!

Greg Wageman			DOMAIN: greg@sj.ate.slb.com
Schlumberger Technologies	UUCP:   ...!uunet!sjsca4!greg
1601 Technology Drive		BIX:    gwage
San Jose, CA 95110-1397		CIS:    74016,352
(408) 437-5198			GEnie:  G.WAGEMAN
------------------
Opinions expressed herein are solely the responsibility of the author.
(And the author wouldn't have it any other way.)

dav@eleazar.dartmouth.edu (William David Haas) (03/22/89)

In article <15978@cup.portal.com> Bob_BobR_Retelle@cup.portal.com writes:
>Rich Fozzard writes:
>>One thing to remember is that we Americans allow in our culture plays, 
>opens a door by picking the lock, he usually blocks what he's doing with
>his hands or body..?   Or they'll show a fast shot of him sticking some
>arcane "detective lockpick tools" into the lock and suddenly the door
>opens...
> 
>They're showing THAT it can be done.. NOT  *how*  it can be done..
Its a good thing you don't read misc.security.....  you would have complained
about some of its recent postings.... i.e.  how to pick a lock.
                                                                 _
"Shadow, do something!  Those flying       Morpheous            / \
 birds are going to get us!"               Psimon              / _ \
                                           shadow master      / //\ \
"O.k., o.k., I'll cast                      Dav El II        / // \\ \
 Transmute Roc to mud."                                     / /____\\ \
                                           We are the      /________\\ \
                                           warrior spirit. \__________\/

trebor@biar.UUCP (Robert J Woodhead) (03/23/89)

In article <763@snjsn1.SJ.ATE.SLB.COM> greg@sj.ate.slb.com (Greg Wageman) writes:
>Withholding this or ANY information is a TOTALITARIAN concept and is
>contrary to the principles of a FREE SOCIETY.  Who are YOU to
>decide what knowledge is "dangerous"?  WHO MADE YOU THE OFFICIAL
>NETWORK CENSOR?  What do you do next, post a list of books to burn?

I totally agree.  Please publish all the trade secrets of your
employer immediately.  It's totally contrary to the principles of
a free society, after all.  Please don't make such ludicrously
broad statements.

It is up to each individual to decide what is and what is not
dangerous.  If I feel it is, I can't compel you not to.  I can
try and convince you that your action is foolhardy.

>You evidently don't know anyone who is "all thumbs".  I don't think my
>70-year old Aunt could do it, either, even if she had the proper
>tools, which she doesn't.  BUT, she can HIRE SOMEONE ELSE TO DO IT,
>once she knows what she wants done!  This is certainly true of your
>uneducated plain-vanilla users.  THEY WON'T KNOW WHAT THEY NEED UNLESS
>SOMEONE PUBLISHES THE INFORMATION.

They don't need in depth technical info, which you have just stated
they won't understand, to make this decision.  Thus, your example is
spurious.

>It will help by making anti-viral programs as widespread as some
>viruses. 

As the author of several of these programs, let me tell you, they are.

>It isn't "easy to figure out" if your mind doesn't work that way.
>This information shows us how a virus-writer's mind works, and lets us
>write more effective defenses.  First lesson in a war: KNOW YOUR ENEMY!

You don't publish info on safecracking in order to promote the
development of better safes; rather, you narrowcast the information
to appropriate recipients.  A perfect example was the Internet worm.
If Morris had simply mailed a copy of a program that, when run, told
a sysadm whether his machine was vulnerable and suggested a patch, or
even just published it, he would have been lauded.  Instead, in his
"attempt" to publicise the problem, he broadcasted the information in
the form of a worm and was reviled for it.



-- 
* Robert J Woodhead * The true meaning of life is cunningly encrypted and *
* uunet!biar!trebor * hidden somewhere in this signature...               *
* Biar Games, Inc.  *                       ...no, go back and look again *

jwright@atanasoff.cs.iastate.edu (Jim Wright) (03/23/89)

In article <779@orbit.UUCP> steve@pnet51.cts.com (Steve Yelvington) writes:
| greg@bilbo (Greg Wageman) writes:
| >In article <11179@ut-emx.UUCP> osmigo@emx.UUCP (Ron Morgan) writes:
| >>>[George Woodside posts a continuation of "Virus 101"]
| >>You mentioned 1 out of 4 e-mail respondents falling in the "you idiot!"
| >>category. Count me, too, you idiot...|-:}
| >*You* are the idiot.
| This sort of thing is precisely why a virus newsgroup is needed: so that
| flatulent debate, bickering, name-calling and pointless chewing-up of net
| bandwidth can be confined to a single easily ignored newsgroup. Then perhaps
| messages of *substance* about viruses can be cross-posted.

I've been staying out of this till now, but Steve's comments were too
much.  Comp.virus is NOT being created so people can call one another
names.  If you think so, you are sadly mistaken and simply have not
read the proposal.  I suggest that you look at a few back issues of
the mailing list virus-l to get a feeling for the proposed group.  They
can be found, among other places, on lll-winken.llnl.gov (anonymous ftp).

