papa@pollux.usc.edu (Marco Papa) (01/04/88)
I'd like to add my token to the "virus discussion". One thing that struck me is the statement that software pirates are the ones that will get hit the most. If you think just a bit you'll see that indeed being a "software pirate" will increase your chances of getting the virus :-)

The reason is simple: the virus works only when installed on bootable disks. Which disks are bootable? Workbench, commercial software that includes Workbench and bootable games (which do NOT use Workbench). Fish Disks and AMICUS disks are much less prone to problems, since they are not bootable. Even if a virus copied itself onto one, it would not become active, since you cannot boot the disk. A Fish disk could become active ONLY if you had INSTALLED it and then the virus had copied itself onto it. A perpetrator could have just done this, and then distributed the disk at the monthly Amiga User Group Meeting.

What can you do? Just use the DOS COPY command instead of DISKCOPY:

    COPY df0: to df1: ALL

and then reformat the original. The COPY command will only copy files and not the boot block. I have been getting Fred's disks for two years now and had absolutely no problem. I ALWAYS got them directly from him, never from a User's Group.

About Workbench. Somebody pointed out that it should be good practice to ALWAYS boot with the SAME Workbench disk, a direct copy of Commodore's Workbench. This is definitely good advice. While lots of companies (including Felsina Software) include Workbench on the disk, I have NEVER booted with their Workbench, always with mine. The fact that I also own a rather small number of commercial software packages (MANX C, Lattice C, PowerWindows, Deluxe Paint II, Maxiplan Plus and all my competitors) helps to keep things under control.

About pirating software. As I said, this will increase your chances of getting the virus, especially with copy protected software. Marauder and Mirror will try to make an EXACT copy of the original, which will include the virus if the disk is infected. Non-copy protected programs are less prone to this, since they can be copied with the DOS COPY command.

I am also especially suspicious of BINARY-ONLY programs, which include (unfortunately) a whole lot of SHAREWARE/FREEWARE programs. These can be found on BBSs, comp.binaries.amiga and the Fish and AMICUS disks. A bad guy could very easily add the virus install code at the end of a legal shareware program, and put a jump to it before executing the original program. This has become an almost "standard" way to install viruses. For this reason, I throw away stuff from comp.binaries.amiga. I will only use my OWN compiled version from comp.sources.amiga. Again, I am playing safe. I understand that Fred compiles himself most of the sources he gets. When I do use a binary-only from the Fish disks, I make sure that all my disks have write protect tabs on them, and shut off the machine afterwards. Again, this limits the programs that I can run, but that's life in the fast lane of viruses :-) Playing it safe has paid off for me. I have NO viruses in over 500 disks that my company owns (all checked out fine).

Another thing that has to be clarified is that viruses are no new thing and definitely not limited to the Amiga. In fact, I was surprised that it took THEM over two years to get one on it. It took much less in the IBM or Mac worlds. People get PhDs on viruses. Fred Cohen got one at USC over 3 years ago. I installed a variety of viruses as part of a graduate course on computer security at USC over 4 years ago. One was a spoofing program that would simulate a UNIX login prompt, and would be left running on a shared terminal, for the casual user to log on and get his password. Another one was to let everybody know of a wonderful new program that would "improve" the UNIX "ls" command by copying his shell (with his protections) in my own area, so I could execute it and gain his protections. Bill Landreth (the guy was found recently, he's not dead) used a similar scheme when he gained access to almost all of ARPAnet a few years back. His book (I forget the title, the publisher is Microsoft Press) is good reading for anybody interested in the subject.

