dwl10@uts.amdahl.com (Dave Lowrey) (08/11/89)
I saw this on a local BBS.
Anyone have any info on this????
===============================================================
Does anyone know anything about the Xeno virus? Are there any programs
out there that will detect or kill it? 69th Street BBS is down due to
this fiendish bug that writes to any program which is run or executed.
It spreads through the hard drives and looks for FastFileSystem. With
TxEd you can look at programs and see the words "Greetings Amiga users
from the Xeno virus!" It also writes 1124 bytes to each program that is
run. Other than that, I don't know anything about it like how it spreads
and how to rid the universe of it! VirusX3.2, kv, NoVirus1.54 do not
detect it. Any help would be appreciated!
---
============================================================
--
"What is another word   | Dave Lowrey    | [The opinions expressed MAY be
 for 'Thesaurus'?"       | Amdahl Corp.   | those of the author and are not
                         | Houston, Texas | necessarily those of his
 Steven Wright           | amdahl!dwl10   | employer] (`nuff said!)
hubey@pilot.njin.net (Hubey) (08/11/89)
In article <21fB02Wm49np01@amdahl.uts.amdahl.com> dwl10@uts.amdahl.com (Dave Lowrey) writes:
> Does anyone know anything about the Xeno virus? Are there any programs
> out there that will detect or kill it? 69th Street BBS is down due to
> this fiendish bug that writes to any program which is run or executed.
> It spreads through the hard drives and looks for FastFileSystem. With
> TxEd you can look at programs and see the words "Greetings Amiga users
> from the Xeno virus!" It also writes 1124 bytes to each program that is
> run. Other than that, I don't know anything about it like how it spreads
> and how to rid the universe of it! VirusX3.2, kv, NoVirus1.54 do not
> detect it. Any help would be appreciated!

How about a regular program of testing and inoculation?

I have thought about this for a while (not the Xeno but viruses in general) and wondered what would happen if CA (or any other interested third party) wrote a CRC program which would contain --internally-- a table of CRC values for the most commonly run programs, i.e. commands and utilities. This program could be periodically run (or whenever a virus was suspected) and would point out potentially corrupt programs, i.e. those whose CRC did not check out!

I realize (at least some of) the pitfalls :-).. It might take a long time to check out all the commands and utilities. It would also require that before the user did anything, he would have to run this program. And of course there is always the possibility that the virus would infect this program. However, if the user diligently checked out every PD software first --this would necessitate that the writers would have to provide CRCs for their programs-- it might be more difficult for viruses (or is it virii :-) ) to spread.

I am sorry that this is still a half-baked idea but I think that some of the techniques which have proven their value in computer communications might eventually make their way into OS design.

Who knows, if it turns out to be very useful, CRC fields might even be provided on files. I am not sure how one would go about getting the CRC for a file+CRC into the file without first knowing the CRC ?? Nice problem ??--The chicken-or-egg problem of Comp Sci ?? :-). If it were possible to solve this problem only via brute force computing, then it would necessarily take out of action many would-be virus-generators. However if there is a neat trick, then all is lost. At this point it seems that if the CRC were 32 bits, trial and error would necessitate approximately 10^10 tries ( ~ 2^32).

I am not aware of any use of checking of data more advanced than simple parity checking in computer architecture. If I recall correctly, parity checking (on the bus) is not even done on the Amiga. (I am not trying to say that it should be done. It probably is not necessary).

In the last issue of IEEE Spectrum, there is(are) (an) article(s) on Computer Security--p. 22.. The gist of the article is that very often, very simple precautions are all that is necessary to keep intruders out. From p. 24:

"Some believe that only a few safeguards will do the trick. 'I can't think of a single instance when a hacker penetrated a system that had modest protection', said Courtney. He defines modest protection as denial of access after three unsuccessful attempts, and on dial-up lines, placement of the access barrier in front of the modem instead of behind it....." etc etc

I wonder if some 'modest protection' of this type can be added to Operating Systems ????

mark
--
hubey@OSultrix.montclair.edu  hubey@pilot.njin.net  hubey@apollo.montclair.edu
VOICE: 201-893-5269  ...!rutgers!njin!hubey
ain@mentor.cc.purdue.edu (Pat-bob White) (08/12/89)
In article <Aug.10.18.58.47.1989.22364@pilot.njin.net> hubey@pilot.njin.net (Hubey) writes:
>I have thought about this for a while (not the Xeno but viruses in
>general) and wondered what would happen if CA (or any other interested
>third party) wrote a CRC program which would contain --internally--a
>table of CRC values for the most commonly run programs i.e. commands
>and utilities. This program could be periodically run (or whenever a
>virus was suspected) and would point out potentially corrupt programs
>i.e. those whose CRC did not check out!

Anyone could write a program to do that now -- if they didn't publish their CRC calculation method, then things would be safer till some virus writer found it out. Once that happened, there would be many people relying on that program to keep them safe.. making it actually easier for a virus to spread.

>I am not sure how one would go about getting the
>CRC for a file+CRC into the file without first knowing the CRC ??

Don't try to include the CRC in the text the CRC is calculated on.. either that or calculate a CRC for every possible CRC.. and hope two of them match :-)

>I wonder if some 'modest protection' of this type can be added to
>Operating Systems ????

Sounds like you want a login?

Pat White
ARPA/UUCP: j.cc.purdue.edu!ain  BITNET: PATWHITE@PURCCVM  PHONE: (317) 743-8421
U.S. Mail: 320 Brown St. apt. 406, West Lafayette, IN 47906
Life is a joke.. so laugh at it :-)
jwright@atanasoff.cs.iastate.edu (Jim Wright) (08/13/89)
In article <3633@mentor.cc.purdue.edu> ain@mentor.cc.purdue.edu (Pat-bob White) writes:
| In article <Aug.10.18.58.47.1989.22364@pilot.njin.net> hubey@pilot.njin.net (Hubey) writes:
| > [wonders about programs to check files' CRC values]
|
| Anyone could write a program to do that now -- if they didn't publish
| their CRC calculation method, then things would be safer till some virus
| writer found it out. Once that happened, there would be many people relying
| on that program to keep them safe.. making it actually easier for a virus to
| spread.

There's a better way. Use two different polynomials to compute the CRC values. A single CRC check can be faked out by tweaking the bytes, but getting past two such checks would be much more difficult. Even if you distributed source code.

--
Jim Wright
jwright@atanasoff.cs.iastate.edu
mcp@ziebmef.mef.org (Marc Plumb) (08/22/89)
>| In article <Aug.10.18.58.47.1989.22364@pilot.njin.net> hubey@pilot.njin.net (Hubey) writes:
>|> [wonders about programs to check files' CRC values]

>In article <3633@mentor.cc.purdue.edu> ain@mentor.cc.purdue.edu (Pat-bob White) writes:
>| Anyone could write a program to do that now -- if they didn't publish
>| their CRC calculation method, then things would be safer till some virus
>| writer found it out. Once that happened, there would be many people relying
>| on that program to keep them safe.. making it actually easier for a virus to
>| spread.

In article <1332@atanasoff.cs.iastate.edu> jwright@atanasoff.cs.iastate.edu.UUCP (Jim Wright) writes:
>There's a better way. Use two different polynomials to compute the CRC
>values. A single CRC check can be faked out by tweaking the bytes, but
>getting past two such checks would be much more difficult. Even if you
>distributed source code.

No, two different CRC polynomials work as well as the product of the two - which, having factors, is not as good as a well-chosen longer polynomial. Even a simple CRC would frustrate a lot of virus writers, who probably aren't too comfortable with polynomial division code, but you really want an unforgeable signature.

If you can securely distribute the signature values, then you can use a one-way encryption algorithm similar to the Unix password algorithm, except much simpler, as no brute-force search of *any* size is practicable by a virus. If you want the programs to be self-validating, there is a "cryptographic checksum" algorithm available (there is a research system called Strongbox that uses it, developed at CMU I believe) which appends a checksum to a file which can be checked by anyone, but without a special key value (not needed for checking) you cannot compute a correct checksum for an arbitrary file.

While the latter scheme is more convenient if you have a central point where software is certified safe that can keep the key, the Unix-password scheme is probably better for Amiga use.
--
-Colin Plumb
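An added example (not code from the thread) that checks Plumb's claim above: the pair of residues from two CRC polynomials carries exactly the same information as one residue modulo their product, provided the two polynomials share no factor; it also shows the keyed one-way tag he recommends instead. The polynomials P1 and P2 are constructed toy values chosen small enough to enumerate every message, and the HMAC-SHA256 tag stands in for his "Unix-password-like" scheme.

```python
# Added example, not code from the thread. Checks Colin Plumb's claim that
# passing two CRC checks (polynomials p1 and p2) is equivalent to passing a
# single CRC check with the product p1*p2, and contrasts it with a keyed tag.
# Polynomials are Python ints over GF(2): bit i is the coefficient of x^i.
import hmac
import hashlib

def gf2_mul(a: int, b: int) -> int:
    """Carry-less (GF(2)[x]) multiplication of two polynomials."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def gf2_mod(msg: int, poly: int) -> int:
    """Remainder of msg divided by poly in GF(2)[x]: the plain CRC residue."""
    deg = poly.bit_length() - 1
    while msg.bit_length() - 1 >= deg:
        msg ^= poly << (msg.bit_length() - 1 - deg)
    return msg

# Constructed toy polynomials, small enough to enumerate every message.
P1 = 0b10011    # x^4 + x + 1
P2 = 0b100101   # x^5 + x^2 + 1 (no common factor with P1)
P2_SHARED = gf2_mul(P1, 0b11)  # (x^4 + x + 1)(x + 1): shares a factor with P1

def two_checks_equal_product(p1: int, p2: int, msg_bits: int = 12) -> bool:
    """True iff, over all msg_bits-bit messages, the pair (m mod p1, m mod p2)
    determines, and is determined by, the single residue m mod (p1*p2)."""
    prod = gf2_mul(p1, p2)
    by_prod = {}   # residue mod product -> set of residue pairs seen
    by_pair = {}   # residue pair -> set of residues mod product seen
    for m in range(1 << msg_bits):
        r, pair = gf2_mod(m, prod), (gf2_mod(m, p1), gf2_mod(m, p2))
        by_prod.setdefault(r, set()).add(pair)
        by_pair.setdefault(pair, set()).add(r)
    pair_fixed_by_prod = all(len(s) == 1 for s in by_prod.values())
    prod_fixed_by_pair = all(len(s) == 1 for s in by_pair.values())
    return pair_fixed_by_prod and prod_fixed_by_pair

def keyed_tag(data: bytes, key: bytes) -> bytes:
    """Keyed one-way check (HMAC-SHA256): without the key, no search of any
    size lets a modified file be given a matching tag."""
    return hmac.new(key, data, hashlib.sha256).digest()

def keyed_check(data: bytes, key: bytes, tag: bytes) -> bool:
    """Constant-time comparison of a stored tag against a recomputed one."""
    return hmac.compare_digest(keyed_tag(data, key), tag)
```

With P1 and P2_SHARED the second check adds nothing beyond the larger of the two, so the "as good as the product" equivalence only holds for polynomials with no common factor.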
mitchell@cbmvax.UUCP (Fred Mitchell - QA) (08/24/89)
In article <1989Aug21.151623.26054@ziebmef.mef.org> mcp@ziebmef.mef.org (Marc Plumb) writes:
>one-way encryption algorithm similar to the Unix password algorithm, except
>much simpler, as no brute-force search of *any* size is practicable by a
>virus. If you want the programs to be self-validating, there is a
>"cryptographic checksum" algorithm available (there is a research system
>called Strongbox that uses it, developed at CMU I believe) which appends
>a checksum to a file which can be checked by anyone, but without a special
>key value (not needed for checking) you cannot compute a correct checksum
>for an arbitrary file.
>--
> -Colin Plumb

There's a Public Key Encryption algorithm, which might be adaptable to do fool-proof 'checksumming'. I'll have to dig that article up- or I will create one myself, when I have time (Yeah, Uh-Huh!). It would be impossible to fool without copious amounts of cpu time and crypto-analytic skill.

--
|*******************************************|      -Compliments of        ///
|* All thoughts and comments are solely    *|       Fred Mitchell     \\\///
|* those of The Author and have nothing to *|                           \XX/
|* do with Commodore-Amiga.                *|  Software QA - Commodore-Amiga
|*******************************************|
pfaff@mercury.asd.contel.com (Ray Pfaff - Oakwood 457 934-8162) (08/26/89)
While the discussion concerning CRCs and such is interesting, has anybody but the original author of this thread encountered the virus, or is this another case of someone thinking that they have a new strain of virus when they really don't?

- Ray Pfaff