SEWALL@UCONNVM.BITNET (03/24/88)
Please feel free to copy and upload this post to any and all systems that you wish to but please leave in this credit: Courtesy of the Apple Cider/Computer Corner BBS, Queens, New York. 300-1200-2400 baud 24 hours, DLX multiuser system, official Apple and IBM users groups, 718-482-0089.

ATTENTION

We have a problem in the Apple computer family. Viruses have begun to invade our programs. A little history and background is in order - first, what is a virus? A virus is a small program that is hidden inside any larger program. A virus acts to create damage to the user's system - it might do this by erasing the hard drive or by wiping out any data currently in memory. A virus might lie dormant, hidden inside the parent program for a great period of time but all of a sudden it might come to life and crash your entire system.

Where do viruses come from? Well, they come from a number of places. The first place a virus starts is in the mind of a very disturbed person, a person who wants to do nothing but wreak havoc among many computer systems. This person sits down and writes a few lines of computer program that does the necessary damage. He could modify the virus so that it does not activate until a certain condition has been met - a set number of copies of the master, a set number of operations in a program, or even set the virus to become active on a certain date or time. All of these things are easy to do; many other conditions might be possible as well. Finally, when this condition is met, the virus wakes up and does its damage.

How is a virus spread? The most common way for a virus to spread is for it to be tied into a program that is spread about a great deal. Prime targets are Public Domain and Freeware programs that are easy to upload and download from telecommunications services (Genie, The Source, Compuserve) and private bulletin boards.
Every time the infected program is uploaded to another system, or copied and given to a friend, the virus is spread. Remember, the virus is small and totally hidden - there is no way to know that you are passing on the virus. Just as an aside - if you think that this is a joke - think again. The action of the computer virus is the same as a virus that infects people - that's why it's called a virus. Just like the AIDS virus, and the Hepatitis virus, you can pass it along without even knowing that you have done so.

Why are viruses just entering into the Apple world? The computer virus is not a new thing. There have been viruses around for IBM and IBM compats for over a year. There is a simple reason for their spread into the Apple world. One of the worst things that a virus could do is wipe out a hard drive - on IBM and compats, if the system has a hard drive, the hard drive is always connected and turned on - you can't operate the computer without the hard drive. Therefore, the computer is always open to attack - every time the computer is turned on, it's a sitting duck. In the Apple II series of computers, all the hard drives are external and can be turned off. An Apple II will run without its hard drive; it's not a sitting duck all of the time - our first line of defense. The growth of the Apple IIgs will lead to an increase in the number of large (20, 40 and 60 meg) hard drives that people will use. These large drives are an inviting target to these virus writers and I am sure that plenty of shots will be fired. For the Mac series, several models have internal hard drives - these are just as open to attack as the IBM systems. As more and more of these systems are put into use, the number of targets will increase as will virus activity.

How do we protect ourselves and our systems? There are several things that we can do to try and limit the spread and damage of the viruses.
1) If you are in the habit of downloading software from telecommunications boards - keep all hard drives turned off during the download process. I MEAN POWER OFF, NOTHING SPINNING - A WELL WRITTEN VIRUS CAN BREAK THROUGH MANY THINGS - THE ONLY SURE PROTECTION IS TURN IT OFF. Download into RAM disks and transfer to 3.5 or 5.25 floppy or download right to floppies.

2) Once you have the program on a floppy disk, I suggest that you run it from a floppy several times before letting any hard drives come on-line. If the virus is tied into a set number of boot-ups, you might save yourself in this way. Also, exit the program through the proper channels - a virus counter could be tied into the quit routines as easily as the boot routines.

3) Backups - there is a possible problem with backups. If the virus is the type that lies dormant for a long period of time, it might wait until the backups are infected before becoming active. Then you go to your backups and everything seems fine but the virus is there, embedded somewhere deep in the backup disks and sure enough, it will wake up when its conditions are met and will cause its damage. One possible answer is to make frequent backups and keep the old ones - don't use the same disks over and over. An example: let's assume that you back up your system twice each week. If you were to save backups for 4 weeks then you would have 8 sets of backups to fall back on. I admit that the further back you go, the older the data is but having to recreate 2 or 3 weeks of data would be better than recreating an entire database or financial record. The more backups you have to fall back on, the better off you might be if the virus strikes. Also, if you can separate volumes on your hard drive - place programs separate from data. When you back up your system, there will be separate backup sets for each hard drive volume - if the virus is hidden in the programs, your recent data backups might be spared.
Don't assume that this is the great cure - a creative virus writer can put tags into data files that are written with the infected program and cause the data to crash as well. This is just a thought that might help.

4) Protect business data carefully - if you use your computer for both your business and pleasure try not to mix the two areas. Keep business data on a separate hard drive and only use it with proven, safe, properly obtained programs. Let's get right down to it - let the business buy its own system and keep it separate from the home - a business expense is deductible through the business anyway. If you lose the business database because you wanted to try out that new program that your friend just gave you, won't you feel foolish or even lose your job??? Keep business and pleasure separated.

5) Be careful of what you download - a virus could be hidden in anything. Possible targets are:

- CDA's, NDA's, and fonts for the Apple IIgs
- New versions of popular programs and utilities - the only new thing is the virus that the hacker has added and the change he made to the version number.
- Picture files, song and voice files and other 'execable' files. These are files that you 'run' and they show you a picture or play a song while they implant themselves into or destroy your system.

Remember that the virus writer is a very smart person. They have advanced knowledge of machine language programming, disk operating systems, data manipulation, and a knowledge of where to hide the virus to do the most damage. The virus will be placed in the programs that will spread the fastest across the country and from BBS system to BBS system. Prime targets will also be hacked versions of games - these move quite quickly as pirates spread them across systems. Our best defense is to be smart - try not to use hard drives for downloaded or other high risk programs. Keep your hard drives off as much as possible. Make and keep several layers of backups.
Test run new versions of programs and utilities many times before making them an integral part of your system. Be suspicious of free utilities - GS users watch out for CDA's and NDA's - GS users are the fastest growing group of hard drive users and these new big drives are fat targets.

What viruses are out there???? I have heard of two programs that appear to be viruses - I AM NOT POSITIVE OF THIS - I MAY BE WRONG WITH THESE PROGRAMS AND VERSIONS BUT I AM GOING ON GOOD ADVICE FROM SOME VERY SOUND PEOPLE. I BELIEVE THIS TO BE TRUE - YOU ARE FREE TO DO AS YOU PLEASE.

COPY II PLUS VERSION 8.5 - THE LAST PROPER VERSION I HAVE HEARD OF IS VERSION 8.2. VERSION 8.5 IS SUSPECT UNTIL I HEAR OTHERWISE.

EPBH 1.5EX - I JUST HEARD THAT A FRIEND OF MINE LOST A FULL 20 MEG SIDER DRIVE. BE CAREFUL, PLEASE.

It is going to be things like these - common utilities that will be the infected programs because everyone wants the latest versions and everyone assumes that the latest versions are from the factory. Just as an aside - the Department of Defense is spearheading development of ways to detect, prevent, and limit the spread and damage of viruses. It appears that many databases - insurance companies, banks, stockmarkets, even the IRS, have been tampered with. This is being viewed as an issue of national security. There are several companies that have sprung up to aid industry in protecting their systems - training all levels of management and production in the do's and don'ts of computer safety.

Thank you for your attention and good luck

----------------------------------------------------------------------

PERSONAL STORY

Perhaps some of you have read and/or heard about a 'virus' that can 'infect' your computer. Well, it happened to me, and to say it was tragic is an understatement. In my case I lost around 20,000,000 bytes of data. For those unfamiliar with the term 'virus', it can be likened to the medical term.
Someone with a very cruel sense of humor incorporates some hidden code into a program. Once this program is run, Pandora's box (so to speak) is open. The disease starts to spread and eventually all your data is destroyed. This is not a gradual process, but rather at some time after the program is run (normally days or weeks) a message appears informing you of your fate. At that point, an examination of your catalog shows it to be empty. Different code is needed for each computer (obviously) but the results are uniformly disastrous. In my case it happened on my ][GS (I'm sure this same thing would have happened on any Apple ][). At the time I had a 20 meg. SIDER, battery backed-up ROM, and a disk in a 3.5" drive. All were wiped clean.

One might ask, how can this be prevented. That is the $64,000 question, as even certain Pentagon computers have been 'infected' and the government is currently investigating. The most likely method for so infecting your computer is via the modem. When one downloads a program from an on-line service or BBS, they are allowing this code to be brought into their computer. The virus may also be passed unwittingly between computer owners who share these programs.

Again I will speak of my own case (as that is what I am most familiar with <unfortunately>). Although I have heard rumors that a bogus copy of CENTRAL POINT's COPY ][+ 8.5 had the virus, I am unsure (at this point) how it started. A day or so prior, I did notice that my drives were polled more often, and although I thought this strange, I attributed it to a new version of PROSEL I was using. I do not know for a fact, but I believe that BASIC.SYSTEM was a carrier of this virus. Several times upon using it, the results were less than normal (but again nothing to be that suspicious about).
Quite fortunately I was able to recover most of my data via MR.FIXIT (3.2) and backed-up files. I hope that this does not happen to any of you. As I know of no real way of preventing the 'spread' of this 'virus', my only suggestion would be to place fresh copies of BASIC.SYSTEM all over, as soon as you are suspicious that you too may be diseased. If anyone has ANY thoughts, comments, or other input, they would be most appreciated.

<< Peter J. Paul >>

------------------------------------------------------------------------

A moral of this story: If he had gotten his Copy II+ from Central Point the way he was supposed to, he wouldn't have had the problem. - MAS

---------------------------------------------------------------------

And, here's more...

From ->STEVE GRISWOLD (#123) <Bit Bucket BBS (203) 569-8739>
Date ->03/18/88 01:03:00 AM

Dateline: 3-16-88 The Hartford Courant
Headline: Computer virus hits retail software

A computer virus has infected a commercially available personal computer product for what is believed to be the first time, calling into question the safety and reliability of software sold in retail stores. The development, discovered in software available from a major software company, has led one software company to change the way it makes software and is likely to force other companies to do the same. Computer viruses are mischievous programs that are created by computer hackers as practical jokes or acts of vandalism. They can be spread inadvertently, infecting other software. Although the virus discovered last week in FreeHand, a Macintosh design program from Aldus Corp of Seattle, was a harmless 'message of peace', a more destructive virus could have wiped out expensive computer data or years of work. And it's possible that software produced by companies such as Lotus Development Corp., Apple Computer Inc. and Ashton-Tate may be infected by the virus.
The viruses are secretly inserted into computer programs, attach themselves to disks they come into contact with and then pop up unexpectedly with a message or to erase computer information. Until this incident, personal computer viruses were thought to be hidden only on non-commercial software - programs available for free or minimal cost, often distributed on computerized bulletin boards - or on software disks shared by computer users to swap programs. Computer experts had said viruses could be avoided if users didn't use freely distributed software and used only off-the-shelf programs. But the infection of the Aldus software shows that isn't the case. The 'message of peace' virus, which originated at a Canadian publication called MacMag, was a short message designed to pop up on Apple Macintosh computers. It was distributed by many bulletin boards in a program that purported to be a new listing of products made by Apple. The virus was inadvertently passed to Aldus by Marc Canter, president of MacroMind Inc. of Chicago, which makes training disks for Aldus.

---------------------

Disclaimer: I like my opinions better than my employer's anyway...
(subject to change without notice; void where prohibited)
ARPA:   sewall%uconnvm.bitnet@mitvma.mit.edu    Murphy A. Sewall
BITNET: SEWALL@UCONNVM                          School of Business Admin.
UUCP:   ...ihnp4!psuvax1!UCONNVM.BITNET!SEWALL  University of Connecticut
abc@BRL.ARPA (Brint Cooper) (03/24/88)
While we wait for the smart people to produce the "vaccines" that will protect us from these viruses, the infections march on. The only truly safe (where have I heard that word recently?) way to get things from BBSs without catching the virus is NEVER, NEVER, download and execute binaries. If you can't get the source and compile/assemble it yourself so that you can examine it, search for strings that represent vulnerable addresses, examine every hard disk write command, etc, then don't run the program! Personally, I think that comp.sys.binaries is a very bad idea for just this reason. Sharing source code is one thing; sharing object code is another. _Brint
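Brint's advice to "examine every hard disk write command" before running a downloaded program can be partly mechanised for the Apple II. The scanner below is an added example, not code from either post: it searches a raw binary image for the ProDOS 8 MLI entry sequence (JSR $BF00) and reports the calls whose documented call numbers can alter disk contents; the sample image and its parameter-list addresses ($0300/$0310/$0320) are constructed.

```python
"""Static scan of an Apple II binary for ProDOS 8 MLI calls that write to disk.
Added example, not code from the original posts; MLI call numbers are the
documented ProDOS 8 values and the sample image below is constructed."""
from typing import NamedTuple

# A ProDOS 8 MLI call is JSR $BF00 (6502 bytes 20 00 BF) followed by a
# one-byte call number and a two-byte little-endian parameter-list pointer.
MLI_ENTRY = bytes([0x20, 0x00, 0xBF])

# Calls that can change disk contents; every other call is treated as read-only.
WRITE_CALLS = {0x81: "WRITE_BLOCK", 0xC0: "CREATE", 0xC1: "DESTROY", 0xC2: "RENAME",
               0xC3: "SET_FILE_INFO", 0xCB: "WRITE", 0xD0: "SET_EOF"}

class MliCall(NamedTuple):
    offset: int   # byte offset of the JSR within the image
    number: int   # MLI call number
    params: int   # address of the parameter list
    name: str     # WRITE_CALLS name, or "other" for non-writing calls

def find_mli_calls(image: bytes) -> list[MliCall]:
    """Return every JSR $BF00 in the image with its call number and parameter pointer."""
    calls = []
    pos = image.find(MLI_ENTRY)
    while pos != -1 and pos + 6 <= len(image):
        number = image[pos + 3]
        params = image[pos + 4] | (image[pos + 5] << 8)
        calls.append(MliCall(pos, number, params, WRITE_CALLS.get(number, "other")))
        pos = image.find(MLI_ENTRY, pos + 1)
    return calls

def write_calls(image: bytes) -> list[MliCall]:
    """Only the calls that can alter disk contents; these are what to read in a disassembler."""
    return [c for c in find_mli_calls(image) if c.number in WRITE_CALLS]

# Constructed sample: open a file, read it, write it back, close it, then a raw
# block write. The parameter-list addresses $0300/$0310/$0320 are made up.
SAMPLE_IMAGE = bytes([
    0xA9, 0x00,                          # LDA #$00
    0x20, 0x00, 0xBF, 0xC8, 0x00, 0x03,  # JSR $BF00 / OPEN,  params at $0300
    0x20, 0x00, 0xBF, 0xCA, 0x10, 0x03,  # JSR $BF00 / READ,  params at $0310
    0x20, 0x00, 0xBF, 0xCB, 0x10, 0x03,  # JSR $BF00 / WRITE, params at $0310
    0x20, 0x00, 0xBF, 0xCC, 0x00, 0x03,  # JSR $BF00 / CLOSE, params at $0300
    0x20, 0x00, 0xBF, 0x81, 0x20, 0x03,  # JSR $BF00 / WRITE_BLOCK, params at $0320
    0x60,                                # RTS
])

if __name__ == "__main__":
    for c in write_calls(SAMPLE_IMAGE):
        print(f"offset ${c.offset:04X}: MLI ${c.number:02X} {c.name}, params at ${c.params:04X}")
```

A hit list is a starting point for disassembly, not a verdict: the three-byte pattern can also occur in data, and a program that reaches the MLI indirectly will produce no match at all.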