If you want to call people names, use email.  If you really feel it
deserves to be posted, I suggest you form a new group,
	alt.virus.meta-discussions&flamage

Anyone who has questions regarding comp.virus, the appropriate place
to discuss them is in news.groups.

-- 
Jim Wright
jwright@atanasoff.cs.iastate.edu

ts@cup.portal.com (Tim W Smith) (03/23/89)

This debate seems to be between two viewpoints.  The first is that
security information should be limited to those who are responsible
for maintaining security.  The second is that it should be freely
available.

Why not do both?  Release the information first just to security
people.  Then after a few weeks or months, release it to everyone.

						Tim Smith

american@pnet51.cts.com (Jeff Iverson) (03/25/89)

ts@cup.portal.com (Tim W Smith) writes:
>This debate seems to be between two viewpoints.  The first is that
>security information should be limited to those who are responsible
>for maintaining security.  The second is that it should be freely
>available.
>
>Why not do both?  Release the information first just to security
>people.  Then after a few weeks or months, release it to everyone.

Well, the only question I have about this is how do WE or the moderators
decide WHO deserves to receive the information?  If security people first,
then how is that determined?  No flame, but it's another, but nicer, form
of censorship.

UUCP: {amdahl!bungia, uunet!rosevax, chinet, killer}!orbit!pnet51!american
ARPA: crash!orbit!pnet51!american@nosc.mil
INET: american@pnet51.cts.com

Disclaimer:  Yes, that's what I said.  No, that's not what I meant.

pj@pnet51.cts.com (Paul Jacoby) (03/25/89)

Indeed, how does one know an 'expert in need of detailed information' from a
charlatan?  Especially in our faceless electronic universe?

Public dissemination of volatile information generally leads to this kind of
"we know best" attitude--witness what happened when someone wrote a college
thesis on how to build an atomic bomb!  All info gathered from public
sources--ya just gotta know how to put it all together (well, and find some
plutonium).
 
The whole virus issue is just as polarizing...

.-----------------------------------------------------------------------------.
| UUCP: {rosevax, crash, orator}!orbit!pnet51!pj |  "Ah!  I see you have the  |
| ARPA: crash!orbit!pnet51!pj@nosc.mil           |   machine that goes        |
| INET: pj@pnet51.cts.com                        |   'BING!'"                 |
`-----------------------------------------------------------------------------'

trebor@biar.UUCP (Robert J Woodhead) (03/26/89)

In article <816@orbit.UUCP> pj@pnet51.cts.com (Paul Jacoby) writes:
>Indeed, how does one know an 'expert in need of detailed information' from a
>charlatan?  Especially in our faceless electronic universe?
>
> ...
> 
>The whole virus issue is just as polarizing...

I agree.  There are always problems when you want to determine who has a
proper "Need to know".  Like most other things in life, it's a balancing
act.  When _you_ or _I_ make a decision to post information about a virus,
we _must_ think for a moment and say "Will this information do more harm
than good to the population of computer users it might affect (this is not
just the readers btw)?"  That is the central judgement that must be made
by the disseminator of information.

Let's assume I have disassembled the latest virus.  What information do I
broadcast?  Clearly, I should publish a _description_ of the virus, what
it does, and how to detect / repair it.  This will allow users to determine
if they have been infected, and take appropriate steps.  Let's say that
message is read by Snidely Whiplash's teenage hacker son.  Will this data
allow him to create a new virus?  No - it does not give him any information
about virus writing he didn't already have, or, if he is a decent programmer,
could not trivially deduce.

Next level : I disassemble the virus and find it has a tricky new infection
vector used to avoid current "Watchdog" init's like Gatekeeper.  Publicly,
I would state "This virus beats Gatekeeper vX.Y".  Privately, I would get in
touch with anti-virus toolmakers and disseminate the information about how
it does so, and suggest remedies.  Most likely I would do so by sending an
example of the virus to interested parties whom _I_ judged to have a need
for it.  Snivelly Whiplash (the aforementioned son) could eventually get
a copy of this virus; however, by limiting access to the information to
people _I_ judge (my call, I'm responsible for my actions) to need it, I
give the anti-virus toolmakers time to upgrade their products before
Snively comes out with a mutant strain.

Finally : I have the MPW source code to the latest strain.  I would learn
what I could from it; disseminate information on the above levels; and
destroy the source code.  I would not distribute it in any way.  Consider
what happened with nVIR with all the mutant strains, and now Hpat and AIDS.
Jerks who can cut and paste are putting out mutant strains, all because
the author (who shouldn't have written the damn thing in the first place)
let the source code out.

-- 
* Robert J Woodhead * The true meaning of life is cunningly encrypted and *
* uunet!biar!trebor * hidden somewhere in this signature...               *
* Biar Games, Inc.  *                       ...no, go back and look again *