Viruses for the IBM PC have usually consisted of modified shareware programs that were "improved" by the virus code. One nasty one was a modified version of the ARC program that would erase all the files on a hard disk. It became a nightmare for BBS sysops. The idea that the Amiga is flawed because it permits this is pure bull*?%#. One could do it on ANY currently available micro/mini/mainframe. If you just didn't know, IBM's VNET worldwide network was put to a halt for almost two weeks just before Christmas, when a "virus Christmas card" was sent out over it. The virus would spread by remailing itself to everybody in your VNET mailing lists, generating "billions and billions" of messages. I believe the net totally crashed at least twice and more at various locations. The perpetrator was never found, and worst of all there seems to be no quick answer/change that will avoid this in the near future.

Until more secure systems are developed, viruses are here to stay. Protect yourself by being a little more careful with what you run. The idea that Jim Sachs lost a year's work because his few backups were also infected, while it makes me feel sad about it, also tells me that he definitely was not that careful. Why did he take the write protect tab off the backups? That's definitely a NO-NO. Why did he have so FEW backups? I have 1 year's worth of backups, one set every two weeks, and routinely take them to my bank safe (LA is earthquake land, and who knows when the big one will hit).

Happy New Year!

-- Marco Papa
Felsina Software
rsk@s.cc.purdue.edu (Frozen Wombat) (01/04/88)
In article <5996@oberon.USC.EDU> papa@pollux.usc.edu () writes:
>I installed a variety of viruses as part of a graduate course on computer
>security at USC over 4 years ago. One was a spoofing program that would
>simulate a UNIX login prompt, and would be left running on a shared terminal,
>for the casual user to log on and get his password. Another one was to let
>everybody know of a wonderful new program that would "improve" the UNIX "ls"
>command by copying his shell (with his protections) in my own area...

Neither of these is a virus in the traditional sense of a self-replicating program which propagates itself in the manner of an organic virus. The former is a simple spoof which (unless it did more than is claimed here) simply masquerades as another program at the user interface level; the latter was simply an exploitation of the path-dependent execution inherent in the Unix shell.

I am surprised, however, that routine coursework involved breaking the security of individual users' accounts. Our SOP for dealing with such individuals is to revoke their account and refer them to the Dean of Students; if evidence exists that they used their access to a user's account to read private files, then they're probably in violation of the Federal Privacy Act.

One of the classic papers on viruses is the one by Shoch (of Xerox PARC) in the CACM a few years back; I can give a more precise reference if anyone is interested.

>IBM's VNET worldwide network was put to a halt for almost two
>weeks just before Christmas, when a "virus Christmas card" was sent out over
>it. The virus would spread by remailing itself to everybody in your VNET
>mailing lists, generating "billions and billions" of messages. I believe the
>net totally crashed at least twice and more at various locations. The
>perpetrator was never found, and worst of all there seems to be no quick
>answer/change that will avoid this in the near future.

This is an extremely inaccurate account of the incident, its repercussions, and its resolution. (For instance, the perpetrator was found.) See recent articles in comp.risks for a number of articles providing a correct account of the incident.

-- 
Rich Kulawiec, rsk@s.cc.purdue.edu, s.cc.purdue.edu!rsk
PUCC Unix Staff
papa@pollux.usc.edu (Marco Papa) (01/04/88)
In article <1847@s.cc.purdue.edu> rsk@s.cc.purdue.edu.UUCP (Frozen Wombat) writes:
>In article <5996@oberon.USC.EDU> papa@pollux.usc.edu () writes:
>>I installed a variety of viruses as part of a graduate course on computer
>>security at USC over 4 years ago.
>
>I am surprised, however, that routine coursework involved breaking
>the security of individual users' accounts. Our SOP for dealing with
>such individuals is to revoke their account and refer them to the Dean of
>Students; if evidence exists that they used their access to a user's account
>to read private files, then they're probably in violation of the Federal
>Privacy Act.

I believe that this is also the case at USC, too. These were all "supervised" break-ins. The professor was present when the thing happened, and the then chairman of the CS dept approved it. No files were even looked at, and the owners of the accounts were promptly notified. It was basically a controlled experiment.

