[comp.sys.apple] virus precautions--clarifications

AWCTTYPA@UIAMVS.BITNET ("David A. Lyons") (04/03/88)

I have a few comments on the "viruses" article that Patt Haring posted
from the Apple Cider/Computer Corner BBS:

>Date:      Tue, 22 Mar 88 00:51:42 GMT
>From:      Patt Haring <phri!dasys1!patth@nyu.EDU>
>Subject:   Computer viruses and the Apple ][
>
>Please feel free to copy and upload this post to any and all systems that
>you wish to but please leave in this credit: Courtesy of the Apple
>Cider/Computer Corner BBS, Queens, New York. 300-1200-2400 baud 24 hours, DLX
>multiuser system, official Apple and IBM users groups, 718-482-0089.

>We have a problem in the Apple computer family. Viruses have begun to
>invade our programs.
>
> [...]
>
>5) Be careful of what you download- a virus could be hidden in anything.
>
>Possible targets are:
>   CDAs, NDAs, and fonts for the Apple II GS
>     [...]
>   Picture files, song and voice files and other 'execable' files.
>     These are files that you 'run' and they show you a picture
>     or play a song while they implant themselves into or destroy
>     your system.

All right, CDAs and NDAs are always possible targets.

FONTS and PICTURES are possible targets *only* if you have to EXEC them to
make real FNT ($C8) or PNT ($C0) or PIC ($C1) files out of them.  These
files do *not* get executed under any normal circumstances.  The danger is
that EXECing a file gives it a chance to do anything it wants, NOT just
create the FNT or PIC or PNT files or whatever it's supposed to create.
For example, it would be possible to make a small change to the Hex data
at the beginning of what *looks like* an "Executioner"-format file, to
give control to part of the data just stuffed into memory.

These difficulties do *not* exist with files that you unpack with BLU or
something similar, provided the files are things like FNT, PNT, or PIC--things
that don't get executed.  (And assuming your unpacking utility has not been
modified to give control to a file it unpacks when it detects a certain
pattern of bytes in the file!)
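The point above (an EXEC file that is supposed to only POKE hex data into memory and BSAVE it as a FNT/PNT/PIC file can be altered to hand control to that data) can be turned into a simple screening check. The following is an added example, not code from the original post or from any real Executioner-style utility: a Python scanner that reads the text of an EXEC file before you run it and flags any statement that transfers control (Applesoft CALL, USR, or &, and the DOS commands BRUN and "-") as opposed to merely writing a file (BSAVE). The two sample EXEC texts are constructed for illustration and do not represent any actual distributed file.

```python
import re
from typing import List, Tuple

# Applesoft keywords that transfer control to machine code in memory.
# A hex unpacker that only rebuilds a FNT/PNT/PIC file has no need for them.
CODE_TRANSFER = re.compile(r"(?i)\b(CALL|USR)\b|&")

# DOS/ProDOS commands (normally issued as PRINT CHR$(4);"...") that execute a
# file instead of merely writing one: BRUN and the "-" command.
DOS_EXECUTE = re.compile(r"(?i)^\s*(BRUN\s+|-\s*(?=[A-Z/]))(\S+)")


def _split_statement(line: str) -> Tuple[str, List[str]]:
    """Separate a line into its code text and the string literals it holds."""
    parts = re.split(r'("[^"]*")', line)
    code = "".join(p for p in parts if not p.startswith('"'))
    strings = [p.strip('"') for p in parts if p.startswith('"')]
    return code, strings


def scan_exec_text(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, reason) for every line of an EXEC/Applesoft text
    that would hand control to code rather than just POKE data and BSAVE it.
    This is a coarse screen: it errs toward reporting, never toward silence."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"^\s*\d+\s*", "", raw)                  # drop Applesoft line number
        line = re.split(r"(?i)\bREM\b", line, maxsplit=1)[0]  # ignore REM comments
        code, strings = _split_statement(line)
        m = CODE_TRANSFER.search(code)
        if m:
            findings.append((n, f"transfers control to machine code via {m.group(0).upper()}"))
        for s in strings:
            m = DOS_EXECUTE.match(s)
            if m:
                findings.append((n, f"executes file {m.group(2)} via DOS command '{m.group(1).strip()}'"))
    return findings


def is_safe_to_unpack(text: str) -> bool:
    """True only when the EXEC text does nothing but move data and write files."""
    return not scan_exec_text(text)


# Constructed sample: an unpacker that POKEs a few bytes and BSAVEs them as a
# FNT ($C8) file.  Nothing in it executes the data it stores.
BENIGN = """10 REM REBUILD A FONT FILE FROM HEX DATA
20 D$ = CHR$(4)
30 FOR I = 768 TO 771: READ X: POKE I, X: NEXT
40 DATA 1, 2, 3, 4
50 PRINT D$;"BSAVE SAMPLE.FNT,A$300,L$4,T$C8"
60 END
RUN
"""

# Constructed sample: the same file with one extra line that jumps into the
# data just stuffed into memory, which is exactly the modification to watch for.
TAMPERED = """10 REM REBUILD A FONT FILE FROM HEX DATA
20 D$ = CHR$(4)
30 FOR I = 768 TO 771: READ X: POKE I, X: NEXT
40 DATA 1, 2, 3, 4
45 CALL 768
50 PRINT D$;"BSAVE SAMPLE.FNT,A$300,L$4,T$C8"
60 END
RUN
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("tampered", TAMPERED)):
        print(name, "->", scan_exec_text(sample) or "no control transfers found")
```

The scanner deliberately does not flag the bare RUN at the end of the file, since an Executioner-style EXEC file has to RUN the program it typed in to do its job; what matters is whether that program ever leaves Applesoft. A clean report is not proof of safety (the same precautions about separate disks still apply), but a CALL, BRUN or "-" in a file whose only job is to produce a picture or font file is a reason not to EXEC it at all.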

>Our best defense is to be smart- try not to use hard drives for downloaded
>or other high risk programs.

To clarify:  If you have doubts about the cleanness of a piece of software,
turn off your hard drive before running the software, *and* power down your
computer after running it and before turning on your hard drive.  (On a //e
or //c, an Apple-Ctrl-Reset is safe, but on a IIgs there are ways to keep
utilities (& viruses) around across an Apple-Ctrl-Reset.  On the IIgs, you
can do a self-test or an "ice-cold boot" instead of powering down.)

To clarify further--this stuff applies to all your disks, not just hard
drives.  It boils down to this:  you need to keep your "safe" disks and your
"possibly infected" disks SEPARATE.  Once you have run something from an
infected disk, DO NOT use a "safe" disk (unless it is physically write
protected) until you clean out the system by powering down (or as described
in the previous paragraph).

>Keep your hard drives off as much as possible.

Not necessary.  It only takes *one* careless act to allow your hard drive
to get infected.  Adopt safe practices as described above and you can use
your hard drive as much as you want.

>Make and keep several layers of backups.

Yes.  And don't let your backup/restore utility get infected.  You might want
to run it off a disk that you always keep write-protected.

>Test run new versions of programs and utilities many times before making
>them an integral part of your system.

Well--this may not help a lot.  It's easy to have a virus trigger after a
certain number of runs, and how would you decide *how many* times to run
it before declaring it "safe"?  Also, on machines with clocks (all IIgs's)
it's easy to have the virus trigger based on the date.  [You *might* want to
turn off your hard drive and run suspect software with your clock set to a
future date--although this could still easily miss triggering a date-related
virus.]

>Be suspicious of free utilities--GS users watch out for CDA's and NDA's...

Cost is not a good test--*source* is much more important.  For example,
anything that *I* wrote and uploaded to CompuServe or GEnie is safe.  Some
of this stuff is free and some of it is not.  Similarly, there are a number
of regular CompuServe users (Bredon, Harper, Zink, etc.) that I trust because
they have written and uploaded useful stuff for a period of time.  (Of
course, this implies that I trust CompuServe's security & the security of
the uploaders' passwords.)

>I JUST HEARD THAT A FRIEND OF MINE LOST A FULL 20 MEG SIDER DRIVE
>WITH A HIGHER VERSION OF PROSEL. BE CAREFUL, PLEASE.

Your friend should pay Glen Bredon the $40 for ProSEL and then get updates
from Bredon through the mail, or from CompuServe or some other system that
Bredon uploads encrypted updates to.  (I have confidence in the security
of Bredon's passwords.)


Feel free to redistribute these comments if you think they will be helpful
to someone.

--David A. Lyons  a.k.a.  DAL Systems
  PO Box 287 | North Liberty, IA 52317
  BITNET: AWCTTYPA@UIAMVS
  CompuServe: 72177,3233
  GEnie mail: D.LYONS2