[comp.sys.mac] Right of reply, virus- public, private- a thin line

davidf@cs.hw.ac.uk (David.J.Ferbrache) (02/20/89)

I hope the group will excuse me posting this single followup to the posting by
Jim Wright questioning why the technical report will be given a restricted
circulation.

Firstly, I have never in the past tried to hush up the virus issue; in fact
I distribute the virus-l public mailing list to the UK, and have set up an
information server to distribute details of known viruses, disinfection
software and general information on viruses to any site in the UK.

I will be using any information gathered to put together a compendium of
known viruses for posting on the World wide virus-l mailing list. I therefore
contest any implication that I have in any way tried to hush up details of
viruses.

Secondly, there are just two categories of information which I will not
distribute freely: disassembled source code for viruses, and
details of infection reports that I receive in confidence from any
commercial (or indeed academic) establishments. The report I am writing
will be dealing with the operation of known viruses in great detail. I
suspect that it will probably be suitable for public distribution, although
the last thing I want to do is to extend the virus menace.

Anyone involved in the virus field will know the widespread outrage that
followed the release of the source code of even benign viruses. The entire
field is very sensitive, and any person writing a report treads a wary line
between being flamed for being secretive and being flamed for being too open.
Sigh.

I agree secrecy is not a means for security. Unfortunately at this time
there is a battle between virus writer and virus disinfection program writer.
There are strong indications that each time a virus's source code is
published, either in an academic journal or a popular journal, a large number
of mutant strains pop up. The Apple Mac Hpat virus may be an example of this.

I will await follow-ups to these and Jim's comments on comp.misc with
great interest.

Dave Ferbrache                            Personal mail to:
Dept of computer science                  Internet <davidf@cs.hw.ac.uk>
Heriot-Watt University                    Janet    <davidf@uk.ac.hw.cs>
79 Grassmarket                            UUCP     ..!mcvax!hwcs!davidf 
Edinburgh,UK. EH1 2HJ                     Tel      (UK) 031-225-6465 ext 553

Bob_BobR_Retelle@cup.portal.com (02/22/89)

I agree that this is a sensitive matter...  the  *ONLY*  time I ever tried
to suppress any topic of discussion on GEnie was when the discussion of
"Trojan Horses" got too close to discussing  ACTUAL  methods of destructive
programming..  (the term "virus" hadn't yet entered into things..)
 
I didn't want my Roundtable to be the inspiration for some 16-year old
"hacker" to "make a name for himself" by using the information in a 
destructive manner...  
 
I did take some flak in the interests of "Freedom of Speech", but in this
case I felt it was justified...
 
Where do you draw the line...?   Are we better prepared if we see what most
destructive programs look like..?  Or...  can we possibly avoid future
problems by suppressing this information now..?
 
I'd like to see the source code for these "viruses", but who's to believe
that *I* won't use them destructively...?
 
No answers, I'm afraid...
 
BobR

fmr@cwi.nl (Frank Rahmani) (02/23/89)

> Where do you draw the line...?   Are we better prepared if we see what most
> destructive programs look like..?  Or...  can we possibly avoid future
> problems by suppressing this information now..?
Yes, you are better prepared when you know what ALL (not most) viruses
look like. Once you've got one, you can easily identify it, write your own
virus-checkers etc. And what do you mean by 'suppressing this information'?
You would be the FIRST person in the world if you managed to do so.
You just can't. Nobody can. You just get people curious. I saw experienced
programmers spending their time disassembling the INTERNET-virus. Not
because they want to duplicate it; they just want to know how it works,
so they can find remedies against it.
> I'd like to see the source code for these "viruses", but who's to believe
> that *I* won't use them destructively...?
I want to see the source too. So that I know what hits me in the night.
I'm very sure I won't use them destructively (except on my own stuff:-).
I hate to see some 16-year old breaking my system and I don't even
know how he did it.
> No answers, I'm afraid...
The only answer is: spread your information; only informed people can
take the right decisions.
> BobR
fmr@cwi.nl
-- 
It is better never to have been born. But who among us has such luck?
Maintainer's Motto:
	If we can't fix it, it ain't broke.
These opinions are solely mine and in no way reflect those of my employer.  

trebor@biar.UUCP (Robert J Woodhead) (02/23/89)

In article <14940@cup.portal.com> Bob_BobR_Retelle@cup.portal.com asks:
>Where do you draw the line...?   Are we better prepared if we see what most
>destructive programs look like..?  Or...  can we possibly avoid future
>problems by suppressing this information now..?

In the history of the world, no effort to suppress technological change
has ever had more than a temporary effect.  The real question is not
"should we talk about this?" but rather "how can we discuss this in a
reasonable manner?"

One way to do this is differentiate between public and private comments;
the former should be non-technical and instructive; "Here is what to do
to detect and repair virus X".  The latter can be technical and
speculative; "Here is a new way to infect Mac applications; what can we
do to fix this?".

No matter what, information is going to leak out to those who would
use it irresponsibly.  The trick is to keep the people who are involved in
reducing the impact of such irresponsible behavior better informed than the
vandals.

PS: Being new on the net, I'm not hooked in to any private or semiprivate
discussions in re viruses.  If there are any newsgroups I should be reading,
or any mailing lists I should be on, please let me know.  Thank you.

+---------------------------------------------------------------------------+
| Robert J Woodhead      !uunet!cornell!biar!trebor     CompuServe 72447,37 |
| Biar Games, Inc., 10 Spruce Lane, Ithaca NY 14850  607-257-1708,3864(fax) |
+---------------------------------------------------------------------------+
| Games written, Viruses killed   "I'm the head honcho of this here spread; |
| While U Wait.  Take a number.    I don't need no stinking disclaimers!!!" |
+---------------------------------------------------------------------------+

hollombe@ttidca.TTI.COM (The Polymath) (02/24/89)

In article <14940@cup.portal.com> Bob_BobR_Retelle@cup.portal.com writes:
}I agree that this is a sensitive matter...  the  *ONLY*  time I ever tried
}to suppress any topic of discussion on GEnie was when the discussion of
}"Trojan Horses" got too close to discussing  ACTUAL  methods of destructive
}programming..  (the term "virus" hadn't yet entered into things..)

}Where do you draw the line...?   Are we better prepared if we see what most
}destructive programs look like..?  Or...  can we possibly avoid future
}problems by suppressing this information now..?
} 
}I'd like to see the source code for these "viruses", but who's to believe
}that *I* won't use them destructively...?

A point I haven't seen mentioned in any of these discussions:

All of the necessary information for constructing a virus can be found in
any advanced text on MS-DOS features and programming.  Of course, it isn't
all conveniently gathered in a chapter titled "Virus Construction", but
the data is there for anyone sufficiently knowledgeable and interested in
finding and using it.

In light of the above, the idea that you can prevent the spread of viri by
not discussing them in public is ludicrous.  You can't keep the
information out of the hands of the bad guys.  The best you can do is
inform the good guys and help them devise methods to protect themselves.
To develop such methods, you have to know what you're up against.

-- 
The Polymath (aka: Jerry Hollombe, hollombe@ttidca.tti.com)  Illegitimati Nil
Citicorp(+)TTI                                                 Carborundum
3100 Ocean Park Blvd.   (213) 452-9191, x2483
Santa Monica, CA  90405 {csun|philabs|psivax}!ttidca!hollombe

Bob_BobR_Retelle@cup.portal.com (02/24/89)

Frank Rahmani writes:
 
>I want to see the source too. So that I know what hits me in the night.
>I'm very sure I won't use them destructively (except on my own stuff:-).

OK, You trust me, and I trust you...    what about all those 16 year old
hackers out there "in the audience" that we both might not trust..?
 
>Yes, you are better prepared when you know what ALL (not most) viruses
>look like. Once you got one, you can easily identify it, write your own
>virus-checkers etc.
 
OK, maybe you and I can do this, and write our own "virus checkers" to
protect ourselves...
 
But what about the computer "users" like my mother... or the print shop
owner I just talked to today, whose hard drive was infested with a "virus"
inadvertently, and whose business was hanging in the balance..?
 
HE was lucky... he knew enough to be able to salvage his disks and HD..
but I seriously doubt he'd have been able to write his own "virus
checker".. the customer whose disk had infected his HD certainly didn't,
and  the print shop owner was up until midnight, trying to "vaccinate"
the customer's disks too...
 
I understand what you're saying, and I agree with most of it... but until
we can guarantee that what we post here won't harm someone, somewhere,
I still think that we should try to refrain from spreading this kind of
knowledge...
 
I know that we can't totally "suppress" this kind of information, but maybe
we can slow its progress...  ?
 
BobR

woodside@ttidca.TTI.COM (George Woodside) (02/24/89)

I promised long ago not to release copies of any virus anyone sent to me.
I still get several requests each month for copies, for all sorts of reasons.
I can understand the curiosity, but you just never know what might happen.
Some of them are not harmful, while others are very dangerous.

I happen to believe that keeping things secret is a good way to leave
users vulnerable, while making the viruses that much more effective. That's
why VKILLER not only detects and kills viruses, but will report on exactly
what any virus it recognizes will do. 

It might not be a bad idea to post the characteristics of the viruses 
I know about here. Perhaps a series of items, outlining one virus at a
time. I believe that information would be useful to anyone. If you're
not interested, I suggest the "N" key.

Please don't flood me with "Yes, do it" messages. I'll get started this
weekend, and start messages as soon as I can get them prepared at a level
that most people can understand. 

Meanwhile, if anyone has turned up any that VKILLER didn't recognize,
forward a copy, and I'll add it to the program, and the notes to go
here. I will not send any copies (of the virus) anywhere else.


-- 
*George R. Woodside - Citicorp/TTI - Santa Monica, CA 
*Path:       ..!{philabs|csun|psivax}!ttidca!woodside

greg@bilbo (Greg Wageman) (02/25/89)

In article <14940@cup.portal.com> Bob_BobR_Retelle@cup.portal.com writes:
>I agree that this is a sensitive matter...  the  *ONLY*  time I ever tried
>to suppress any topic of discussion on GEnie was when the discussion of
>"Trojan Horses" got too close to discussing  ACTUAL  methods of destructive
>programming..  (the term "virus" hadn't yet entered into things..)
> 
>I didn't want my Roundtable to be the inspiration for some 16-year old
>"hacker" to "make a name for himself" by using the information in a 
>destructive manner...  

Viruses and Trojan Horses came into being long before there were
computer conferences.  The solution to this problem is to educate
*everyone* about the nature of the beasts.  Keeping thousands of
innocent computer users ignorant to prevent giving the information to
a handful of jerks who can (and do) get the information elsewhere
(sometimes by discovering it themselves) makes little sense.

>Where do you draw the line...?   Are we better prepared if we see what most
>destructive programs look like..?  Or...  can we possibly avoid future
>problems by suppressing this information now..?

Suppressing the information???  What makes you think that you have any
control of this?  The information on how to write a virus is present
in any detailed system manual.  Any experienced programmer could write
a *killer* virus from the information in the Developer's docs.  It
doesn't always take a statement like "boot sectors make great places
to hide viruses" for someone whose mind works that way to see this.
The only information you are suppressing is that of how the current
crop of viruses work, and therefore the means to stop them.

>I'd like to see the source code for these "viruses", but who's to believe
>that *I* won't use them destructively...?

It isn't necessary to distribute working virus source code to
everyone; what is essential is that the method of operation of the
virus be thoroughly examined by experienced programmers, and the
information disseminated.  When the means of transmission and the hiding
places are known, it becomes simple to fight the disease.

Why not let "some 16-year old 'hacker' ... 'make a name for himself'"
by writing an *anti*-viral program?  Why do you assume that the
information *will* be used for harm?  You have a very cynical outlook
if that is the case.  Is it, perhaps, that you are just protecting
yourself, and the rest of us be damned?


Longish .signature follows.  Skip now, or don't complain!

Greg Wageman			ARPA:  greg@sj.ate.slb.com
Schlumberger Technologies	BIX:   gwage
1601 Technology Drive		CIS:   74016,352
San Jose, CA 95110-1397		UUCP: ...!uunet!sjsca4!greg
(408) 437-5198
------------------
Opinions expressed herein are solely the responsibility of the author.
(And the author wouldn't have it any other way.)

clubok@husc4.HARVARD.EDU (Kenneth Clubok) (02/25/89)

In all of this discussion on proliferating information about viruses, it seems
that the proponents of free exchange of information argue that it is impossible
to keep the information from those who want to make viruses, while that
information may be helpful to prevent their spread.  I would contend that 
neither statement is true.  Sure, anyone who is technically minded can find
the information in the manuals, but that is still a far cry from actually
finding source code listings in a magazine.  When source code is distributed,
anyone with an assembler can make minor modifications to the code that will
make the "mutant" virus undetectable by current virus detection programs. This
requires neither very much work nor much understanding of the workings of
viruses.  Thus, while some people will always be able to make new viruses,
it is possible to minimize that by restricting discussion.  On the other hand,
I seriously doubt that publishing source codes is very useful for preventing
the spread of viruses.  If a source code is published, then it already has
been disassembled and analyzed, and a method of detecting and removing it has
been found.  All that needs to be spread is that method, or better yet, PD
programs to do the job, but not the actual source code for the viruses.  
In short, I believe that the inevitable proliferation of mutants completely
outweighs the minimal advantages of publishing source codes.  Best to keep
the discussion to how to protect against viruses -- not how to make them.

Just thought I'd put my two-cents in.
Ken Clubok, Clubok@husc4.bitnet

dean@sun.soe.clarkson.edu (Dean Swan) (02/25/89)

I personally love viruses.  For those of us who do consulting on the side
it's nice to have a stupid excuse to make some extra money.  The only kind
of virus I can't stomach (Was that a pun?) is those nasty things that like
to do 'wipe-disk' type operations.  Not much protection against those things.

Dean Swan
Korex Software Corporation

dean@sun.soe.clarkson.edu

DISCLAIMER:  Please don't flood me with e-mail about this.  This was intended
             as only a half serious, humorous reply.  OK?  :-)

vail@tegra.UUCP (Johnathan Vail) (02/25/89)

I should have written down the particulars....

I was in a local bookstore and there was a *BOOK* on computer viruses.
This included chapters on history, types of viruses, different
operating systems and included source code in several languages for
some viruses.  It also had chapters on security viruses and how to
prevent and detect viruses.  Anyone can buy this book and be dangerous
now that the "secret" is out.  Having written a couple of viruses
myself I found the book informative and useful as far as it went.  I
even found a few things in it that I hadn't thought of.

I guess now we can discuss these things like we are reasonable adults?

"The death of God left the angels in a strange position."
 _____
|     | Johnathan Vail  | tegra!N1DXG@ulowell.edu
|Tegra| (508) 663-7435  | N1DXG @ 145.110-, 444.2+, 448.625-
 -----

steve@pnet51.cts.com (Steve Yelvington) (02/26/89)

Is it really necessary to cross-post this virus cr*p to four newsgroups, none
of which have ANYTHING to do with viruses or computer security? Please take it
elsewhere.

UUCP: {uunet!rosevax,amdahl!bungia,chinet,killer}!orbit!pnet51!steve
ARPA: crash!orbit!pnet51!steve@nosc.mil
INET: steve@pnet51.cts.com
  -----------
  -or-
  stag!thelake!steve@pwcs.StPaul.GOV
  "A member of STdNET -- the ST Developers' Network"

jrv@siemens.UUCP (James R Vallino) (02/26/89)

I just came across a notice for a one day conference next month which might
be of interest to anyone investigating viruses.  Here's some of the details:

Second Annual Computer Virus Clinic
New York City World Trade Center
Wednesday, March 15, 1989

8:45 Continental Breakfast
9:15 Virus Experiences
10:00 Anatomy of a Virus
10:45 Prevention (filtering)
11:30 Detection (monitoring)
12:15 Recovery
1:00 Lunch
2:00 The Experimentalist's View - I
2:45 The Experimentalist's View - II
3:30 Implications
4:15 Prognosis for the Future
5:00 Reception at Windows on the World

Cost $225
DPMA, Box 894, New York, NY 10005
(800) 835-2246  ext. 190



-- 
Jim Vallino	Siemens Corporate Research, Princeton, NJ
jrv@siemens.siemens.com
princeton!siemens!jrv
(609) 734-3331

Bob_BobR_Retelle@cup.portal.com (02/27/89)

Responding to various messages about viruses...
 
I agree that knowledge of the *existence* of viruses can be helpful..

I disagree that *specifics* of viruses, either source code, or *descriptions*
of how viruses work, can do anything other than guarantee their spread.
 
It's true that the information necessary to create a virus is available,
IF you know where to look, and IF you are experienced enough to make use
of that information.  Those who are advanced enough to do this *may* be
responsible enough to avoid using that information harmfully...  I agree
that there is *no way* to prevent anyone from using information obtained
through independent research like this, in a harmful way..
 
What I don't think is either helpful, or responsible, is to distill that
information and make it public, so those who might not otherwise be able to
use this *specific* information maliciously can take the work and expand
upon it.  (Maybe they'll take their anti-social tendencies and do something
else, like trying to break into Government computers)
 
I know how an Atom Bomb works.. that knowledge is NOT going to save me if
anyone uses one...  similarly, knowing the genetic makeup of the AIDS virus
won't protect anyone..
 
Even if my friend the print shop owner had known chapter and verse of how
Macintosh viruses work, it STILL wouldn't have prevented his hard drive
from being trashed.  The number of people who can make use of specific
information about computer viruses for *good* purposes is probably quite
small, when compared with the potential for abuses.
 
My point is, the average *user* cannot protect himself with knowledge of
*how* a virus works.. he needs a *practical application* he can run. In the
Atari ST world, we have several good virus killers, notably the work of
George Woodside in particular.  Knowing *how* a virus works is *not* going
to help to use George's program.  All it's going to do is to help someone to
write a new virus.
 
Far from hurting thousands of computer users by suppressing the *specifics*
of viruses, I think they would be FAR MORE at risk if the information is
made public.
 
BobR
 

jwi@lzfme.att.com (Jim Winer @ AT&T, Middletown, NJ) (02/27/89)

In article <1270@husc6.harvard.edu>, clubok@husc4.HARVARD.EDU (Kenneth Clubok) writes:
> ...When source code is distributed,
> anyone with an assembler can make minor modifications to the code that will
> make the "mutant" virus undetectable by current virus detection programs. This
> requires neither very much work nor much understanding of the workings of
> viruses.

Most virus detecting programs work by intercepting writes to the
hard disk and by checksumming programs before running them. A small
change in a virus is not going to  make it invisible to this type of
checking.

Jim Winer ..!lzfme!jwi 

I believe in absolute freedom of the press.
I believe that freedom of the press is the only protection we have
	from the abuses of power of the church, 
	from the abuses of power of the state,
	from the abuses of power of the corporate body, and 
	from the abuses of power of the press itself.
Those persons who advocate censorship offend my religion.

saj@chinet.chi.il.us (Stephen Jacobs) (02/28/89)

In general, I agree with the philosophy of publicising the UNIX password
encryption algorithm: if it can't be made secure enough to resist a
determined attack, publicise it so nobody will have a false sense of 
security.  Likewise the philosophy of having a 'crash' command in the
incompatible time sharing system: if there's no challenge in causing
mischief, why bother.  On the other hand, if George Woodside has to promise
absolutely no disclosure in order to get samples of viruses, that's no
problem.  Whatever it takes to make people feel comfortable.  As an aside:
judging by recent discussion in news.admin, 90+% of UNIX systems are
vulnerable to the mkdir trick.  Practically nobody uses it because it's
no fun.

laba-2he@e260-1e.berkeley.edu (Oliver Juang) (02/28/89)

What's the big deal about distributing the source code for viruses?  Compute!
publishes an entire book on the subject, with examples.  Furthermore anyone
with a disassembler can disassemble a virus.

Lawrence Y. Chiu; University of Berkeley, CA.

trebor@biar.UUCP (Robert J Woodhead) (03/01/89)

In article <20974@agate.BERKELEY.EDU> laba-2he@e260-1e.berkeley.edu (Oliver Juang) writes:
>
>What's the big deal about distributing the source code for viruses?  Compute!
>publishes an entire book on the subject, with examples.  Furthermore anyone
>with a disassembler can disassemble a virus.
>
>Lawrence Y. Chiu; University of Berkeley, CA.

The problem is that with source code, any jerk with MPW who can type can
release a mutated version of the virus in an attempt to avoid the current
detection programs (futile, we will catch it in a few weeks, but a pain).

Whereas to disassemble and modify a virus without the source code takes a
fair amount of knowledge and skill.

+---------------------------------------------------------------------------+
| Robert J Woodhead      !uunet!cornell!biar!trebor     CompuServe 72447,37 |
| Biar Games, Inc., 10 Spruce Lane, Ithaca NY 14850  607-257-1708,3864(fax) |
+---------------------------------------------------------------------------+
| Games written, Viruses killed   "I'm the head honcho of this here spread; |
| While U Wait.  Take a number.    I don't need no stinking disclaimers!!!" |
+---------------------------------------------------------------------------+

trebor@biar.UUCP (Robert J Woodhead) (03/01/89)

In article <1154@lzfme.att.com> jwi@lzfme.att.com (Jim Winer @ AT&T, Middletown, NJ) writes:
>Most virus detecting programs work by intercepting writes to the
>hard disk and by checksumming programs before running them. A small
>change in a virus is not going to  make it invisible to this type of
>checking.

Correct (sort of) but misleading.  Virus detecting inits such as Vaccine
work by intercepting certain resource manager calls.  Unfortunately, they
can get in the way.  Checksumming programs is fine, but it involves adding
checksums to each application or storing them in a central file; each is
vulnerable to viral action.  Viruses can be reprogrammed to avoid these.

Additionally, when you talk about detect and REPAIR programs, small changes
in viruses will make them invisible and/or unrepairable until the program
is updated.  This is because none of these programs want to take a chance of
"repairing" an uninfected version of "Whiz-bang-space-aliens v1.2" just
because it looks sort of like it is infected by a virus.  We are extremely
specific in our check criteria in order to avoid this unfortunate consequence.

+---------------------------------------------------------------------------+
| Robert J Woodhead      !uunet!cornell!biar!trebor     CompuServe 72447,37 |
| Biar Games, Inc., 10 Spruce Lane, Ithaca NY 14850  607-257-1708,3864(fax) |
+---------------------------------------------------------------------------+
| Games written, Viruses killed   "I'm the head honcho of this here spread; |
| While U Wait.  Take a number.    I don't need no stinking disclaimers!!!" |
+---------------------------------------------------------------------------+
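The two detection styles Jim Winer and Robert Woodhead argue over above (a checksum taken before a program is run, versus a deliberately exact pattern match that a one-byte edit can sidestep), as an added example that is not code from either poster nor from Vaccine or VKILLER. The "programs", the "virus" bytes and the secret key are constructed stand-ins; the example assumes the key lives somewhere the virus cannot read or write, which is exactly the weakness Woodhead points at in a plain checksum store.

```python
"""Keyed integrity baseline vs. exact signature scan (constructed demo data)."""
import hashlib
import hmac
import json

# Constructed stand-ins for program files and for a virus body. Nothing here
# is real executable code; the bytes only exist to be checksummed and scanned.
APPS = {
    "WhizBang": b"APPL\x00\x01 whiz-bang-space-aliens v1.2 code",
    "Editor":   b"APPL\x00\x02 text editor code",
}
VIRUS_BODY = b"\xde\xad\xbe\xef DEMO-VIRUS payload \x00"
SIGNATURES = {"DemoVirus": b"DEMO-VIRUS payload"}   # the scanner's exact criterion


def make_baseline(files, key):
    """Checksum every program before it is ever run. Using an HMAC with a key the
    virus does not hold means it cannot recompute a matching value for a file it
    altered, even if it can write to the baseline store."""
    return {name: hmac.new(key, data, hashlib.sha256).hexdigest()
            for name, data in files.items()}


def seal_baseline(baseline, key):
    """Checksum the checksum store itself, so tampering with the store shows up."""
    blob = json.dumps(baseline, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def baseline_intact(baseline, seal, key):
    return hmac.compare_digest(seal_baseline(baseline, key), seal)


def integrity_check(files, baseline, key):
    """Names of programs whose bytes no longer match the baseline (or are unknown)."""
    changed = []
    for name, data in files.items():
        digest = hmac.new(key, data, hashlib.sha256).hexdigest()
        if name not in baseline or not hmac.compare_digest(baseline[name], digest):
            changed.append(name)
    return changed


def signature_scan(files, signatures):
    """Exact substring match, kept strict so a clean file is never 'repaired'."""
    return [name for name, data in files.items()
            if any(sig in data for sig in signatures.values())]


def simulate_infection(program, virus):
    """Constructed stand-in for infection: the virus bytes are simply prepended."""
    return virus + program


def mutate(virus):
    """The 'minor modification with an assembler': flip one byte in the pattern."""
    body = bytearray(virus)
    body[body.index(b"DEMO")] ^= 0x20      # 'D' -> 'd'; the exact pattern no longer matches
    return bytes(body)


def run_demo(key=b"constructed-secret-key"):
    base = make_baseline(APPS, key)
    seal = seal_baseline(base, key)
    infected = dict(APPS, WhizBang=simulate_infection(APPS["WhizBang"], VIRUS_BODY))
    mutant = dict(APPS, WhizBang=simulate_infection(APPS["WhizBang"], mutate(VIRUS_BODY)))
    # A virus that can write the store but lacks the key can only forge an unkeyed hash.
    tampered = dict(base, WhizBang=hashlib.sha256(infected["WhizBang"]).hexdigest())
    return {
        "sig_original": signature_scan(infected, SIGNATURES),   # caught
        "sig_mutant": signature_scan(mutant, SIGNATURES),       # missed after one byte
        "sum_original": integrity_check(infected, base, key),   # caught
        "sum_mutant": integrity_check(mutant, base, key),       # still caught
        "store_intact": baseline_intact(base, seal, key),
        "tampered_store_intact": baseline_intact(tampered, seal, key),
    }


if __name__ == "__main__":
    for label, value in run_demo().items():
        print(f"{label}: {value}")
```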

Bob_BobR_Retelle@cup.portal.com (03/02/89)

Lawrence Y. Chiu writes:
>What's the big deal about distributing the source code for viruses?  Compute!
>publishes an entire book on the subject, with examples.  Furthermore anyone
>with a disassembler can disassemble a virus.
 
I'm sure you know by now just how responsible I think Compute! was in
publishing virus source code...
 
The thing about disassembling a virus is that first you need to HAVE an
example to disassemble...   if the (stereotyped:nasty teenaged hacker with
nothing better to do) can't get hold of one to study, maybe he'll go make
explosives in his garage with the instructions he downloaded from the
local BBS instead...
 
Publishing source code for a computer virus is like handing out plans for
zipguns at a racially tense high school... maybe 99% will just look at them
and throw them away...  then again, maybe they won't...
 
BobR

kerchen@iris.ucdavis.edu (Paul Kerchen) (03/04/89)

In article <15261@cup.portal.com> Bob_BobR_Retelle@cup.portal.com writes:
> 
>The thing about disassembling a virus is that first you need to HAVE an
>example to disassemble...   if the (stereotyped:nasty teenaged hacker with
>nothing better to do) can't get hold of one to study, maybe he'll go make
>explosives in his garage with the instructions he downloaded from the
>local BBS instead...
> 

I have to disagree.  By making this statement, the implication is that
viruses are not a problem.  If it's *so* difficult to get a virus,
then why is everyone up in arms about viruses?  If this deranged
teenager has access to a BBS, he certainly has access to viruses,
since BBS's are prime vectors of infection.  Folks will always resist
when others put controls on what they can and can not do and putting
controls on information is no exception.  Trying to stop the flow of
virus information is like the war on drugs--if you can't get it here
then just walk down the block.  The Internet is not the only source of 
information about anything.  If folks can't find what they're looking 
for here, they'll just go somewhere else.  I'd rather not see that happen.



Paul Kerchen				| kerchen@iris.ucdavis.edu