>>IBM's VNET worldwide network was put to a halt for almost two
>>weeks just before Christmas, when a "virus Christmas card" was sent out over
>>it. The virus would spread by remailing itself to everybody in your VNET
>>mailing lists, generating "billions and billions" of messages. I believe the
>>net totally crashed at least twice and more at various locations.
>>The perpetrator was never found, and worst of all there seems to be no quick
>>answer/change that will avoid this in the near future.
>
>This is an extremely inaccurate account of the incident, its repercussions,
>and its resolution. (For instance, the perpetrator was found.) See recent
>articles in comp.risks for a number of articles providing a correct account
>of the incident.

Sorry but I stand by my quote. These are some other ones from comp.risks:

    ...massive network shutdown -- Ross Patterson, Rutgers University
    ... virtually paralyzed IBM's internal network --

The perpetrator was indeed found. Sorry but I read comp.sys.amiga BEFORE comp.risks :-) Too much news backlog after a week's vacation. The virus came from an EARN node in Germany and then spread to other networks (BITNET and VNET). The guy who did it was a student. Boy are we getting a bad name in Europe for viruses :-)

-- Marco
fnf@mcdsun.UUCP (Fred Fish) (01/05/88)
In article <5996@oberon.USC.EDU> papa@pollux.usc.edu () writes:
> .... For this reason, I throw away stuff
>from comp.binaries.amiga. I will only use my OWN compiled version from
>comp.sources.amiga. Again, I am playing safe. I understand that Fred
>compiles himself most of the sources he gets. When I do use a binary-only
>from the Fish disks, I make sure that all my disks have write protect tabs
>on them, and shut off the machine afterwards. ...

Unfortunately I no longer have the luxury of having enough time to recreate any supplied binaries from the supplied sources. Without knowing exactly which version of a compiler was used, and with what patches to the compiler, it can be almost impossible to duplicate the binary, byte-for-byte. Since the supplied binary has presumably had more testing by the author than I could hope to perform on a different binary, I generally include whatever is supplied, testing it only to the extent of verifying that I can run it on my machine and that it performs as advertised without any obvious detrimental side effects.

Now that I have the vcheck program I also run that occasionally to make sure my memory is still clean. I'd like to see a version of vcheck that runs in the background, wakes up periodically to test memory and all accessible disks, and puts up an alert of some type the first time it finds anything suspicious about a particular disk. It would be nice if it could somehow be triggered to test disks automatically at any diskchange signal.

-Fred
-- 
# Fred Fish    hao!noao!mcdsun!fnf    (602) 438-3614
# Motorola Computer Division, 2900 S. Diablo Way, Tempe, Az 85282  USA
sean@ms.uky.edu (Sean Casey) (01/05/88)
In article <5998@oberon.USC.EDU> papa@pollux.usc.edu (Marco Papa) writes:
>...massive network shutdown -- Ross Patterson, Rutgers University
>... virtually paralyzed IBM's internal network --
>
>The perpetrator was indeed found. Sorry but I read comp.sys.amiga BEFORE
>comp.risks :-) Too much news backlog after a week's vacation. The virus
>came from an EARN node in Germany and then spread to other networks (BITNET
>and VNET). The guy who did it was a student.

I got bit by some IBM virus that's been propagating. It is an exec file that prints a Christmas tree, gifts, etc. on your screen. It also sends copies of itself to everyone in your NAMES file (a file of mailing addresses and aliases). It keeps looping through the file and sending mail over and over again until the exec is manually stopped. I got 6 copies of a very strange looking file from a friend of mine (I am on a uVAX II running 4.3). Of course, since we don't have exec :-), it didn't propagate from the VAX. When I asked my friend about it, he said the system administrators were having quite a fun time trying to track down and squash all copies. It seems that new copies kept coming in from BITNET sites daily!

This is an example of a "harmless" virus. Like the Switzerland virus, its sole purpose was to propagate as widely as possible. Unfortunately, it ate a lot of network bandwidth, and both system and user disk space. It also annoyed a lot of people.

