[comp.sys.amiga] Viruses, references and request for information

davidf@cs.hw.ac.uk (David.J.Ferbrache) (02/14/89)

This request for information has been cross-posted to the appropriate machine
groups in the comp.sys hierarchy, to comp.risks and to the virus-l mail
list. My apologies to those of you who receive duplicate copies of this item.

Responses by email please, I will summarise any relevant information which
is not of a sensitive nature for posting to the machine group.


       -------------------------------------------------------------
       A review of the threat to the security and integrity of
       microcomputer systems posed by self-replicating code segments
       -------------------------------------------------------------


I am in the process of compiling information on existing computer viruses,
with a view to the production of a technical paper reviewing the threat
to system security posed by both present computer viruses and likely
future developments.

To this end I would be very grateful for information on individual
infections, preferably detailing the symptoms observed, damage caused and
disinfection techniques applied. Naturally I am also interested in details
of the operation of the viruses, although I appreciate the reticence shown
by infected parties to disseminate any details of virus operation, on the
basis that it could lead to development of further viruses.

The technical report is part of a Doctoral research thesis in computer
security, and will be available in late May. Distribution of the technical
report will be restricted to people who have a legitimate interest
(ie systems managers, commercial concerns, research), as I expect to
review the techniques exploited by viruses in a fair degree of detail at
the BIOS/DOS interface level. The report will consider the techniques used by
viruses to duplicate, the ways in which viruses gain control of the computer
system, the camouflage techniques adopted and a brief overview of the
existing computer viruses. Finally the report will consider the likely
development of the threat from viruses, and how this developing threat
can be addressed by protective software in both virtual and non-virtual
machine operating environments.

At the moment I know of the following viruses:

IBM PC MS/DOS 
1. Lehigh variant 1 and 2              2. New Zealand (stoned)
3. Vienna (Austrian, 648)              4. Blackjack (1701, 1704)
5. Italian (Ping Pong)                 6. Israeli variant 1 (Friday 13th, 1813,
                                          PLO, Jerusalem), variant 2, variant 3
                                          (April 1st), variant 4
7. Brain (Pakistani) and variants      8. Yale

Also potentially variants of the Rush Hour and VirDem viruses developed
during the CCC's work on viruses.

APPLE MAC
1. NVir variant A and B, Hpat           2. Scores
3. INIT 29                              4. ANTI
5. Peace (MacMag)

APPLE II
1. Elk 

AMIGA
1. SCA                                  2. Byte Bandit
3. IRQ

ATARI ST
1. Boot sector                          2. Virus construction set viruses

Mainframe OS worms
1. Internet worm                        2. DECNET worm
3. BITNET Xmas chain letter

I would be grateful for any information on these, or any other viruses. 
Reports of infection may be given in confidence, in which case they will
only be used as an indication of geographical distribution of infection.

A summary of known viruses, their symptoms, geographic distribution and
known disinfection measures will be posted to the list as soon as 
sufficient information is available to prepare an interim report. 

As part of the paper I will also be reviewing the effectiveness of viral
disinfection software, and would thus be interested in details of any
software you use, its effectiveness, and availability.

Thanks for your time!

For those interested here is a summary of a few of the virus reports published
on virus-l and usenet,

   Subject, author and date                     Virus      Virus-l issue

   THE AMIGA VIRUS - Bill Koester (CATS)        SCA        LOG8805
       comp.sys.amiga, 13 November 1987

   New Year's Virus Report - George Robbins     IRQ        
       1 January 1989, comp.sys.amiga

   The Elk Cloner V2.0 - Phil Goetz             ELK        
       26 Apr 1988

   THE ATARI ST VIRUS - Chris Allen             ATARI ST   
       22 March 1988, comp.sys.atari 

   Features of Blackjack Virus, Otto Stolz      BLACKJACK  v2.24
       24 Jan 1989                              

   Comments on the "(c) Brain" Virus            BRAIN      LOG8805
       Joseph Sieczkowski, Apr 1988

   Brain and the boot sequence, Dimitri Vulis   BRAIN      v2.5
        5 Jan 1989

   The Israeli viruses, Y.Radai                 ISRAELI    LOG8805
       2 May 1988

   VIRUS WARNING: Lehigh virus version II       LEHIGH v2  v2.35
       Ken van Wyk, 3 Feb 1989

   The Ping-Pong virus, Y.Radai                 ITALIAN    v2.18
       17 Jan 1989

   Known PC Viruses in the UK and their effects MOST PC    v2.23
       Alan Solomon, 1989

   Yale Virus Info, Chris Bracy,                YALE       LOG8809a
       2 Sep 1988
        
   New Macintosh Virus, Robert Hammen           ANTI       v2.39
       comp.sys.mac, 7 Feb 1989

   Hpat virus-it is a slightly modified nVIR    HPAT       
       Alexis Rosen, comp.sys.mac, 7 Jan 1989

   INIT 29: a brief description,                INIT 29    v2.18
       Joel Levin, 18 Jan 1989

   A detailed description of the INIT 29 virus  INIT 29    v2.30
       Thomas Bond, 27 Jan 1989
       
   The Scores Virus, John Norstad               SCORES     LOG8804
       info-mac digest, 23 Apr 1988

   Macintosh infection at Seale-Hayne College   TSUNAMI    LOG8808d
       Adrian Vranch, 8 July 1988
   
   DEFENCE DATA NETWORK MANAGEMENT BULLETIN,    DECNET     (see also v1.59a)
       50, 23 Dec 1988, 

   The internet worm program, an analysis       INTERNET   
       Gene Spafford, Nov 1988

I apologise to any researchers whose articles I have not cited, in what is
currently an incomplete list of references. Hopefully, this article
will be of some use in providing a general list of viruses which have
affected computer systems in the past.

