[comp.sys.mac] Possible Trojan horse Warning!

mxmora@unix.SRI.COM (Matt Mora) (02/08/90)

I read on Applelike today (7-7-90) that there is a 
posible trojan horse warning on the east coast.
The Programs names are Fontfinder and mosaic.

THESE ARE DESTRUCTIVE! they will erase your
any mounted volumes(hard disk or floppies)
and rename them Gotcha. I think Fontfinder
is set to go off at a certain date.

I left the article at home and I will post it
tomorrow unless someone else posts it first.

I just want to prewarn you about these programs.

I am writing this from memory so I am not
positive of these names.


-- 
___________________________________________________________
Matthew Mora
SRI International                       mxmora@unix.sri.com
___________________________________________________________

kulp@cs.nps.navy.mil (Jeff Kulp x2174) (02/08/90)

	This is cross posted from comp.virus.  It gives search strings for
Virus Detective to detect and remove the trojan.


>From: USERGOLD@UALTAMTS.BITNET (Peter Johnston)
Newsgroups: comp.virus
Subject: Trojan Alert (MAC)
Message-ID: <0009.9002021158.AA26135@ge.sei.cmu.edu>
Date: 1 Feb 90 22:00:32 GMT
Sender: Virus Discussion List <VIRUS-L@IBM1.CC.Lehigh.EDU>
Lines: 69
Approved: krvw@sei.cmu.edu

We have detected a new (to us) Macintosh trojan at the University of
Alberta.   Two different strains have been identified.   Both are
dangerous.

The first strain is imbedded in a program called 'Mosaic', type=APPL and
Creator=????.   When launched, it immediately destroys the directories
of all available physically unlocked hard and floppy disks, including
the one it resides on.   The attacked disks are renamed 'Gotcha!'.

Unmounted but available SCSI hard disks are mounted and destroyed by the
trojan.   The files of hard disks are usually recoverable with one of
the available commercial file utility programs, but often the data file
names are lost.   Files on floppy diskettes usually lose their Type and
Creator codes as well, making recovery a non-trivial procedure.

The second strain was detected in a Public Domain program called
'FontFinder', Type=APPL and Creator=BNBW.   It  has a trigger date of 10
Feb 90.   Before that date, the application simply displays a list of
the fonts and point sizes in the System file.

On or after the trigger date, the trojan is invoked and disks are
attacked as for the first strain.   The trojan can be triggered by
setting forward the Mac system clock.

Because the second strain has a latency period during which it is non-
destructive, it is much more likely to be widespread.   Both trojans
were originally downloaded from a local Macintosh BBS here in Edmonton.
The second version was part of a StuffIt! archive named 'FontFinder.sit'
that also contained documentation and the source code for the FontFinder
application.   This source code does NOT contain the source code for the
trojan.

A quick-and-dirty search string for VirusDetective (v/3.0.1 or later)
has been developed that appears to detect the trojan engine in both
strains.   It is:

        Resource CODE & ID = 1 & Data 44656174685472616B

Note that this will detect the currently known versions, but may or may
not detect mutated versions of this trojan.

There is some evidence that these trojans are related based on
preliminary investigation of the code.   It has been speculated that the
second is an 'improved' version of the first (more sophisticated), or
that the two versions were developed by two individual perpetrators
working with the same trojan engine.   There easily could be more
versions either circulating or being developed.

This appears to be the first deliberately destructive malicious code
that targets on the Macintosh.   There is some suspicion that one or
both have been developed locally.   There is also the possibility that
one or both were uploaded from a BBS in the Seattle, Washington area.

Our investigation is far from complete, but is continuing.
Please warn your Mac users to make proper back-ups on a regular basis,
be suspicious of all software not received from a trusted source until
tested, and generally, to practice 'safe computing'.

Any additional information on these two trojans or similar malicious
code would be appreciated.   As and when our investigation turns up more
details, they will be posted...

Peter Johnston, P. Eng.
Senior Analyst, University Computing Systems,
352 - GenSvcBldg, The University of Alberta
Edmonton, Alberta CANADA   T6G 2H1
Phone:  403/492-2462
FAX:    403/492-7219
EMAIL:  usergold@ualtamts.bitnet