Sean

-- 
-- Sean Casey   sean@ms.uky.edu, sean@UKMA.BITNET
-- (the Empire guy)   {rutgers,uunet,cbosgd}!ukma!sean
-- University of Kentucky in Lexington Kentucky, USA
-- "My feet are wet."
brent@questar.QUESTAR.MN.ORG (Brent Nordquist) (01/05/88)
In article <5996@oberon.USC.EDU> papa@pollux.usc.edu () writes:
| Bill Landreth (the guy was found
|recently, he's not dead), used a similar scheme when he gained access to almost
|all of ARPAnet a few years back. His book (I forget the title, the publisher
|is Microsoft Press) is good reading for anybody interested in the subject.
|-- Marco Papa

The book is called "Out of the Inner Circle." It is indeed good reading; I used it as one of the sources for a paper on computer security I wrote once.

However, I'm curious; are you serious that he's not dead? I remember reading an obit-type article in the paper a while back. Could you please elaborate? (If you're bull:-)ing me I'm gonna be ticked!)

-- 
Brent Nordquist   brent@questar.mn.org   {amdahl,ihnp4}!meccts!questar!brent
bill@cbmvax.UUCP (Bill Koester CATS) (01/05/88)
In article <630@mcdsun.UUCP> fnf@mcdsun.UUCP (Fred Fish) writes:
>I'd like to see a version of vcheck that runs in the background, wakes up
>periodically to test memory and all accessible disks, and puts up an
>alert of some type the first time it finds anything suspicious about a
>particular disk. It would be nice if it could somehow be triggered to
>test disks automatically at any diskchange signal.
>

It's in the works!

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Bill Koester (CATS)   >>Commodore Amiga Technical Support<<
Commodore International Ltd.   UUCP ..{allegra|burdvax|rutgers|ihnp4}!cbmvax!bill
PHONE (215) 431-9355
itkin@stsci.EDU (Elliot Itkin) (01/06/88)
In article <3082@cbmvax.UUCP>, bill@cbmvax.UUCP (Bill Koester CATS) writes:
> In article <630@mcdsun.UUCP> fnf@mcdsun.UUCP (Fred Fish) writes:
> >I'd like to see a version of vcheck that runs in the background, wakes up
> >periodically to test memory and all accessible disks, and puts up an
> >alert of some type the first time it finds anything suspicious about a
> >particular disk. It would be nice if it could somehow be triggered to
> >test disks automatically at any diskchange signal.
> >
> It's in the works!
> Bill Koester (CATS)   >>Commodore Amiga Technical Support<<
> Commodore International Ltd.   UUCP ..{allegra|burdvax|rutgers|ihnp4}!cbmvax!bill

AH HA! A virus that checks for viruses!

By the way, people have said that you can only get a virus from BOOTING an infected disk. It has been mentioned (and continues to be mentioned) that the instigator could be a program that (among other things) implants the virus. This means that you could get a virus from just executing a PD program (even one from Fred Fish). This means that you are *NOT* safe just because you don't boot. I have been told that there is a nifty PD demo (some graphic animation thing with a MAX Headroom type character) that does this. Anyone else heard of it?

-- 
Elliot S. Itkin   Space Telescope Science Institute, Baltimore, MD 21218
UUCP: {arizona,decvax,hao,ihnp4}!noao!stsci!itkin
ARPA: itkin@stsci.edu
SPAN: {SCIVAX,KEPLER}::ITKIN
Patrick_Amigan_Gross@cup.portal.com (01/06/88)
In an article Fred Fish stated that he would like a program that could detect the virus in memory every now and then. This can be done with the current version of VCheck. First of all, use FileZap and put a few control G's into the line of Vcheck that tells you you have a virus. Put Vcheck and the Wait command in RAM:. Now create a batch file with the following lines:

    Failat 100
    Vcheck
    wait 30

The Vcheck and Wait 30 lines should be repeated several hundred times in the batch file. This can be done easily with TxEd or MicroEmacs. Now execute this file in your startup sequence. If the virus is in memory the screen will flash every 30 seconds. This is a hack but it does work...saved me many a time.

