[comp.sys.mac] I'm not sure I believe this.

bskendig@phoenix.Princeton.EDU (Brian Kendig) (12/08/89)

In article <1886@accuvax.nwu.edu> jln@accuvax.nwu.edu (John Norstad) writes:
>A new Macintosh virus named "WDEF" has been discovered in Belgium,
>at Northwestern University, and at the University of Texas.
>
>The WDEF virus infects the invisible "Desktop" files used by the
>Finder.  Every Macintosh disk has one of these files (hard drives
>and floppies).  The virus spreads from Desktop file to Desktop
>file, but it does not infect applications, data files, or system
>files.
>
> ...
>
>You do not have to run a program for the virus to spread.

Then how *does* it spread?

I've learned not to get worried at the sight of what might be a bad
virus.  (Just look at the DataCrime virus in the IBM PC that was
supposed to wipe hard drives clean on Columbus Day - nothing big ever
came of that, but people panicked anyway.)

Now this alleged WDEF virus comes along.  First of all, how can it
possibly do any damage from the DeskTop file?  The DeskTop is data
only - it is not run.  The only way it could do damage is by
persuading the Finder to go on a rampage of some sort.  This would be
analogous to a book that made everyone who read it immediately go out
and kill someone without realizing it - not highly likely.

Secondly, so what if the WDEF *is* a virus?  What program would look
for a WDEF in the DeskTop file?  A WDEF is a Window DEFinition
resource (providing those funky NeXT-style window INITs, for example.)
The DeskTop is used primarily for icons and other miscellaneous Finder
information.  The Finder gets its WDEF resources from the System.  If
the Finder were to check every resource in the DeskTop file just to
make sure it didn't need any of them, it would run awfully slowly.
Therefore, it doesn't search for anything it doesn't need - and it
certainly doesn't need WDEF's from the DeskTop, and even if it did, it
certainly wouldn't switch from interpreting them as data for drawing
windows to data for messing with files.

Thirdly, I'd like to remind everyone that there have been three
postings before this one about the virus.  The first announced it.
The second followed impressively quickly, and introduced 'Eradicator!'
to fix it.  The third was a post from someone at Stanford who *thinks*
he has the virus, and has also downloaded 'Eradicator!' to fix it.

Now, call me a doubting Thomas, but I find it highly unusual that (a)
someone could whip up a patch that quickly after the virus was
discovered, (b) the virus could spread that quickly from the three
source locations (hmm...) to Stanford, and (c) that the virus appeared
at Stanford at around the same time that 'Eradicator!' was introduced
there.  (The poster didn't say whether he downloaded 'Eradicator!'
after he suspected the virus, or if he just downloaded the program to
be safe and only later found traces of funny business.)

Also, if the virus only affects the DeskTop file and copies itself,
with no other effect on the user (as the original announcement stated),
how did the Stanford folks notice it?  Does everyone at Stanford have
an IIci?  (I only rarely check the resources in my DeskTop file just for
the heck of it.  ;-)

I'm not blaming anyone for anything.  I'm just stating that the events
thus far surrounding the 'virus' have been somewhat questionable.

I will wait for more information before I set up my defenses against
the WDEF virus.

     << Brian >>

-- 
| Brian S. Kendig      ^ Macintosh |  /\   _||_ | bskendig                   |
| Computer Engineering |\ Thought  | /__\  \  / | @phoenix.Princeton.EDU     |
| Princeton University | \ Police  |  ||    \/  | @PUCC.BITNET               |
| Systems Engineering, NASA Space Station Freedom / General Electric WP3     |

6600pete@hub.UUCP (12/08/89)

From article <12044@phoenix.Princeton.EDU>, by bskendig@phoenix.Princeton.EDU (Brian Kendig):
> In article <1886@accuvax.nwu.edu> jln@accuvax.nwu.edu (John Norstad) writes:
>>The WDEF virus infects the invisible "Desktop" files used by the
>>Finder.
>> ...
>>You do not have to run a program for the virus to spread.
> 
> Then how *does* it spread?
> [ uninformed skepticism about the possibility of such a thing ]

The Desktop file is a resource file. Finder leaves it open. MultiFinder leaves
it open ALL THE TIME. Resources come from resource files in a precedence
according to the order that their resource files are opened. Lots of Toolbox
calls get resources, including window manager calls. A WDEF (window definition
resource) 0 in the Desktop file could easily be found before the WDEF 0 in
the System file, which of course is opened first and searched last for resources.
The source code for WDEF 0 is easily obtainable, and therefore modifiable.
Are you beginning to get the picture? Now think about this: a WDEF can
do anything it damn well pleases; it can write a file or draw a window or
both. And the Finder uses it! So you don't even have to run anything special
to infect other disks.

I don't know that this is how the virus works; however, it could easily
be the case.

> [ uninformed skepticism about how such a thing might be discovered ]

Programmers crawl the Desktop file all the time. WDEF's do NOT belong there.

> [ semi-informed doubt about propagation of a virus dependent on the
>   Desktop file ]

I admit it, you've got me skeptical about this. Normally, the excuse for
rapid virus propagation is the network. Can't be so in this case. But
keep in mind that Universities, Stanford included, have a relatively high
international population. A student or faculty member might have brought it
on a floppy from Europe on a plane, or a disk could have been sent in the mail.
It only takes one.

Also, keep in mind that you are reading messages within three days after the
REPORT of the virus. It might have been propagating for weeks without discovery.

> I find it highly unusual that (a)
> someone could whip up a patch that quickly after the virus was
> discovered,

It doesn't strike me that writing a shield for this particular virus would be
all that difficult. One trap patch. No big deal.

> I will wait for more information before I set up my defenses against
> the WDEF virus.

Well, here's your more information. Please don't make the mistake of thinking
this virus is hype. So far, we haven't had any viruses of the drive-
erasing type, but then again we don't know too much about this one, and
it might be a time bomb... In any case, here is some final info for you:
Norstad tells me in mail he's already got a fix in Disinfectant 1.4 for this
thing. Can you think of a reason he'd lie about such a thing?
-------------------------------------------------------------------------------
Pete Gontier   | InterNet: 6600pete@ucsbuxa.ucsb.edu, BitNet: 6600pete@ucsbuxa
Editor, Macker | Online Macintosh Programming Journal; mail for subscription
Hire this kid  | Mac, DOS, C, Pascal, asm, excellent communication skills

henry@chinet.chi.il.us (Henry C. Schmitt) (12/09/89)

In article <12044@phoenix.Princeton.EDU> bskendig@phoenix.Princeton.EDU (Brian Kendig) writes:
>In article <1886@accuvax.nwu.edu> jln@accuvax.nwu.edu (John Norstad) writes:
>>A new Macintosh virus named "WDEF" has been discovered in Belgium,
>>at Northwestern University, and at the University of Texas.
>>
>>You do not have to run a program for the virus to spread.
>
>Then how *does* it spread?
>
>I've learned not to get worried at the sight of what might be a bad
>virus.  (Just look at the DataCrime virus in the IBM PC that was
>supposed to wipe hard drives clean on Columbus Day - nothing big ever
>came of that, but people panicked anyway.)
> [Stuff Omitted]
>Now, call me a doubting Thomas,...
> [ More stuff omitted ]
>I'm not blaming anyone for anything.  I'm just stating that the events
>thus far surrounding the 'virus' have been somewhat questionable.
>
>I will wait for more information before I set up my defenses against
>the WDEF virus.
>
>     << Brian >>
>
>-- 

Brian (and other doubters) -
	Set up your defenses NOW!  In case you didn't note the
originator of the message, John Norstad is NOT a Panic Monger.  If
he's posting information about the virus, it means he has a copy,
has confirmed its viral status and is in the process of
disassembling it to find the gory details of how it works (if he
already hasn't completed that)!

	As for your insinuation that he may be doing this for profit
on an antivirus program, please note that he is distributing
Disinfectant for _FREE_ at Northwestern University's expense!  Also
note that he specifically says that his program does NOT recognize
the virus.

	I personally doubt the reports of any new virus (such as the
MacWite Virus) until John has had his say.  As to the method of
spread of the virus, John may not have completely determined it at
this time and is refraining from giving out partial or
mis-information.

	I _strongly_ recommend that you start taking precautions NOW
rather than waiting until it's too late!  If it's been found in as
wide-spread locations as Belgium, Illinois, and Texas you better
believe it's all over!

				Henry C. Schmitt
				Author of Virus Encyclopedia

P.S.  I'll try and spend time this weekend updating Virus
Encyclopedia.  Look for a new version soon!
-- 
  H3nry C. Schmitt     | CompuServe: 72275,1456  (Rarely)
                       | GEnie: H.Schmitt  (Occasionally)
 Royal Inn of Yoruba   | UUCP: Henry@chinet.chi.il.us  (Best Bet)

jln@accuvax.nwu.edu (John Norstad) (12/09/89)

In article <12044@phoenix.Princeton.EDU> bskendig@phoenix.Princeton.EDU (Brian Kendig) writes:
>Then how *does* it spread?

(In reference to the new WDEF virus).  I don't discuss the internal 
mechanisms of viruses in public.  It *does* spread from disk to disk.
We have completely disassembled the virus, we understand its basic
replication mechanism, we've run experiments and watched it spread,
we've stepped through it with a debugger, etc.

>I've learned not to get worried at the sight of what might be a bad
>virus.  (Just look at the DataCrime virus in the IBM PC that was
>supposed to wipe hard drives clean on Columbus Day - nothing big ever
>came of that, but people panicked anyway.)

Nobody is recommending panic. But it does appear that this virus has been
around for several months, it may be widespread, and it does cause a number
of problems because of bugs in the virus.  We know all of this for certain -
this is not conjecture or rumor.

>Now this alleged WDEF virus comes along.  First of all, how can it
>possibly do any damage from the DeskTop file?  (... a long discussion
>about why this virus couldn't possible work)

Again, I will not go into details here except to say that it does work.

>Thirdly, I'd like to remind everyone that there have been three
>postings before this one about the virus.  The first announced it.
>The second followed impressively quickly, and introduced 'Eradicator!'
>to fix it.  The third was a post from someone at Stanford who *thinks*
>he has the virus, and has also downloaded 'Eradicator!' to fix it.
>
>Now, call me a doubting Thomas, but I find it highly unusual that (a)
>someone could whip up a patch that quickly after the virus was
>discovered, (b) the virus could spread that quickly from the three
>source locations (hmm...) to Stanford, and (c) that the virus appeared
>at Stanford at around the same time that 'Eradicator!' was introduced
>there.  (The poster didn't say whether he downloaded 'Eradicator!'
>after he suspected the virus, or if he just downloaded the program to
>be safe and only later found traces of funny business.)

The virus was discovered last weekend by the three programmers in Belgium
who wrote Eradicator!.  We discovered it here independently in one of
our Mac labs on Tuesday.  By coincidence, shortly after we discovered it
here I received a note about the Belgium discovery.  I immediately began
disassembling and testing the virus with the help of a group of other
virus-fighters on the Internet (authors of virus-fighting programs and 
other experts, including the authors of SAM, Virex, Virus Detective, 
GateKeeper, and Virus Rx.  I am the author of Disinfectant).  Some of the
members of this group are at Stanford, the University of Texas, and the
University of New Mexico, and after they were notified of the existence of
the new virus they checked and discovered infections at their locations.
Another member of the group reports discovering infected backup disks
dating back to October 14, so we now know that the virus has been
around for some time.

Once we felt that we understood the virus sufficiently to announce it to
the public, I prepared and posted my original announcement.  Shortly 
thereafter I received a copy of Eradicator! from Belgium, performed some
quick experiments on my Mac II, and posted it to the nets.  Shortly
after that I received a note from Chris Johnson, the author of GateKeeper,
that it bombed on 68000-based machines, and I posted my note about that.

>Also, if the virus only affects the DeskTop file and copies itself,
>with no other effect on the user (as the original announcement stated),
>how did the Stanford folks notice it?  Does everyone at Stanford have
>an IIci?  (I only rarely check the resources in my DeskTop file just for
>the heck of it.  ;-)

The virus has several bugs.  It causes Mac IIcis to crash horribly, and we
know why.  It causes problems with AppleShare servers which we can
reproduce but which we do not yet fully understand.  It causes frequent
crashes when attempting to save files in certain applications, and we
haven't figured out that one yet either.  Our research continues, and we
hope to have more information soon.

In the case of Stanford, I believe that they used Jeff Shulman's Virus
Detective to locate the virus, after we had first discovered it and
figured out how to configure Virus Detective to catch it.

>I'm not blaming anyone for anything.  I'm just stating that the events
>thus far surrounding the 'virus' have been somewhat questionable.

Now that I've given you some more information, I hope that I've 
convinced you that this one is for real.  We don't know exactly how
widespread it is, and we still have some unanswered questions, but 
everything we've stated publicly so far is confirmed fact.

>I will wait for more information before I set up my defenses against
>the WDEF virus.

I would recommend that you at least use Virus Detective or ResEdit to
check your Desktop file for WDEF resources, and rebuild your Desktop
files if you find them.  See my original posting for more details.

Eradicator! may be buggy even on 68020 and 68030-based machines - as I
mentioned, I can't guarantee it since I didn't write it and I don't have
source code.  Use it at your own risk.

John Norstad        Northwestern University      jln@acns.nwu.edu

ksuzuki@dip.eecs.umich.edu (Katsu Suzuki) (12/09/89)

In article <1989Dec8.164800.8091@chinet.chi.il.us> henry@chinet.chi.il.us (Henry C. Schmitt) writes:
>
>Brian (and other doubters) -
>	Set up your defenses NOW!  In case you didn't note the
>originator of the message, John Norstad is NOT a Panic Monger.  If

OK. I found out that my disks also had a WDEF in the Desktop.  It seems this
virus is widely spread at the University of Michigan too, as was also posted in
a previous message.


>	I _strongly_ recommend that you start taking precautions NOW
>rather than waiting until it's too late!  If it's been found in as
>wide-spread locations as Belgium, Illinois, and Texas you better
>believe it's all over!

BUT, what can I do to defend my HD from infection? Of course, I can check
frequently, but if just inserting an infected disk infects the HD, then trying to
check for infection gets the HD infected. Now I am so afraid of using
floppy disks.

Exactly when will the HD be infected? When a floppy disk is inserted? Or when
a floppy is inserted while the Finder is working? I don't know well how the System
and Finder access the Desktop. I hope some experts answer my question and
release us from fear.

Katsu


wwtaroli@rodan.acs.syr.edu (Bill Taroli) (12/09/89)

I must agree with the earlier posting about the skepticism of the virus.  Quite
frankly, if this WDEF does have code in it that's installing resources into
the Desktop then why are the virus detection programs (like GateKeeper) not
able to catch it?  Is it just because the WDEF isn't running as a program?  If
not, then why?  Also, the people who seem to be very knowledgeable
about this virus have said next to nothing about how it actually gets in,
and why (again) this would make it more difficult to find than say nVIR...

Any ideas?

Bill Taroli
WWTAROLI@RODAN.acs.syr.edu

dplatt@coherent.com (Dave Platt) (12/09/89)

In article <1044@zip.eecs.umich.edu> ksuzuki@dip.eecs.umich.edu.UUCP (Katsu Suzuki) writes:
> BUT, what can I do to defend my HD from infection? Of course, I can check
> frequently, but if just inserting an infected disk infects the HD, then trying to
> check for infection gets the HD infected. Now I am so afraid of using
> floppy disks.
>
> Exactly when will the HD be infected? When a floppy disk is inserted? Or when
> a floppy is inserted while the Finder is working? I don't know well how the System
> and Finder access the Desktop. I hope some experts answer my question and
> release us from fear.

Infections can occur if you're in the Finder (uni- or Multi-), or are
running any other program which opens the Desktop file.  I don't believe
they can occur if all of your Desktop files are closed.  The infection
mechanism seems to require that you open at least one window.

If your hard disk is infected, then other volumes (floppies, Syquests,
etc.) can become infected under the above circumstances.  The infection
isn't a "sure thing", but it becomes increasingly likely after a fairly
short period of time.

If your hard disk is not infected, and you insert an infected floppy,
the infection may spread to your hard disk if the above conditions are
true.  Once again, the infection is not certain, but is likely.

The WDEF virus does not infect applications, application documents, or
System files.  As far as we know, it can't be contracted by downloading
a program from a bulletin-board system, from comp.binaries.mac, etc.
It's carried from machine to machine via floppy disks and other
dismountable volumes.

What you can do to disinfect and protect your system:

1) If you have a Mac II, IIx, IIcx, IIci, or SE/030, install the
   Eradicator! INIT.  It's not perfect or foolproof, but it does appear
   to provide a substantial amount of protection against this virus.  It
   will disinfect your boot volume when it installs itself, and will
   disinfect any newly-inserted floppies.

   A triple-beep means that the WDEF virus has been detected in the
   Desktop file.  It will be removed, unless the diskette is locked...
   in which case the disk will be ejected or unmounted.

   A single beep means that Eradicator! could not read the Desktop file.
   This can happen if you initialize a new floppy, or run a RAMdisk
   installer, or pop in a backup diskette written by an application
   which doesn't maintain the Desktop file (e.g. DiskFit).  A single
   beep is not a reason for alarm.

   Do not run Eradicator! 1.0 on a Mac Plus or SE... it will bomb during
   the boot sequence.  The authors are working on a new version which
   won't have this problem.

   Eradicator! is actually a broad-spectrum antiviral;  it will zap
   WDEF, and any other virus which attempts to store executable code in
   the Desktop file.  It will not detect or remove viruses such as nVIR,
   which store code in the System file or in applications.

2) You can use VirusDetective, with the additional search-string
   recommended by Jeff Shulman (Creator=ERIK & Resource WDEF & Any).
   Run VirusDetective under any application _other_ than the Finder, so
   that the Desktop files are all closed.  If VirusDetective tells you
   that it has found the WDEF resource, you may safely remove the viral
   resource from the Desktop file (note... this is NOT safe to do with
   other viruses such as nVIR or SCORES;  these require a more complex
   disinfection technique).

   If you start up VirusDetective, then you can simply start popping
   floppies into your Mac... VirusDetective will scan 'em, and if
   they're clean (or after you remove the WDEFs) it will eject them.

3) In a pinch, you can reboot, and hold down the command and option keys
   before the Finder desktop is drawn... and then say "Yes" when asked
   if you want to rebuild the Desktop file(s) on your hard disk
   partition(s).  Keep the command and option keys down until the
   Desktop files on all of your volumes have been rebuilt.  You'll lose
   your Finder comments and perhaps some document icons... but the WDEF
   virus will also be removed.  You can do the same for floppy disks...
   while in the Finder, hold down command and option, insert the disk,
   and OK the desktop rebuild.  Eject the floppy, and repeat this
   sequence as necessary to cleanse all of your suspect floppies.

Within the next few weeks, you can probably expect to see updated
versions of the popular freeware/shareware/commercial virus detectors
and disinfection tools.
-- 
Dave Platt                                             VOICE: (415) 493-8805
  UUCP: ...!{ames,apple,uunet}!coherent!dplatt   DOMAIN: dplatt@coherent.com
  INTERNET:       coherent!dplatt@ames.arpa,  ...@uunet.uu.net 
  USNAIL: Coherent Thought Inc.  3350 West Bayshore #205  Palo Alto CA 94303
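
The check Norstad and Dave recommend (look in the Desktop file's resource
fork for WDEF resources, and for WDEF only it is safe to just delete the
resource) in a form you can run against a fork image.  This is an added
example, not code from VirusDetective, Disinfectant, Eradicator! or anyone
posting here.  The fork layout is the documented Inside Macintosh one; the
Desktop contents and the WDEF 0 payload below are constructed stand-ins, not
the virus.  A hit is a reason to open the file in ResEdit, not proof by
itself.

```python
"""Scan a Macintosh Desktop file's resource fork for WDEF resources.

Added example for this thread; not code from Norstad, Shulman, Platt or
anyone else quoted here.  Resource fork layout per Inside Macintosh
(Resource Manager); the Desktop contents below are constructed stand-ins.
"""
import struct

RES_HEADER = struct.Struct(">IIII")  # data offset, map offset, data len, map len
MAP_HEADER_LEN = 28                 # 16-byte header copy + handle, refnum, attrs, 2 offsets
CODE_TYPES = {"WDEF", "CDEF", "MDEF", "LDEF", "INIT", "CODE", "DRVR", "PACK"}


def build_resource_fork(resources):
    """Assemble a resource fork from [(type, id, name or None, payload)]."""
    data, by_type, offsets = bytearray(), {}, []
    for rtype, rid, name, payload in resources:
        offsets.append(len(data))
        data += struct.pack(">I", len(payload)) + payload       # 4-byte length prefix
        by_type.setdefault(rtype, []).append((rid, name, offsets[-1]))
    names, name_off = bytearray(), {}
    for rtype, entries in by_type.items():
        for rid, name, _ in entries:
            if name is not None:                                # Pascal strings
                name_off[(rtype, rid)] = len(names)
                enc = name.encode("mac_roman")
                names += bytes([len(enc)]) + enc
    ntypes = len(by_type)
    type_list = bytearray(struct.pack(">H", (ntypes - 1) & 0xFFFF))
    ref_lists = bytearray()
    for rtype, entries in by_type.items():
        ref_off = 2 + 8 * ntypes + len(ref_lists)               # from start of type list
        type_list += rtype.encode("mac_roman") + struct.pack(">HH", len(entries) - 1, ref_off)
        for rid, name, doff in entries:                         # 12-byte reference entries
            ref_lists += struct.pack(">hH", rid, name_off.get((rtype, rid), 0xFFFF))
            ref_lists += b"\0" + doff.to_bytes(3, "big") + b"\0\0\0\0"  # attrs, offset, handle
    type_list += ref_lists
    name_list_off = MAP_HEADER_LEN + len(type_list)
    data_off, map_len = 256, name_list_off + len(names)
    header = RES_HEADER.pack(data_off, data_off + len(data), len(data), map_len)
    res_map = header + bytes(8) + struct.pack(">HH", MAP_HEADER_LEN, name_list_off) + type_list + names
    return header + bytes(data_off - 16) + bytes(data) + res_map


def list_resources(fork):
    """Walk the resource map; return [(type, id, name or None, payload)]."""
    data_off, map_off, _, _ = RES_HEADER.unpack_from(fork, 0)
    type_list_off, name_list_off = struct.unpack_from(">HH", fork, map_off + 24)
    type_list, name_list = map_off + type_list_off, map_off + name_list_off
    ntypes = (struct.unpack_from(">H", fork, type_list)[0] + 1) & 0xFFFF
    out = []
    for i in range(ntypes):
        entry = type_list + 2 + 8 * i
        rtype = fork[entry:entry + 4].decode("mac_roman")
        count, ref_off = struct.unpack_from(">HH", fork, entry + 4)
        for j in range(count + 1):
            ref = type_list + ref_off + 12 * j
            rid, noff, _attrs = struct.unpack_from(">hHB", fork, ref)
            doff = data_off + int.from_bytes(fork[ref + 5:ref + 8], "big")
            length = struct.unpack_from(">I", fork, doff)[0]
            name = None
            if noff != 0xFFFF:
                n = fork[name_list + noff]
                name = fork[name_list + noff + 1:name_list + noff + 1 + n].decode("mac_roman")
            out.append((rtype, rid, name, bytes(fork[doff + 4:doff + 4 + length])))
    return out


def scan_desktop(fork):
    """List code-bearing resources in a Desktop fork.  Finder keeps icons,
    bundles, comments and signature resources there, not window definitions."""
    return [(t, i, n) for t, i, n, _ in list_resources(fork) if t in CODE_TYPES]


def strip_code_resources(fork):
    """Rebuild the fork without the flagged resources (safe for WDEF per the
    thread; not a general disinfector for viruses that patch real code)."""
    return build_resource_fork([r for r in list_resources(fork) if r[0] not in CODE_TYPES])


# Constructed Desktop contents: typical Finder bookkeeping entries.
CLEAN_DESKTOP = build_resource_fork([
    ("ICN#", -16455, None, bytes(256)),
    ("FREF", 128, None, b"APPL\0\0\0\0"),
    ("BNDL", 128, None, b"MyAp\0\0\0\1"),
    ("FCMT", 128, "readme", b"\x05hello"),
])
# Same Desktop plus a WDEF 0 entry; the payload is a stand-in, not virus code.
INFECTED_DESKTOP = build_resource_fork(
    list_resources(CLEAN_DESKTOP) + [("WDEF", 0, None, b"\x4e\x75")]
)

if __name__ == "__main__":
    print("clean:", scan_desktop(CLEAN_DESKTOP))
    print("infected:", scan_desktop(INFECTED_DESKTOP))
    print("after strip:", scan_desktop(strip_code_resources(INFECTED_DESKTOP)))
```

To use it on a real disk you would feed list_resources() the bytes of the
Desktop file's resource fork; do it from a program other than the Finder, as
Dave says, so the file is closed while you read and rewrite it.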

pff@beach.cis.ufl.edu (Pablo Fernicola) (12/09/89)

In which files should I look for the WDEF resource??

Thanks!
Pablo
pff@beach.cis.ufl.edu
--
pff@beach.cis.ufl.edu - Pablo Fernicola - Machine Intelligence Laboratory - UF
		IF YOU CARE ENOUGH TO READ SIGNATURES ...
	I am graduating next year and I am looking for a job.  
MS/BS EE, my graduate work incorporates OO-DBMS/Graphics/Robotics/AI

jln@accuvax.nwu.edu (John Norstad) (12/09/89)

Unfortunately, we have received two reports of serious problems with
version 1.0 of the Eradicator! INIT that I posted a few days ago, even
on 68020 and 68030-based machines.  So I recommend that you do not use it.

We received source code for the INIT from the authors in Belgium yesterday,
and we are working on what we hope will be a more reliable version, and one
that will also work on 68000-based Macs.

I think it's worth briefly repeating what we know about this thing so far.
We have completely disassembled it, we've tested it and watched it spread.
It is definitely a real virus.  It has been reported in Belgium and at
Northwestern Univ, Univ of Texas, Stanford Univ, Univ of New Mexico, and
now the Univ of Michigan.  It spreads from Desktop file to Desktop file.
It doesn't infect applications, documents, or system files.  It gets past
all of the currently popular protection INITs, including Vaccine,
GateKeeper, SAM Intercept, and Virex INIT.  None of the current detection/
repair programs can detect it, except for Virus Detective (when properly
configured with a new search string).

Even though the WDEF virus does not INTENTIONALLY try to do any damage, it
contains serious bugs which DO CAUSE DAMAGE.  Here's the damage that we've
seen or heard reports of so far:

1. It causes Mac IIcis to crash always.  We know why.

2. It probably causes portables to crash, but we haven't tested this yet.

3. Several people have observed significantly more frequent crashes on
Mac IIcxs, especially when trying to save files, and especially in MS Word 
4.0.  We have heard enough reports of this to be fairly confident that it
is indeed the virus that is causing the crashes, but we don't yet know why.

4. We have two reports of damaged floppy disks on infected systems.  In
fact, here at NU that was how the virus was discovered: my coworker Albert
Lunde was helping a user try to recover a damaged floppy, and he saw the
string "WDEFVIRUS" on the disk.  We are not yet positive that the virus
caused this damage, but two independent reports are enough to cause us
concern.

5. We know that the virus can cause serious performance problems on
AppleTalk networks with AppleShare servers.  We have been able to duplicate
the problem, but we do not yet understand why it happens or in exactly what
set of circumstances.

To summarize: It is definitely a virus.  It appears to be widespread.  It
causes damage unintentionally.  We thoroughly understand the basic 
replication mechanism.  We understand some of the damage it can cause, but
we're still trying to figure out some of the other damage it can cause.

Research on this continues.  The authors of all of the various anti-virus
programs and packages are working together on the Internet, together with
other experts.  We'll keep you posted as we know more.

I will be releasing a new version of my Disinfectant program (1.4) early
next week to detect and remove this new WDEF virus.

John Norstad          Northwestern University       jln@acns.nwu.edu

6600pete@hub.UUCP (12/10/89)

From article <1501@rodan.acs.syr.edu>, by wwtaroli@rodan.acs.syr.edu (Bill Taroli):
> if this WDEF does have code in it that's installing resources into
> the Desktop then why are the virus detection programs (like GateKeeper) not
> able to catch it?

Because they don't watch the Desktop file.

> one thing that people who seem to be very knowledgable
> about this virus have said next to nothing about how it actually gets in, 

Yes, the people who know about the internal workings of the virus would rather
post those workings to give other virus vandals a chance to write better
viruses rather than spending their time on programs to kill the virus. Yeah,
the whole thing is a hoax, you're right. What are you thinking?

> why (again) this would make it more difficult to find than say nVIR...

It's not. It's easy to find. With ResEdit.

Read the postings from Norstad headed "Don't Use Eradicator! 1.0 INIT" and
a followup from him to this thread.
-------------------------------------------------------------------------------
Pete Gontier   | InterNet: 6600pete@ucsbuxa.ucsb.edu, BitNet: 6600pete@ucsbuxa
Editor, Macker | Online Macintosh Programming Journal; mail for subscription
Hire this kid  | Mac, DOS, C, Pascal, asm, excellent communication skills

jacobson@uxe.cso.uiuc.edu (12/10/89)

Let me add my comments. You may have already seen my post. The last two days
I have had problems with the display of outline on my SE at work (and a
Mac II I had used the same day sharing floppies!). The day before I had been
on campus using the Apple Scanner in one of the labs, and the floppy I had been
using is the same floppy I used on both machines that have displayed the
font outline problem. Now I got it to go away by putting in new system
files. I am suspicious of the floppy and will have to check it out. However,
since Eradicator bombs on 68000 machines like my SE at work, the only machine
I can check it on is my SE/30 here at home (where I am now). I am now wondering
if I have the WDEF virus---the symptoms you describe are identical. One
interesting note is that they disappear when I leave MultiFinder and go to Finder.

Russ Jacobson
Illinois Geological Survey

jacobson@uxe.cso.uiuc.edu (12/10/89)

I wanted to add another symptom of WDEF. It is here at the U of Illinois;
I picked it up on a Mac II with scanner at the Microcomputer lab two days
ago. After that time (and before I realized I had WDEF) I started having
problems with screen displays of my fonts (I have posted a message earlier;
now I know the source of the trouble). What happened is just like another
poster yesterday described. In particular the outline style would not
display on my fonts. I also got messages when printing about Chicago
12 not being present and the LaserPrinter trying to substitute sometimes.
 
After getting WDEF out of my Desktop via rebuilding the desktop file,
all these symptoms ended. Anyway, this is another effect of WDEF!
 
Russ Jacobson
Illinois Geological Survey

vallon@sboslab15.cs.sunysb.edu (Justin Vallon) (12/12/89)

In article <3277@hub.UUCP>, 6600pete@hub.UUCP writes:
> From article <1501@rodan.acs.syr.edu>, by wwtaroli@rodan.acs.syr.edu
(Bill Taroli):
> > if this WDEF does have code in it that's installing resources into
> > the Desktop then why are the virus detection programs (like GateKeeper) not
> > able to catch it?
> 
> Because they don't watch the Desktop file.

Wouldn't Vaccine catch AddResource('WDEF', 0) no matter where it happens?
I didn't know that Vaccine ignored references to the Desktop file.  It
would seem that the authors of Vaccine were putting a great big hole in
their protection if they let references to the Desktop get through.

I can see how Gatekeeper could be fooled because it does not distinguish
between calls of AddResource('MSWD', 0) and AR('WDEF', 0).  Maybe GK should
check what's going in, and have protection for standard resources, and
executable resources.

>-----------------------------------------------------------------------------
>Pete Gontier  | InterNet: 6600pete@ucsbuxa.ucsb.edu, BitNet: 6600pete@ucsbuxa
>Editor, Macker | Online Macintosh Programming Journal; mail for subscription
>Hire this kid  | Mac, DOS, C, Pascal, asm, excellent communication skills

-Justin
vallon@sbcs.sunysb.edu

russotto@eng.umd.edu (Matthew T. Russotto) (12/12/89)

In article <4221@sbcs.sunysb.edu> vallon@sboslab15.cs.sunysb.edu (Justin Vallon) writes:
>I can see how Gatekeeper could be fooled because it does not distinguish
>between calls of AddResource('MSWD', 0) and AR('WDEF', 0).  Maybe GK should
>check what's going in, and have protection for standard resources, and
>executable resources.
Huh? This is exactly how GateKeeper works!  Maybe 'WDEF' just isn't on
its standard list of code-containing resources.
>
>-Justin
>vallon@sbcs.sunysb.edu


--
Matthew T. Russotto	russotto@eng.umd.edu	russotto@wam.umd.edu
][, ][+, ///, ///+, //e, //c, IIGS, //c+ --- Any questions?

mystone@mondo.engin.umich.edu (Dean Yu) (12/12/89)

In article <4221@sbcs.sunysb.edu> vallon@sboslab15.cs.sunysb.edu (Justin Vallon) writes:
>In article <3277@hub.UUCP>, 6600pete@hub.UUCP writes:
>> From article <1501@rodan.acs.syr.edu>, by wwtaroli@rodan.acs.syr.edu
>(Bill Taroli):
>> > if this WDEF does have code in it that's installing resources into
>> > the Desktop then why are the virus detection programs (like GateKeeper) not
>> > able to catch it?
>> 
>> Because they don't watch the Desktop file.
>

  Wrong.

>Wouldn't Vaccine catch AddResource('WDEF', 0) no matter where it happens?
>I didn't know that Vaccine ignored references to the Desktop file.  It
>would seem that the authors of Vaccine were putting a great big hole in
>their protection if they let references to the Desktop get through.
>
>I can see how Gatekeeper could be fooled because it does not distinguish
>between calls of AddResource('MSWD', 0) and AR('WDEF', 0).  Maybe GK should
>check what's going in, and have protection for standard resources, and
>executable resources.
>

  There's nothing wrong with Vaccine or GateKeeper.  I just got done perusing
the WDEF virus, and it does some pretty sneaky things to get around the current
watch-dog style protection programs.  I'm not going to say what it does.  Just
trust me when I say that it's pretty clever.  And sick.
  For the record, Vaccine doesn't care where the WriteResource or AddResource
comes from, so there's no casing out of the DeskTop file.  As a matter of
fact, if anyone has ever had Vaccine on when you're updating your System
File, you'll know that it catches pretty much every single resource call.

_______________________________________________________________________________
Dean Yu                            | E-mail: mystone@caen.engin.umich.edu
Self-declared License Czar         | Real-mail: Dean Yu
University of Michigan             |            909 Church St
Computer Aided Engineering Network |            Apt C
     INCLUDE 'Disclaimers.a'       |            Ann Arbor, MI 48104
-------------------------------------------------------------------------------

jrk@sys.uea.ac.uk (Richard Kennaway) (12/13/89)

In article <4221@sbcs.sunysb.edu> vallon@sboslab15.cs.sunysb.edu (Justin Vallon) writes:
>In article <3277@hub.UUCP>, 6600pete@hub.UUCP writes:
>> From article <1501@rodan.acs.syr.edu>, by wwtaroli@rodan.acs.syr.edu
>(Bill Taroli):
>> > if this WDEF does have code in it that's installing resources into
>> > the Desktop then why are the virus detection programs (like GateKeeper) not
>> > able to catch it?
>> 
>I can see how Gatekeeper could be fooled because it does not distinguish
>between calls of AddResource('MSWD', 0) and AR('WDEF', 0).  Maybe GK should
>check what's going in, and have protection for standard resources, and
>executable resources.

But that's exactly what it does (version 1.1.1).  It has a list of "sacred"
resource types (including WDEF), and any file trying to add, modify, or
delete any such resource requires "Resource" permission from GateKeeper to
do so.  For details, see GateKeeper's on-line documentation.

I just tried the experiment of creating a file whose type and creator were
'WDEF', signature resource of type 'WDEF', id 0, and appropriate BNDL, FREF,
and ICN#.  When Finder first saw this file, GateKeeper notified an attempt
to AddResource('WDEF',0) by Finder on the DeskTop file.  Works as
advertised.  Note that Finder does not require Resource permissions from
GateKeeper and should not be given them.

I haven't seen the WDEF virus here, so cannot speculate on why GateKeeper
would not stop it, nor on whether the virus might be just a badly chosen
signature resource type.

--
Richard Kennaway          SYS, University of East Anglia, Norwich, U.K.
Internet:  jrk@sys.uea.ac.uk		uucp:  ...mcvax!ukc!uea-sys!jrk

vallon@sbmiclr.cs.sunysb.edu (Justin Vallon) (12/13/89)

In article <1989Dec12.044029.19171@eng.umd.edu>, russotto@eng.umd.edu
(Matthew T. Russotto) writes:
> In article <4221@sbcs.sunysb.edu>, I wrote:
> >I can see how Gatekeeper could be fooled because it does not distinguish
> >between calls of AddResource('MSWD', 0) and AR('WDEF', 0).  Maybe GK should
> >check what's going in, and have protection for standard resources, and
> >executable resources.
> Huh? This is exactly how gatekeeper works!  Maybe 'WDEF' just isn't on
> its standard list of code-containing resources.

My original suggestion was to have a new privilege for "Code"-containing
resources, and "Safe" resources.  This way, we could give almost everybody
"Safe" privileges without worrying, and "Code" resources to only certain
programs (F/DA Mover, Compilers, ResEdit, etc).

I have a question.  Does GateKeeper only intercept calls to resource
modifications of code-containing resources, or all resources?  If GateKeeper
only traps code-containing resource modifications, then why is it necessary
to give the Finder Res/Other privileges?  I was under the impression that
GateKeeper traps all resource modifications, hence the necessity for Res/
Other privileges for the Finder.

Unfortunately, I don't think the documentation gives any indication about
(a) whether it traps all resources, or (b) if not all, then the ones that
it does trap.

> Matthew T. Russotto	russotto@eng.umd.edu	russotto@wam.umd.edu
> ][, ][+, ///, ///+, //e, //c, IIGS, //c+ --- Any questions?

-Justin
vallon@sbcs.sunysb.edu

6600pete@hub.UUCP (12/13/89)

From article <1989Dec12.103124.7074@caen.engin.umich.edu>, by mystone@mondo.engin.umich.edu (Dean Yu):
> In article <4221@sbcs.sunysb.edu> vallon@sboslab15.cs.sunysb.edu (Justin Vallon) writes:
>>In article <3277@hub.UUCP>, 6600pete@hub.UUCP writes:
>>> From article <1501@rodan.acs.syr.edu>, by wwtaroli@rodan.acs.syr.edu
>>(Bill Taroli):
>>> > if this WDEF does have code in it that's installing resources into
>>> > the Desktop then why are the virus detection programs (like GateKeeper) not
>>> > able to catch it?
>>> 
>>> Because they don't watch the Desktop file.
>   Wrong.

In my haste to convince people that the WDEF virus does in fact exist, I made
an incorrect guess about how it was going about its dirty-work. I still don't
know, and I don't want to know. Probably a bit like knowing how to build a
nuclear weapon.
-------------------------------------------------------------------------------
Pete Gontier   | InterNet: 6600pete@ucsbuxa.ucsb.edu, BitNet: 6600pete@ucsbuxa
Editor, Macker | Online Macintosh Programming Journal; mail for subscription
Hire this kid  | Mac, DOS, C, Pascal, asm, excellent communication skills

folta@tove.umd.edu (Wayne Folta) (12/13/89)

>I have a question.  Does GateKeeper only intercept calls to resource
>modifications of code-containing resources, or all resources?  If GateKeeper
>only traps code-containing resource modifications, then why is it necessary
>to give the Finder Res/Other privileges?  I was under the impression that
>GateKeeper traps all resource modifications, hence the necessity for Res/
>Other privileges for the Finder.
>
>Unfortunately, I don't think the documentation gives any indication about
>(a) whether it traps all resources, or (b) if not all, then the ones that
>it does trap.

I believe GateKeeper Documentation does state what it traps.  Looking at
GateKeeper's Type resource #1, I see: CODE, INIT, DRVR, cdev, RDEV, FKEY,
FMTR, LDEF, MBDF, MDEF, MMAP, ADBS, CACH, CDEF, atpl, NBPC, PACK, PDEF,
PTCH, SERD, WDEF, mppc, snth, CUST, XCMD, XFCN.  This is documented at the
end of the on-line help.  So... GateKeeper thinks that it does trap WDEF.
--


Wayne Folta          (folta@cs.umd.edu  128.8.128.8)

jjw7384@ultb.isc.rit.edu (J.J. Wasilko) (12/14/89)

In article <1989Dec12.044029.19171@eng.umd.edu> russotto@eng.umd.edu (Matthew T. Russotto) writes:
>In article <4221@sbcs.sunysb.edu> vallon@sboslab15.cs.sunysb.edu (Justin Vallon) writes:
>>I can see how Gatekeeper could be fooled because it does not distinguish
>>between calls of AddResource('MSWD', 0) and AR('WDEF', 0).  Maybe GK should
>>check what's going in, and have protection for standard resources, and
>>executable resources.
>Huh? This is exactly how gatekeeper works!  Maybe 'WDEF' just isn't on
>its standard list of code-containing resources.

Whenever I install the SuperSpool DA (which contains a WDEF) Vaccine
always catches it. It also catches the fact that WinChooser is adding a
WDEF resource.

Why doesn't it catch the addition of a WDEF resource to the Desktop
file?

Jeff

ephraim@kulla (Ephraim Vishniac) (12/14/89)

In article <1042@sys.uea.ac.uk> jrk@uea-sys.UUCP (Richard Kennaway) writes:
>I haven't seen the WDEF virus here, so cannot speculate on why GateKeeper
>would not stop it, nor on whether the virus might be just a badly chosen
>signature resource type.

I just did a quick tour of my own Desktop file, and found that the
Finder doesn't copy signature resources into it.  Instead, it creates
resources of the same type containing just six bytes of data.  Since
the virus is over six bytes long, I think we can rule this out as its
origin or original means of transmission.

I don't know what the six bytes of data are in each signature resource
in the Desktop.  Anybody have a guess?
Ephraim Vishniac    ephraim@think.com   ThinkingCorp@applelink.apple.com
 Thinking Machines Corporation / 245 First Street / Cambridge, MA 02142
        One of the flaws in the anarchic bopper society was
        the ease with which such crazed rumors could spread.

chrisj@ut-emx.UUCP (Chris Johnson) (12/14/89)

In article <4227@sbcs.sunysb.edu> vallon@sbmiclr.cs.sunysb.edu (Justin Vallon) writes:
>My original suggestion was to have a new privilege for "Code"-containing
>resources, and "Safe" resources.  This way, we could give almost everybody
>"Safe" privileges without worrying, and "Code" resources to only certain
>programs (F/DA Mover, Compilers, ResEdit, etc).

That's exactly what the existing privilege scheme does.

>I have a question.  Does GateKeeper only intercept calls to resource
>modifications of code-containing resources, or all resources?  If GateKeeper
>only traps code-containing resource modifications, then why is it necessary
>to give the Finder Res/Other privileges?  I was under the impression that
>GateKeeper traps all resource modifications, hence the necessity for Res/
>Other privileges for the Finder.

Gatekeeper will only consider interfering with attempts to modify executable
resources.  By definition, all other resources are harmless.

By the way, it is *NOT* necessary to give the Finder Res(Other) privileges.
The Finder needs File(Other) privileges which are a totally different issue.
Every version of Gatekeeper has included a list of required privileges, and
the Finder has always been listed as requiring *only* File(Other) privileges.
It has never been listed as requiring anything more.  Version 1.1.1 even
comes preconfigured, and, again the Finder gets File(Other) and nothing else.

This is important because giving the Finder Res(Other) privileges opens up
a big doorway to viruses that would otherwise be stopped effortlessly.

>Unfortunately, I don't think the documentation gives any indication about
>(a) whether it traps all resources, or (b) if not all, then the ones that
>it does trap.

>-Justin
>vallon@sbcs.sunysb.edu

The documentation discusses this and even tells you how to edit the resource
type tables that Gatekeeper uses to distinguish the different types of 
resources, e.g. executable resources vs. solely virus related resources.
Refer to the on-line help in the Advanced Configuration section.

I don't talk about other aspects of Gatekeeper's security system because
I want would-be virus authors to waste lots of their time trying to figure
out all those details for themselves.  Beyond that, it would just intimidate
most users trying to understand the product, without doing anything to
improve their understanding of the product.

Cheers,
----Chris (Johnson)
----Author of Gatekeeper
----chrisj@emx.utexas.edu
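
As an added illustration of the privilege scheme Richard and Chris describe above (my own model in Python, not Gatekeeper's code; the Watchdog class and its decision logic are assumptions, while the executable-type list is the one Wayne posted from Gatekeeper's Type resource), here is a check that shows why the Finder needs only File(Other):

```python
from dataclasses import dataclass, field

# Types Gatekeeper 1.1.1 treats as executable, as Wayne Folta read them
# out of its Type resource #1 earlier in this thread.
EXECUTABLE_TYPES = frozenset("""
CODE INIT DRVR cdev RDEV FKEY FMTR LDEF MBDF MDEF MMAP ADBS CACH CDEF atpl
NBPC PACK PDEF PTCH SERD WDEF mppc snth CUST XCMD XFCN
""".split())


@dataclass
class Watchdog:
    """Hypothetical model of the AddResource interception (my assumption of
    the scheme; not Gatekeeper's own code).  Only writes to files other than
    the caller's own are modelled, so the relevant privilege is Res(Other)."""
    privileges: dict            # application name -> set of privilege names
    log: list = field(default_factory=list)

    def add_resource(self, caller, target_file, res_type, res_id):
        """Return True if the call goes through, False if it is blocked."""
        if res_type not in EXECUTABLE_TYPES:
            verdict = "allow"   # harmless by definition; never examined
        elif "Res(Other)" in self.privileges.get(caller, set()):
            verdict = "allow"   # e.g. ResEdit, Font/DA Mover
        else:
            verdict = "block"   # notify the user and refuse the write
        self.log.append((caller, target_file, res_type, res_id, verdict))
        return verdict == "allow"


def demo():
    """Finder configured as the documentation says: File(Other) only."""
    wd = Watchdog({"Finder": {"File(Other)"}, "ResEdit": {"Res(Other)"}})
    return {
        # Kennaway's experiment: a 'WDEF' signature copied into the Desktop
        "finder_wdef": wd.add_resource("Finder", "Desktop", "WDEF", 0),
        # the Finder's normal bookkeeping goes through untouched
        "finder_mswd": wd.add_resource("Finder", "Desktop", "MSWD", 0),
        "finder_bndl": wd.add_resource("Finder", "Desktop", "BNDL", 128),
        # a resource editor installing a window definition legitimately
        "resedit_wdef": wd.add_resource("ResEdit", "System", "WDEF", 0),
    }


def misconfigured_finder():
    """Chris's warning: give the Finder Res(Other) and the same write passes."""
    wd = Watchdog({"Finder": {"File(Other)", "Res(Other)"}})
    return wd.add_resource("Finder", "Desktop", "WDEF", 0)
```

The model blocks the Finder's 'WDEF' write to the Desktop while letting its 'MSWD' and BNDL bookkeeping through, which matches what Richard observed; it does not attempt to model whatever the virus does to evade the check.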

amanda@mermaid.intercon.com (Amanda Walker) (12/14/89)

In article <32155@news.Think.COM>, ephraim@kulla (Ephraim Vishniac) writes:
> I don't know what the six bytes of data are in each signature resource
> in the Desktop.  Anybody have a guess?

Resource ID's for the application's BNDL resource, and so on.

Who says the resource manager isn't a database? :-)

--Amanda
--

rubinoff@linc.cis.upenn.edu (Robert Rubinoff) (12/14/89)

In article <32155@news.Think.COM> ephraim@think.com (Ephraim Vishniac) writes:
>I just did a quick tour of my own Desktop file, and found that the
>Finder doesn't copy signature resources into it.  Instead, it creates
>resources of the same type containing just six bytes of data.

>I don't know what the six bytes of data are in each signature resource
>in the Desktop.  Anybody have a guess?


It's the resource ID of the BNDL corresponding to that signature.



  Robert

mystone@mondo.engin.umich.edu (Dean Yu) (12/14/89)

In article <1748@ultb.isc.rit.edu> jjw7384@ultb.isc.rit.edu (J.J. Wasilko) writes:
>Whenever I install the SuperSpool DA (which contains a WDEF) Vaccine
>always catches it. It also catches the fact that WinChooser is adding a
>WDEF resource.
>
>Why doesn't it catch the addition of a WDEF resource to the Desktop
>file?
>
>Jeff

  Because the WDEFs from SuperSpool and WinChooser are normal WDEFs and
don't do anything to prevent Vaccine from warning you about it, which is
the way it should be.  The WDEF virus knows about Vaccine and GateKeeper
and performs specific actions to bypass them, which is why neither flags
the addition of a WDEF to your Desktop.