Thanks for your time, and I look forward to any information you can
supply me with.
-------------------------------------------------------------------------------

PS. For those of you interested in viruses there exists a BITNET special
    interest mailing list, <virus-l@lehiibm1.bitnet>; requests to join
    should be in the form of a message to <listserv@lehiibm1.bitnet>
    of the form:

    SUB VIRUS-L

    There is also a virus alert list for postings of discoveries and limited
    follow-up information regarding new viruses; to join, send

    SUB VALERT-L

    Finally, readers in the UK should send their requests to Heriot-Watt
    University's redistribution point at <virus-l-request@cs.hw.ac.uk>.

    I have a vested interest in the UK sublist as I am currently 
    administrator. There are also a number of servers providing viral
    disinfection software, including:

    <listserv@scfvm.bitnet>     (Mac software)
    <listserv@lehiibm1.bitnet>  (Virus-l backissues and IBM software)
    <info-server@cs.hw.ac.uk>   (UK archives, and virus-l backissues)
    
    and the TROJAN-PRO entry on the RPICICGE server and associated
    TRICKLE servers for IBMs.

-------------------------------------------------------------------------------
Dave Ferbrache                            Personal mail to:
Dept of computer science                  Internet <davidf@cs.hw.ac.uk>
Heriot-Watt University                    Janet    <davidf@uk.ac.hw.cs>
79 Grassmarket                            UUCP     ..!mcvax!hwcs!davidf 
Edinburgh, Scotland                       Tel:     (UK) 31-25-6465 ext 553
-------------------------------------------------------------------------------

jwright@atanasoff.cs.iastate.edu (Jim Wright) (02/18/89)

[ The original distribution for this message is inappropriate for ]
[ conducting a discussion.  Unfortunately comp.security, comp.virus, ]
[ etc. do not exist.  Comp.risks is moderated.  The best I could ]
[ find is comp.misc.  Please direct replies there. (Is someplace ]
[ better?) ]

In article <409@odin.cs.hw.ac.uk> davidf@cs.hw.ac.uk (David.J.Ferbrache) writes:
}Responses by email please, I will summarise any relevant information which
}is not of a sensitive nature for posting to the machine group.
    ^^^^^^^^^^^^^^^^^^^^^^^^^
[...]
}[...] although I appreciate the reticence shown
}by infected parties to disseminate any details of virus operation, on the
}basis that it could lead to development of further viruses.
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[...]
}The technical report is part of a Doctoral research thesis in computer
}security, and will be available in late May. Distribution of the technical
                                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
}report will be restricted to people who have a legitimate interest
 ^^^^^^^^^^^^^^^^^^^^^^^^^
}(ie systems managers, commercial concerns, research), as I expect to
}review the techniques exploited by viruses in a fair degree of detail at
}the BIOS/DOS interface level.
[...]
}-------------------------------------------------------------------------------
}Dave Ferbrache                            Personal mail to:
}Dept of computer science                  Internet <davidf@cs.hw.ac.uk>
}Heriot-Watt University                    Janet    <davidf@uk.ac.hw.cs>
}79 Grassmarket                            UUCP     ..!mcvax!hwcs!davidf 
}Edinburgh, Scotland                       Tel:     (UK) 31-25-6465 ext 553
}-------------------------------------------------------------------------------

Is no one else offended by this?  The key to exterminating these
bugs, worms, viruses, whatever, lies not in hiding the facts.  The
answer is knowledge.  Even the US government has realized that
secrecy is by no means equivalent to security.  Witness the NBS's
DES (National Bureau of Standards' Data Encryption Standard).  The
essence of its security lies not in the fact that the encoding
scheme is some (hard-to-maintain) secret, but rather in the fact that
a clever way has been found to take advantage of what is today a
known computationally "difficult" problem.

How can anyone expect to ever surmount these difficulties by
hiding them?  And this from an academic institution!  I dread
to think just how wide-spread this plague would be if everyone
tried to hush it up.

Regardless of how well-intentioned the author may be, I am
appalled at his methods.  If the computing community ever hopes
to deal effectively with this problem, we must first understand
it.

Mr. Ferbrache, perhaps you have already been through this discussion
within your own group.  If so, could you tell us why you chose
to make this project secretive?  I don't consider "knowledge is
dangerous" a suitable reason.

--
Jim Wright
jwright@atanasoff.cs.iastate.edu

nor1675@dsacg2.UUCP (Michael Figg) (02/24/89)

As I was reading this posting requesting information on viruses, my cubicle mate
passed me an interesting article on the subject. It doesn't get much into
Amiga viri (sp?) but says a lot about the PC and MAC. The article is "The Virus
Cure", Datamation, February 15, 1989. Also saw an ad for a conference on viruses
in Chicago, May 1-4, 1989, Hyatt Regency O'Hare, 1-508-393-2600.

  
-- 
"Better graphics with crayons"                 Michael Figg
Have since switched to oil based paints        DLA Systems Automation Center
but find they really screw up the color        Columbus, Oh.
map and pens!                                  (614)-238-9036