Remember: "Multitask till you drop"

Patrick Gross
CLI Cochairmen
Baltimore Amiga User's and Developer's
haitex@pnet01.cts.com (Wade Bickel) (01/06/88)
itkin@stsci.EDU (Elliot Itkin) writes:
>In article <3082@cbmvax.UUCP>, bill@cbmvax.UUCP (Bill Koester CATS) writes:
>AH HA! A virus that checks for viruses!
>
>By the way, people have said that you can only get a virus from BOOTING an
>infected disk. It has been mentioned (and continues to be mentioned) that
>the instigator could be a program that (among other things) implants the
>virus. This means that you could get a virus from just executing a PD
>program (even one from Fred Fish). This means that you are *NOT* safe just
>because you don't boot. I have been told that there is a nifty PD demo
>(some graphic animation thing with a MAX Headroom type character) that does

First of all, to be a virus a program must propagate itself.

Second, please don't be so specific about how more "mines" can be laid. I'm sure that with a couple of weeks work I could write a real nasty one of the little germs, and it would be neat to talk about how it might be done, but THIS IS NOT THE PLACE! Don't give people the blueprints for disaster.

Thanks,
Wade.

UUCP: {cbosgd, hplabs!hp-sdd, sdcsvax, nosc}!crash!pnet01!haitex
ARPA: crash!pnet01!haitex@nosc.mil
INET: haitex@pnet01.CTS.COM
ccasttd@pyr.gatech.EDU (Thomas M. Dixon Jr.) (01/08/88)
In article <7976@g> sean@g writes:
>In article <5998@oberon.USC.EDU> papa@pollux.usc.edu (Marco Papa) writes:
>>...massive network shutdown -- Ross Patterson, Rutgers University
>>... virtually paralyzed IBM's internal network --

[ lots 'o stuff edited out. ]

>
>This is an example of a "harmless" virus. Like the Switzerland virus,
                         ^^^^^^^^^^^^^^^^ kind of a contradiction in terms.
>its sole purpose was to propagate as widely as possible.
>Unfortunately, it ate a lot of network bandwidth, and both system and
>user disk space. It also annoyed a lot of people.
>
>-- Sean Casey   sean@ms.uky.edu, sean@UKMA.BITNET

While this virus was a problem due to the network overload it caused, its harmless nature is demonstrated by one fact:

    It dies on Feb 1, 88 and will no longer propagate itself after that date.

If the SCA virus was indeed so harmless, why wasn't it designed to kill itself (or be easily killed) after it made its point the way xmas exec was.

Thomas M. Dixon Jr
ccasttd @ pyr.gatech.edu
haitex@pnet01.cts.com (Wade Bickel) (01/09/88)
ccasttd@pyr.gatech.EDU (Thomas M. Dixon Jr.) writes:
>
>While this virus was a problem due to the network overload it caused, its
>harmless nature is demonstrated by one fact:
>    It dies on Feb 1, 88 and will no longer propagate itself after that
>    date.
>
>If the SCA virus was indeed so harmless, why wasn't it designed to kill itself
>(or be easily killed) after it made its point the way xmas exec was.

Good point. Had they designed it to kill itself at, say, generation number 5 or 10 it would have been much less dangerous. But then, they're the "Swiss Cracking Association", a group that slanders the name of the Swiss, obviously asocial vandals.

Wade.

UUCP: {cbosgd, hplabs!hp-sdd, sdcsvax, nosc}!crash!pnet01!haitex
ARPA: crash!pnet01!haitex@nosc.mil
INET: haitex@pnet01.CTS.COM