[comp.sys.apple] Apple's can catch viruses too!

SEWALL@UCONNVM.BITNET (03/24/88)

Please feel free to copy and upload this post to any and all systems
that you wish to but please leave in this credit:

           Courtesy of the Apple Cider/Computer Corner BBS,
                           Queens, New York.
                      300-1200-2400 baud 24 hours,
                         DLX multiuser system,
                 official Apple and IBM users groups,
                             718-482-0089.

                               ATTENTION

     We have a problem in the Apple computer family. Viruses have begun
to invade our programs.

     A little history and background is in order - first, what is a
virus? A virus is a small program that is hidden inside any larger
program. A virus acts to create damage to the user's system - it might
do this by erasing the hard drive or by wiping out any data currently in
memory. A virus might lie dormant, hidden inside the parent program for
a great period of time but all of a sudden it might come to life and
crash your entire system.

     Where do viruses come from? Well, they come from a number of
places. The first place a virus starts is in the mind of a very
disturbed person, a person who wants to do nothing but wreak havoc among
many computer systems.  This person sits down and writes a few lines of
computer program that does the necessary damage. He could modify the
virus so that it does not activate until a certain condition has been
met - a set number of copies of the master, a set number of operations
in a program, or even set the virus to become active on a certain date
or time. All of these things are easy to do, many other conditions might
be possible as well. Finally, when this condition is met, the virus
wakes up and does its damage.

    How is a virus spread? The most common way for a virus to spread is
for it to be tied into a program that is spread about a great deal.
Prime targets are Public Domain and Freeware programs that are easy to
upload and download from telecommunications services (Genie, The Source,
Compuserve) and private bulletin boards. Every time the infected program
is uploaded to another system, or copied and given to a friend, the
virus is spread. Remember, the virus is small and totally hidden - there
is no way to know that you are passing on the virus.

    Just as an aside - if you think that this is a joke - think again.
The action of the computer virus is the same as a virus that infects
people - that's why it's called a virus. Just like the AIDS virus, and
the Hepatitis virus, you can pass it along without even knowing that you
have done so.

    Why are viruses just entering into the Apple world? The computer
virus is not a new thing. There have been viruses around for IBM and IBM
compats for over a year. There is a simple reason for their spread into
the Apple world.  One of the worst things that a virus could do is wipe
out a hard drive - on IBM and compats, if the system has a hard drive,
the hard drive is always connected and turned on - you can't operate the
computer without the hard drive. Therefore, the computer is always open
to attack - every time the computer is turned on, it's a sitting duck.
In the Apple II series of computers, all the hard drives are external
and can be turned off. An Apple II will run without its hard drive,
it's not a sitting duck all of the time - our first line of defense.

The growth of the Apple IIgs will lead to an increase in the number of
large (20, 40 and 60 meg) hard drives that people will use. These large
drives are an inviting target to these virus writers and I am sure that
plenty of shots will be fired. For the Mac series, several models have
internal hard drives - these are just as open to attack as the IBM
systems.  As more and more of these systems are put into use, the number
of targets will increase as will virus activity.

     How do we protect ourself and our systems?  There are several
things that we can do to try and limit the spread and damage of the
viruses.

     1) If you are in the habit of downloading software from
telecommunications boards - keep all hard drives turned off during the
download process. I MEAN POWER OFF, NOTHING SPINNING - A WELL WRITTEN
VIRUS CAN BREAK THROUGH MANY THINGS - THE ONLY SURE PROTECTION IS TURN
IT OFF.  Download into RAM disks and transfer to 3.5 or 5.25 floppy or
download right to floppys.

     2) Once you have the program on a floppy disk, I suggest that you
run it from a floppy several times before letting any hard drives come
on-line. If the virus is tied into a set number of boot-ups, you might
save yourself in this way. Also, exit the program through the proper
channels - a virus counter could be tied into the quit routines as
easily as the boot routines.

     3) Backups - there is a possible problem with backups. If the virus
is the type that lies dormant for a long period of time, it might wait
until the backups are infected before becoming active. Then you go to
your backups and everything seems fine but the virus is there, embedded
somewhere deep in the backup disks and sure enough, it will wake up when
its conditions are met and will cause its damage. One possible answer
is to make frequent backups and keep the old ones - don't use the same
disks over and over. An example:  let's assume that you back up your
system twice each week. If you were to save backups for 4 weeks then you
would have 8 sets of backups to fall back on. I admit that the further
back you go, the older the data is but having to recreate 2 or 3 weeks
of data would be better than recreating an entire database or financial
record. The more backups you have to fall back on, the better off you
might be if the virus strikes. Also, if you can separate volumes on your
hard drive - place programs separate from data. When you backup your
system, there will be separate backups sets for each hard drive volume -
if the virus is hidden in the programs, your recent data backups might
be spared. Don't assume that this is the great cure - a creative virus
writer can put tags into data files that are written with the infected
program and cause the data to crash as well. This is just a thought that
might help.

    4) Protect business data carefully - if you use your computer for
both your business and pleasure try not to mix the two areas. Keep
business data on a separate hard drive and only use it with proven,
safe, properly obtained programs. Let's get right down to it - let the
business buy its own system and keep it separate from the home - a
business expense is deductible through the business anyway. If you lose
the business database because you wanted to try out that new program
that your friend just gave you, won't you feel foolish or even lose
your job??? Keep business and pleasure separated.

    5) Be careful of what you download - a virus could be hidden in
anything.  Possible targets are:
         CDA's, NDA's, and fonts for the Apple IIgs
         New versions of popular programs and utilities - the only new
thing is the virus that the hacker has added and the change he made to
the version number.
         Picture files, song and voice files and other 'execable' files.
These are files that you 'run' and they show you a picture or play a
song while they implant themselves into or destroy your system.

    Remember that the virus writer is a very smart person. They have
advanced knowledge of machine language programming, disk operating
systems, data manipulation, and a knowledge of where to hide the virus
to do the most damage. The virus will be placed in the programs that
will spread the fastest across the country and from BBS system to BBS
system. Prime targets will also be hacked versions of games - these move
quite quickly as pirates spread them across systems.

    Our best defense is to be smart - try not to use hard drives for
downloaded or other high risk programs. Keep your hard drives off as
much as possible. Make and keep several layers of backups. Test run new
versions of programs and utilities many times before making them an
integral part of your system. Be suspicious of free utilities - GS users
watch out for CDA's and NDA's - GS users are the fastest growing group
of hard drive users and these new big drives are fat targets.

    What viruses are out there???? I have heard of two programs that
appear to be viruses - I AM NOT POSITIVE OF THIS - I MAY BE WRONG WITH
THESE PROGRAMS AND VERSIONS BUT I AM GOING ON GOOD ADVICE FROM SOME VERY
SOUND PEOPLE. I BELIEVE THIS TO BE TRUE - YOU ARE FREE TO DO AS YOU
PLEASE.

      COPY II PLUS VERSION 8.5 - THE LAST PROPER VERSION I HAVE HEARD OF
IS VERSION 8.2. VERSION 8.5 IS SUSPECT UNTIL I HEAR OTHERWISE.

      EPBH 1.5EX - I JUST HEARD THAT A FRIEND OF MINE LOST A FULL 20 MEG
SIDER DRIVE. BE CAREFUL, PLEASE.

           It is going to be things like these - common utilities that
will be the infected programs because everyone wants the latest versions
and everyone assumes that the latest versions are from the factory.

    Just as an aside - the Department of Defense is spearheading
development of ways to detect, prevent, and limit the spread and damage
of viruses. It appears that many databases - insurance companies, banks,
stockmarkets, even the IRS, have been tampered with. This is being
viewed as an issue of national security. There are several companies
that have sprung up to aid industry in protecting their systems -
training all levels of management and production in the do's and don'ts
of computer safety.

        Thank you for your attention and good luck
----------------------------------------------------------------------

                             PERSONAL STORY

        Perhaps some of you have read and/or heard about a 'virus' that
can 'infect' your computer.  Well, it happened to me, and to say it was
tragic is an understatement.  In my case I lost around 20,000,000 bytes
of data.
        For those unfamiliar with the term 'virus', it can be likened to
the medical term.  Someone with a very cruel sense of humor incorporates
some hidden code into a program.  Once this program is run, Pandora's
box (so to speak) is open.  The disease starts to spread and eventually
all your data is destroyed.  This is not a gradual process, but rather at
some time after the program is run (normally days or weeks) a message
appears informing you of your fate.  At that point, an examination of
your catalog shows it to be empty.
        Different code is needed for each computer (obviously) but the
results are uniformly disastrous.  In my case it happened on my ][GS
(I'm sure this same thing would have happened on any Apple ][).  At the
time I had a 20 meg. SIDER, battery backed-up ROM, and a disk in a 3.5"
drive.  All were wiped clean.  One might ask, how can this be
prevented?  That is
the $64,000 question, as even certain Pentagon computers have been
'infected' and the government is currently investigating.  The most
likely method for so infecting your computer is via the modem.  When one
downloads a program from an on-line service or BBS, they are allowing
this code to be brought into their computer.  The virus may also be
passed unwittingly between computer owners who share these programs.
        Again I will speak of my own case (as that is what I am most
familiar with <unfortunately>).  Although I have heard rumors that a
bogus copy of CENTRAL POINT's COPY ][+ 8.5 had the virus, I am unsure
(at this point) how it started.  A day or so prior, I did notice that my
drives were polled more often, and although I thought this strange, I
attributed it to a new version of PROSEL I was using.  I do not know for
a fact, but I believe that BASIC.SYSTEM was a carrier of this virus.
Several times upon using it, the results were less than normal (but
again nothing to be that suspicious about).
        Quite fortunately I was able to recover most of my data via
MR.FIXIT (3.2) and backed-up files.  I hope that this does not happen to
any of you. As I know of no real way of preventing the 'spread' of this
'virus', my only suggestion would be to place fresh copies of
BASIC.SYSTEM all over, as soon as you are suspicious that you too may be
diseased.  If anyone has ANY thoughts, comments, or other input, they
would be most appreciated.
                                                << Peter J. Paul >>

------------------------------------------------------------------------

A moral of this story: If he had gotten his Copy II+ from Central Point
the way he was supposed to, he wouldn't have had the problem.  - MAS

---------------------------------------------------------------------

And, here's more...

From ->STEVE GRISWOLD (#123) <Bit Bucket BBS (203) 569-8739>
Date ->03/18/88 01:03:00 AM

Dateline: 3-16-88  The Hartford Courant
Headline: Computer virus hits retail software

A computer virus has infected a commercially available personal
computer product for what is believed to be the first time, calling
into question the safety and reliability of software sold in retail
stores.  The development, discovered in software available from a
major software company, has led one software company to change the way
it makes software and is likely to force other companies to do the
same.

Computer viruses are mischievous programs that are created by computer
hackers as practical jokes or acts of vandalism.  They can be spread
inadvertently, infecting other software.  Although the virus
discovered last week in FreeHand, a Macintosh design program from
Aldus Corp of Seattle, was a harmless 'message of peace', a more
destructive virus could have wiped out expensive computer data or
years of work.  And it's possible that software produced by companies
such as Lotus Development Corp., Apple Computer Inc. and Ashton-Tate
may be infected by the virus.

The viruses are secretly inserted into computer programs, attach
themselves to disks they come into contact with and then pop up
unexpectedly with a message or to erase computer information.  Until
this incident, personal computer viruses were thought to be hidden
only on non-commercial software - programs available for free or
minimal cost, often distributed on computerized bulletin boards - or
on software disks shared by computer users to swap programs.

Computer experts had said viruses could be avoided if users didn't use
freely distributed software and used only off-the-shelf programs.  But
the infection of the Aldus software shows that isn't the case.  The
'message of peace' virus, which originated at a Canadian publication
called MacMag, was a short message designed to pop up on Apple
Macintosh computers.  It was distributed by many bulletin boards in a
program that purported to be a new listing of products made by Apple.
The virus was inadvertently passed to Aldus by Marc Canter, president
of MacroMind Inc. of Chicago, which makes training disks for Aldus.

---------------------
Disclaimer: I like my opinions better than my employer's anyway...
            (subject to change without notice; void where prohibited)

ARPA:   sewall%uconnvm.bitnet@mitvma.mit.edu       Murphy A. Sewall
BITNET: SEWALL@UCONNVM                          School of Business Admin.
UUCP:   ...ihnp4!psuvax1!UCONNVM.BITNET!SEWALL  University of Connecticut

abc@BRL.ARPA (Brint Cooper) (03/24/88)

	While we wait for the smart people to produce the "vaccines"
that will protect us from these viruses, the infections march on.

	The only truly safe (where have I heard that word recently?) way
to get things from BBSs without catching the virus is NEVER, NEVER,
download and execute binaries.  If you can't get the source and
compile/assemble it yourself so that you can examine it, search for
strings that represent vulnerable addresses, examine every hard disk
write command, etc, then don't run the program!

	Personally, I think that comp.sys.binaries is a very bad idea
for just this reason.  Sharing source code is one thing; sharing object
code is another.

_Brint
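One way to do the kind of inspection Brint describes, as an added example that is not code from the thread or from any poster: a small scanner that lists every ProDOS MLI call an Apple II binary makes and flags the ones that write to or destroy disk contents. The MLI entry point ($BF00), the call-number values, the default load address and the sample binary are assumptions drawn from ProDOS 8 documentation, not from this page.

```python
# Added example (not from the thread).  Assumes ProDOS 8 conventions: an
# MLI call is JSR $BF00 (bytes 20 00 BF) followed by a one-byte call
# number and a two-byte parameter-list pointer.  Sample binary is constructed.
MLI_CALLS = {
    0x80: "READ_BLOCK", 0x81: "WRITE_BLOCK",
    0xC0: "CREATE", 0xC1: "DESTROY", 0xC2: "RENAME",
    0xC8: "OPEN", 0xCA: "READ", 0xCB: "WRITE", 0xCC: "CLOSE",
    0xD0: "SET_EOF",
}
# Calls that change what is on the disk.  WRITE_BLOCK bypasses the file
# system entirely, which is what a volume wiper would reach for.
DESTRUCTIVE = {0x81, 0xC0, 0xC1, 0xC2, 0xCB, 0xD0}
JSR_MLI = b"\x20\x00\xbf"  # 6502 JSR $BF00

def find_mli_calls(image, load_addr=0x2000):
    """Return [(address, call_number, name, param_list_addr)] for every
    JSR $BF00 in the image, in file order.  A byte-pattern scan can hit
    data that merely looks like code, so treat hits as leads for a
    disassembler; a call assembled at run time will not show up at all,
    so an empty list is not proof of safety."""
    calls = []
    pos = image.find(JSR_MLI)
    while pos != -1:
        if pos + 6 <= len(image):
            num = image[pos + 3]
            plist = image[pos + 4] | (image[pos + 5] << 8)
            calls.append((load_addr + pos, num,
                          MLI_CALLS.get(num, "UNKNOWN"), plist))
        pos = image.find(JSR_MLI, pos + 1)
    return calls

def destructive_calls(image, load_addr=0x2000):
    """The calls a reviewer must account for before running the program."""
    return [c for c in find_mli_calls(image, load_addr) if c[1] in DESTRUCTIVE]

# Constructed sample: a well-behaved utility would OPEN/READ/CLOSE; this
# one also carries a raw WRITE_BLOCK and a DESTROY.
SAMPLE = (
    b"\x20\x00\xbf\xc8\x00\x03"    # JSR $BF00 ; OPEN, params at $0300
    + b"\x20\x00\xbf\xca\x10\x03"  # READ, params at $0310
    + b"\xea" * 4                  # NOPs standing in for ordinary code
    + b"\x20\x00\xbf\x81\x20\x03"  # WRITE_BLOCK, params at $0320
    + b"\x20\x00\xbf\xc1\x30\x03"  # DESTROY, params at $0330
    + b"\x20\x00\xbf\xcc\x00\x03"  # CLOSE, params at $0300
)

if __name__ == "__main__":
    for addr, num, name, plist in find_mli_calls(SAMPLE):
        flag = "  <-- writes/destroys" if num in DESTRUCTIVE else ""
        print(f"${addr:04X}: MLI ${num:02X} {name:<11} params=${plist:04X}{flag}")
```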