osmigo@ut-emx.UUCP (10/08/88)
I've spent the last 3 months without a hard disk. The reason? Catastrophic failure. Inability to reformat, etc. This ordeal included shipping the device to Wisconsin (I'm in Texas) *4 times* to get it repaired. Recently, however, I learned the cause of the problem: SCORES infection. The reason it wouldn't reformat (normally a sure indication of a hardware problem) was, of course, that the formatter itself was infected. When I booted up the "repaired" hard disk, it seemed to work fine, until after I ran an application. Then things started crashing again. The infected application had wrecked the device's new System. Well, enough of the sob story.

The second thing I wanted to point out in this post is that apparently a System can be fully infected WITHOUT showing the symptoms on the desktop. Those symptoms are, as you know, "blank document" ScrapBook and NotePad icons, and two invisible files called "Desktop" and "Scores." I just finished examining a System Folder on a floppy I had lying around; it looked clean as a whistle. Upon opening it with ResEdit, though, I found ALL(?) of the resources created in a SCORES infection: DATA ID -4001, atpl ID 128, and INITs 6, 10, and 17. This was a supposedly unaltered copy of 6.0/4.2. I booted up under that System about 10 times, and ran a number of applications under it as well, trying to get something to happen. No luck. The applications weren't infected, nor did the telltale signs appear in the System Folder. The SCORES-installed resources WERE, however, detected by the program "KillScores 1.0."

From reading the available documentation, I had the impression that those System Folder additions ALWAYS occurred as a result of infection. Not true? Or, perhaps SCORES has some kind of delayed-action mechanism, where the resources sit idle until Event X, then create the files.

I understand that the FBI knows who created this unseen horror. If so, whatever happened to him? If he's been arrested and they're trying to decide what to do with the bastard, I have some good ideas. Words cannot describe what I've been through.

--Ron Morgan          {ames, utah-cs, uunet}!ut-sally!ut-emx!osmigo
--Univ. of Texas      {gatech, harvard, pyramid, sequent}!ut-sally!ut-emx!osmigo
--Austin, Texas       osmigo@ut-emx.UUCP   osmigo@emx.utexas.edu
shap@polya.Stanford.EDU (Jonathan S. Shapiro) (10/10/88)
Can anyone tell me where I can get a copy of KillScores 1.0?
jln@eecs.nwu.edu (John Norstad) (10/11/88)
> I've spent the last 3 months without a hard disk. The reason? Catastrophic
> failure. Inability to reformat, etc. This ordeal included shipping the device
> to Wisconsin (I'm in Texas) *4 times* to get it repaired. Recently, however,
> I learned the cause of the problem: SCORES infection. The reason it wouldn't
> reformat (normally a sure indication of a hardware problem) was, of course,
> that the formatter itself was infected. When I booted up the "repaired"
> hard disk, it seemed to work fine, until after I ran an application. Then
> things started crashing again. The infected application had wrecked the device's
> new System. Well, enough of the sob story.

This is indeed a horrible story, and I sympathize with your plight. When Scores first appeared I studied it, figured out how it worked, and posted some notes on what I'd discovered. I find several of your remarks quite puzzling.

I don't understand why your formatter wouldn't work, even though it was infected with Scores. Most applications continue to work fine when they're infected. One possibility is if the formatter has a gap of size one in the numbering of its CODE resources. For example, if the CODE resources were numbered 1,2,3,5,6,7,... In this example there's a gap of size 1 at resource number 4, and Scores would try to add a new CODE segment number 5. This screws up the application so that it most likely will bomb on launch. KillScores can disinfect such an application, but Ferret doesn't even think it's infected.

I also don't understand why your "repaired" hard disk worked fine until you ran an infected application. Systems usually continue to work properly after they become infected. This may be some sort of conflict between your hard disk driver and Scores.

> The second thing I wanted to point out in this post is that apparently a
> System can be fully infected WITHOUT showing the symptoms on the desktop.
> Those symptoms are, as you know, "blank document" ScrapBook and NotePad icons,
> and two invisible files called "Desktop" and "Scores." I just finished
> examining a System Folder on a floppy I had lying around; it looked clean as
> a whistle. Upon opening it with ResEdit, though, I found ALL(?) of the resources
> created in a SCORES infection: DATA ID -4001, atpl ID 128, and INITs 6, 10,
> and 17. This was a supposedly unaltered copy of 6.0/4.2.

I've noticed this too, especially on floppies. Sometimes only part of the viral resources are installed. In all the cases I've come across it's because the disk becomes full. Scores installs its viral resources in the following order:

System file
Scores file
NotePad file
Scrapbook file
Desktop file

In your case your floppy probably became full after the five viral resources were installed on your system file. Scores continued to try to infect the other four files, but nothing happened because the floppy was full.

> I booted up under that System about 10 times, and ran a number of applications
> under it as well, trying to get something to happen. No luck. The applications
> weren't infected, nor did the telltale signs appear in the System
> Folder. The SCORES-installed resources WERE, however, detected by the program
> "KillScores 1.0."

Scores does not begin to spread until two days after the system is infected. In addition, due to what appears to be a bug in Scores, each time an infected application is run during that two day dormant period, the system is infected AGAIN and the timer is RESET. Thus you have to actually a) run an infected application, and b) NOT run an infected application for another two days, before it begins to spread. This may be what happened to you.

> From reading the available documentation, I had the impression that those
> System Folder additions ALWAYS occurred as a result of infection. Not true?
> Or, perhaps SCORES has some kind of delayed-action mechanism, where the
> resources sit idle until Event X, then create the files.

Scores does have delayed-action mechanisms, but not in this case. It tries to create all of the system folder viral stuff when an infected application is launched. As I mentioned above, what probably happened to you was that your floppy became full.

> I understand that the FBI knows who created this unseen horror. If so, whatever
> happened to him? If he's been arrested and they're trying to decide what
> to do with the bastard, I have some good ideas. Words cannot describe what
> I've been through.
> --Ron Morgan

Why hasn't this criminal been arrested and prosecuted? Scores has spread very widely and is still spreading, and has caused great damage. We recently experienced a small infection in our labs and on our servers here at Northwestern, and it cost at least 50-60 man hours to examine and disinfect everything in sight. In your case you lost three months! Multiply that by the number of infections around the world, and there must have been many tens of thousands of man hours lost because of this plague.

John Norstad
Academic Computing and Network Services
Northwestern University

Bitnet: JLN@NUACC
Internet: JLN@NUACC.ACNS.NWU.EDU
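Norstad's description of the five resources Scores adds to a System file, and of the CODE-numbering gap of size 1 that makes an infected application bomb, can both be turned into a defender-side resource-fork check. The following is an added example, not code from this thread, from KillScores or from Ferret: it builds small constructed resource forks in the standard classic Mac resource-fork layout (header, data section, resource map with type list and reference lists), lists the resources present, flags the indicator IDs named in the thread, and reports any CODE gap of size 1. SCORES_INDICATORS and the fixture contents are the example's own constructions; matching IDs are an indicator to investigate, not proof on their own.

```python
"""Scan a classic Mac OS resource fork for the resource IDs the thread
associates with a Scores infection, and for the CODE-numbering gaps of
size 1 that Norstad says make an infected application bomb on launch.

Added example: the fork layout is the standard one (header, data section,
resource map with type list and reference lists); the indicator IDs are
those named in the thread; every sample fork below is constructed.
"""
import struct

# Resources reported in the thread as created in a System file by Scores.
SCORES_INDICATORS = {
    b"DATA": {-4001},
    b"atpl": {128},
    b"INIT": {6, 10, 17},
}


def build_resource_fork(resources):
    """Build a minimal resource fork from {type: {id: payload}} (test fixture only)."""
    data = bytearray()
    data_offset = {}
    for rtype, by_id in resources.items():
        for rid, payload in by_id.items():
            data_offset[(rtype, rid)] = len(data)
            data += struct.pack(">I", len(payload)) + payload  # length-prefixed blob
    types = list(resources)
    type_list = bytearray(struct.pack(">H", (len(types) - 1) & 0xFFFF))  # count - 1
    ref_lists = bytearray()
    ref_base = 2 + 8 * len(types)  # reference lists follow the type entries
    for rtype in types:
        ids = resources[rtype]
        type_list += struct.pack(">4sHH", rtype, (len(ids) - 1) & 0xFFFF,
                                 ref_base + len(ref_lists))
        for rid in ids:
            # id, name offset (0xFFFF = unnamed), attributes, 3-byte data offset, handle
            ref_lists += (struct.pack(">hHB", rid, 0xFFFF, 0)
                          + data_offset[(rtype, rid)].to_bytes(3, "big") + b"\0" * 4)
    type_list += ref_lists
    # Map: 16 reserved + 4 next-map + 2 file ref + 2 attrs, then type/name list offsets.
    rmap = b"\0" * 24 + struct.pack(">HH", 28, 28 + len(type_list)) + type_list
    data_start = 256  # standard header size
    header = struct.pack(">IIII", data_start, data_start + len(data), len(data), len(rmap))
    return header + b"\0" * (data_start - 16) + bytes(data) + rmap


def parse_resource_fork(fork):
    """Walk the resource map and return {type: sorted list of ids}."""
    _, map_off, _, _ = struct.unpack(">IIII", fork[:16])
    type_list_off, _ = struct.unpack(">HH", fork[map_off + 24:map_off + 28])
    tl = map_off + type_list_off
    n_types = (struct.unpack(">H", fork[tl:tl + 2])[0] + 1) & 0xFFFF  # 0xFFFF means none
    found = {}
    for i in range(n_types):
        entry = tl + 2 + 8 * i
        rtype, n_minus_one, ref_off = struct.unpack(">4sHH", fork[entry:entry + 8])
        ids = []
        for j in range((n_minus_one + 1) & 0xFFFF):
            ref = tl + ref_off + 12 * j  # reference offsets are relative to the type list
            ids.append(struct.unpack(">h", fork[ref:ref + 2])[0])
        found[rtype] = sorted(ids)
    return found


def scores_indicators(found):
    """Indicator resources present, as (type, id) pairs in the thread's order."""
    return [(t, i) for t, ids in SCORES_INDICATORS.items()
            for i in sorted(ids) if i in found.get(t, [])]


def classify(found):
    """'full' if all five indicators are present, 'partial' for some, 'none' otherwise.
    Norstad notes partial installs happen when a floppy fills up mid-infection."""
    n = len(scores_indicators(found))
    total = sum(len(v) for v in SCORES_INDICATORS.values())
    return "full" if n == total else "partial" if n else "none"


def code_gaps_of_one(found):
    """CODE ids n that are absent while n-1 and n+1 exist (e.g. 1,2,3,5,6,7 -> [4])."""
    codes = set(found.get(b"CODE", []))
    return [n for n in range(min(codes, default=0), max(codes, default=0))
            if n not in codes and n - 1 in codes and n + 1 in codes]


# Constructed fixtures: a System file carrying all five indicators, the formatter
# layout Morgan reports later in the thread (CODE 0-4, no gap), and an app with a gap at 4.
INFECTED_SYSTEM = {b"DATA": {-4001: b"x"}, b"atpl": {128: b"x"},
                   b"INIT": {6: b"x", 10: b"x", 17: b"x"}, b"STR ": {0: b"System"}}
GAPLESS_APP = {b"CODE": {i: b"c" for i in (0, 1, 2, 3, 4)}}
GAPPY_APP = {b"CODE": {i: b"c" for i in (0, 1, 2, 3, 5, 6, 7)}}

if __name__ == "__main__":
    for name, res in [("system", INFECTED_SYSTEM), ("formatter", GAPLESS_APP), ("gappy", GAPPY_APP)]:
        found = parse_resource_fork(build_resource_fork(res))
        print(name, classify(found), scores_indicators(found), code_gaps_of_one(found))
```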
osmigo@ut-emx.UUCP (10/11/88)
In article <10330053@eecs.nwu.edu> jln@eecs.nwu.edu (John Norstad) writes:

>I find several of your remarks quite puzzling.
>
>I don't understand why your formatter wouldn't work, even though it was
>infected with Scores.

According to the documentation that came with KillScores, it can cause applications to crash or do strange things. I had several applications that bombed mercilessly until I disinfected them, then they worked perfectly. The formatter was no exception. I should point out here, BTW, that the hard disk's manufacturer spent a WEEK testing the device, and found nothing wrong with it. It reformatted and worked flawlessly on their bench. Their software, of course, wasn't infected. So, they sent it back. Then we went through the same thing AGAIN.

>I also don't understand why your "repaired" hard disk worked fine until
>you ran an infected application. Systems usually continue to work properly
                                          ^^^^^^^

Apparently "usually" is the correct word.

>In your case your floppy probably became full after the five viral resources
>were installed on your system file. Scores continued to try to infect
>the other four files, but nothing happened because the floppy was full.

No, the floppy isn't full. It has about 45K left. Also, and correct me if I'm wrong, but Scores doesn't simply "infect" the other four files (desktop, notepad, scrapbook). It *creates* them. They will be present in an infected System Folder even if they (spec. Scrapbook and Notepad) were previously removed from the System.

>> I understand that the FBI knows who created this unseen horror.
>> If so, whatever happened to him?
>Why hasn't this criminal been arrested and prosecuted?

Can anybody answer this? Perhaps it's a question of proof. How can one *prove* that the virus caused a program with 400,000 bytes of code to crash, short of hiring a team of programmers to spend 10 years going through the code word-by-word and figuring it out?

And yes, you're right. Scores is still very much alive and spreading. I've already met two other people with infected systems composed of large hard drives and dozens of infected applications. Both of them are very active in downloading/uploading applications to and from BBS's. There's no question in my mind that ANY application that isn't shrink-wrapped when you get it should be considered dangerous. Just think of the damage *one* single infected application on a BBS or public database (Genie, comp.sys.mac, et al.) could do over time. Keep in mind that we're talking about a virus that will actually search out applications to infect, even if they aren't run. If you've ever seen your infected disk drive start spinning for no reason, that's the Scores virus on a "hunting trip." Who knows, unless Apple builds a virus-guard/killer into its ROM or System files, Scores will probably be with us for a long, long time.

--Ron Morgan          {ames, utah-cs, uunet}!ut-sally!ut-emx!osmigo
--Univ. of Texas      {gatech, harvard, pyramid, sequent}!ut-sally!ut-emx!osmigo
--Austin, Texas       osmigo@ut-emx.UUCP   osmigo@emx.utexas.edu
Jim_Harvey@mailcom.UUCP (Jim Harvey) (10/11/88)
I've written an application to remove the SCORES virus from infected applications (it's nowhere near as good as others around any more.) I can say with certainty from disassembling the virus and understanding every single line of its object code, that infected applications can be 100% brought back to their original state, uninfected and functional.

The problem with reinfection is probably applications being launched from a floppy that hasn't been cleaned out. Run KillScores, Ferret, Virus RX from Apple, and any other anti-viral utility, on all of your floppies. Now you're clean....

Next, get Vaccine from CE Software. It's available on most commercial services including Compuserve, and on plenty of private services. Vaccine will warn you RIGHT AWAY if Scores is trying to infect your system.

You're all set-- unless you bought programs from EDS Data Systems. SCORES deliberately damages applications with creator types from EDS.

---
* Origin: MailCom INTERNET: f444.n204.z1.Fidonet.org Palo Alto (415) 855-9548 (Opus 1:204/444)
--
INTERNET: f444.n204.z1.Fidonet.org
UUCP: sun!sunncal!mailcom
jln@eecs.nwu.edu (John Norstad) (10/12/88)
>According to the documentation that came with KillScores, it can cause
>applications to crash or do strange things. I had several applications
>that bombed mercilessly until I disinfected them, then they worked perfectly.
>The formatter was no exception.

Yes, Scores can cause applications to crash or do strange things. In my earlier reply I pointed out one case - code segment gaps of size 1. For example, some versions of Red Ryder and Stuffit have this property. If your formatter wouldn't run at all (crashed immediately on launch) I'd suspect this gap problem. Scores also uses memory, so applications that need lots of memory might not work properly on infected systems.

>>I also don't understand why your "repaired" hard disk worked fine until
>>you ran an infected application. Systems usually continue to work properly
>                                          ^^^^^^^
>Apparently "usually" is the correct word.

Your case is the first I've heard of a system that won't function at all when infected. As I said before, I suspect a conflict between Scores and your disk driver. For example, they might both be trying to use the same unit table entry. What kind of drive are you using?

>>In your case your floppy probably became full after the five viral resources
>>were installed on your system file. Scores continued to try to infect
>>the other four files, but nothing happened because the floppy was full.
>
>No, the floppy isn't full. It has about 45K left. Also, and correct me if I'm
>wrong, but Scores doesn't simply "infect" the other four files (desktop,
>notepad, scrapbook). It *creates* them. They will be present in an infected
>System Folder even if they (spec. Scrapbook and Notepad) were previously
>removed from the System.

You're correct - the Desktop, Scores, Notepad, and Scrapbook files are all created if they don't already exist. I am quite mystified as to why Scores didn't create them in your case if your floppy wasn't full.

>Perhaps it's a question of proof. How can one
>*prove* that the virus caused a program with 400,000 bytes of code to crash,
>short of hiring a team of programmers to spend 10 years going through the
>code word-by-word and figuring it out?

I have gone through Scores in great detail. I've examined every single line of code and figured out what it does. It contains roughly 2,500 machine language instructions. This took about two weeks of very hard work. Of course, I didn't have access to source code. I had to use a disassembly listing and reverse-engineer the beast. Every significant fact I discovered by examining the code was verified by testing on an infected system, using a debugger, ResEdit, and other programming tools.

The only things that Scores does ON PURPOSE are spread itself and attack VULT and ERIC. Many people, however, have noticed undesirable behaviour on infected systems, including problems printing and problems with MacDraw and Excel. I suspect memory problems in these cases, although I'm not sure. I haven't been able to duplicate them on my systems. I've found a number of bugs and what look like oversights in Scores, but none of them seem to be really serious. Of course, it's very possible, indeed likely, that I've overlooked something. Scores is very complicated, and there are many ways in which it can interact in strange ways with other applications and system software. I'm still discovering new things about it. Your problem is definitely the worst one I've heard about.

In the case of a specific program that bombs repeatedly on an infected system, it shouldn't be terribly difficult to discover why, provided source code is available for the program in question, and provided the investigators are experienced Mac programmers with a thorough knowledge of the virus in question. It might not be easy, but it should be doable in a reasonable amount of time.

The fact that a virus does not contain any specific damaging attacks on other applications or system software does not make it harmless, as we've all discovered in the case of Scores. The mere fact that they occupy disk space and memory makes them dangerous. Scores only contains specific attacks against VULT and ERIC, which were never released to the general public, but it is still a monster that has caused great damage. I certainly hope that any future anti-virus legislation will not make deliberate attacks a requirement for successful prosecution. Any self-replicating code distributed without the knowledge and consent of the users should be illegal.

>Keep in mind that we're talking about a virus that will actually
>search out applications to infect, even if they aren't run. If you've ever
>seen your infected disk drive start spinning for no reason, that's the Scores
>virus on a "hunting trip."

This is false. Scores only infects applications that are actually run. The infection occurs between 2 and 3 minutes after the application is launched. When you hear the disk whir at an odd time it is Scores infecting the current application. Scores does not go on any "hunting trips".

>And yes, you're right. Scores is still very much alive and spreading.

It can't hurt to once again very strongly recommend that Mac users obtain and install the Vaccine CDEV. It is effective against Scores. If you try to run an infected application on an uninfected, vaccinated system your machine will bomb, and your system will not be infected. When this happens you should use Virus Rx, Interferon, or some other virus detection tool to investigate the suspected application.

John Norstad
Academic Computing and Network Services
Northwestern University

Bitnet: jln@nuacc
Internet: jln@nuacc.acns.nwu.edu
riley@beowulf.ucsd.edu (Christian Riley) (10/12/88)
It turns out, I also had a Scores infection. Several weeks ago, I went to get version 1.2 of Hypercard since I hadn't gotten around to getting the update yet. Well, it was on the Mac II's hard disk at the store and when I copied Hypercard off, that disk got infected. After copying Hypercard to my hard disk, I didn't use it much. Then last weekend, I noticed a lot of bombs and applications not being able to find files (i.e. Red Ryder not finding RRJ$ at startup etc) and found I was infected. Normally I have Vaccine on, but I had it off because I was doing a little programming. I believe that now I have gotten rid of it, but it did make me waste quite a bit of time.

Chris

"We must control men in order to force them to be free."

Chris Riley
riley@cs.ucsd.edu
osmigo@ut-emx.UUCP (10/12/88)
In article <10330055@eecs.nwu.edu> jln@eecs.nwu.edu (John Norstad) writes:
>
>Yes, Scores can cause applications to crash or do strange things. In my
>earlier reply I pointed out one case - code segment gaps of size 1.

My hard disk drive is a Mirror Magnet 40X. It uses a Seagate ST-251 with the Adaptec card. The Mirror formatter has CODEs 0, 1, 2, 3, and 4. That's about all I can tell you!

>Your case is the first I've heard of a system that won't function at all
>when infected.

It might have been Finder. According to the documentation I've read, Scores "likes" to infect Finder, and Finder WAS infected.

> It contains roughly 2,500 machine
>language instructions. This took about two weeks of very hard work.
> I had to use a
>disassembly listing and reverse-engineer the beast. Every significant
>fact I discovered by examining the code was verified by testing on an
>infected system, using a debugger, ResEdit, and other programming tools.

We need more guys like you!!! (-8

> including problems printing and problems with MacDraw

Yes, there were a number of occasions when I'd try to print out a document (from Draw, MacWrite, WriteNow and others) and would get, say, 3 lines of garbage per page.

>sure. I haven't been able to duplicate them on my systems.

According to what I've read, the effects of Scores can vary from machine to machine. It'll infect one application on my machine, and leave it untouched on your machine.

>>Keep in mind that we're talking about a virus that will actually
>>search out applications to infect, even if they aren't run. If you've ever
>>seen your infected disk drive start spinning for no reason, that's the Scores
>>virus on a "hunting trip."
>
>This is false. Scores only infects applications that are actually run.
>Scores does not go on any "hunting trips."

This is in direct contradiction to the documentation that came with KillScores 1.0. The literature was written by Howard Upchurch, and says [quote]:

    "As the infected disk is used, the virus continually seeks uncontaminated
    applications. The present thought is that it searches in a random fashion
    at an interval of 3 1/2 minutes...after a long enough period of time,
    every application on the disk will be infected, apparently whether it has
    been used or not."

On another page, he says:

    "...an application does not have to have been run for it to be contaminated."

If you are saying you've found contradictory information, could you please say so explicitly?

I have one more question for you, since you obviously know more about this than I do. Would the problems caused by Scores appear the FIRST time a "clean" application is run? I noted that when I ran Yeager Advanced Flight Trainer (a known clean copy) on my infected system, it failed to work the very first time, saying the application file was busy or damaged.

Many, many thanks for your words on this matter.
jln@eecs.nwu.edu (John Norstad) (10/12/88)
>>Your case is the first I've heard of a system that won't function at all
>>when infected.
>
>It might have been Finder. According to the documentation I've read, Scores
>"likes" to infect Finder, and Finder WAS infected.

Yes, Finder almost always gets infected, but this doesn't usually cause any problems.

>>>Keep in mind that we're talking about a virus that will actually
>>>search out applications to infect, even if they aren't run. If you've ever
>>>seen your infected disk drive start spinning for no reason, that's the Scores
>>>virus on a "hunting trip."
>>
>>This is false. Scores only infects applications that are actually run.
>>Scores does not go on any "hunting trips."
>
>This is in direct contradiction to the documentation that came with
>KillScores 1.0. The literature was written by Howard Upchurch, and
>says [quote]:
>
>    "As the infected disk is used, the virus continually seeks uncontaminated
>    applications. The present thought is that it searches in a random fashion
>    at an interval of 3 1/2 minutes...after a long enough period of time,
>    every application on the disk will be infected, apparently whether it has
>    been used or not."
>
>On another page, he says:
>
>    "...an application does not have to have been run for it to be contaminated."
>
>If you are saying you've found contradictory information, could you please
>say so explicitly?

Howard wrote this before I had disassembled and figured out Scores in detail. He made a reasonable educated guess based on observing the behaviour of infected systems, but he was wrong.

This is only one of many incorrect rumors that have been spread about Scores. Another one that won't seem to die is that Scores contains some sort of special code designed to fool ResEdit. This is not true. Yes, you can disinfect your system file with ResEdit, rerun ResEdit, and discover that your system file is still infected. All this means is that ResEdit itself was infected, and it reinfected your system the second time you launched it. There's no magic here.

>I have one more question for you, since you obviously know more about this
>than I do. Would the problems caused by Scores appear the FIRST time a
>"clean" application is run? I noted that when I ran Yeager Advanced Flight
>Trainer (a known clean copy) on my infected system, it failed to work the
>very first time, saying the application file was busy or damaged.

Sorry, I don't really have any ideas. It could be almost anything, and I'd have to see it first hand to figure out what's happening. I obviously don't know everything, since I can't explain most of the problems you've experienced. I wish I knew what was going on.

>Many, many thanks for your words on this matter.

You are welcome. I hope I've helped.

John Norstad
Academic Computing and Network Services
Northwestern University

Bitnet: jln@nuacc
Internet: jln@nuacc.acns.nwu.edu
jln@eecs.nwu.edu (John Norstad) (10/13/88)
Jim Harvey writes:

>Run KillScores, Ferret, Virus RX from Apple, and any other anti-viral
>utility, on all of your floppies. Now you're clean....

Virus Rx from Apple will detect the Scores virus, but not get rid of it. Ferret has a number of serious bugs, and in some cases will leave your system infected, as I reported in a posting to comp.sys.mac on 5/2/88. I recommend KillScores.

>Vaccine will warn you RIGHT AWAY if Scores is trying to infect your
>system.

Vaccine will try to warn you by putting up a dialog box. Unfortunately, at the time Scores tries to infect your system the dialog manager is not yet initialized, so Vaccine bombs. Your system is protected (not infected), but the only warning you get is the system error alert.

>You're all set-- unless you bought programs from EDS Data Systems.
>SCORES deliberately damages applications with creator types from EDS.

According to magazine articles (see InfoWorld and MacWeek in particular), the programs in question (VULT and ERIC) were never released or sold to the general public.

John Norstad
Academic Computing and Network Services
Northwestern University

Bitnet: jln@nuacc
Internet: jln@nuacc.acns.nwu.edu
jln@eecs.nwu.edu (John Norstad) (10/13/88)
Robert Dorsett writes to Jim Harvey:

>I, for one, would be very interested in seeing a disassembly of the virus.
>Could you post it to the net or comp.sources.mac (if it's still around)?

NO, NO, NO!!!! Please don't post disassemblies or sources for viruses!!! This has happened in the past, and the result has been a flurry of new viruses based on the one posted. This is absolutely the worst thing that you could do!

Those of us doing research on viruses must very carefully consider the consequences of all our public actions. I feel that it's OK to tell people what damage a virus does, how to detect it, and how to get rid of it. This is being socially responsible, and provides a needed service. But it's incredibly irresponsible to tell people how they work or how to write one!

John Norstad
Academic Computing and Network Services
Northwestern University

Bitnet: jln@nuacc
Internet: jln@nuacc.acns.nwu.edu
rmf1992@uxf.cso.uiuc.edu (10/14/88)
>/* Written 5:15 pm Oct 12, 1988 by mentat@juniper.uucp in uxf.cso.uiuc.edu:comp.sys.mac */
>In article <70.23534FAB@mailcom.UUCP> Jim_Harvey@mailcom.UUCP (Jim Harvey) writes:
>>I've written an application to remove the SCORES virus from infected
>>applications (it's nowhere near as good as others around any more.) I
>>can say with certainty from disassembling the virus and understanding
>>every single line of its object code, that infected applications can be
>>100% brought back to their original state, uninfected and functional.
>
>I, for one, would be very interested in seeing a disassembly of the virus.
>Could you post it to the net or comp.sources.mac (if it's still around)?
>
>--
>Robert Dorsett University of Texas at Austin
>
>UUCP: {ames,utah-cs,rutgers}!cs.utexas.edu!ut-emx!juniper!mentat
>      mentat@juniper.UUCP
>/* End of text from uxf.cso.uiuc.edu:comp.sys.mac */

Not to pick on Robert Dorsett, because I also would be interested in seeing a disassembly of SCORES. I think it would be VERY DANGEROUS. There are probably a very large number of people out there who are legitimately curious about how a virus works in practice, not just in theory. But then again there are always the few; think about the person(s) who wrote SCORES, they designed it to target EDS applications. That took a good working knowledge of the Mac, and a good healthy dose of grade school morality. Posting a disassembly would only encourage the more mediocre programmers to write a virus. Maybe, to make a name for him/herself, but probably for the thrill of it and maybe in a more destructive manner. (for the thrill of it Diet Coke :-))

Bob Frank - struggling undergrad @ UofIllinois
rmf1992@uxf.cso.uiuc.edu
gld@zippy.eecs.umich.edu (Greg L. Dykema) (10/14/88)
In article <10330059@eecs.nwu.edu>, jln@eecs.nwu.edu (John Norstad) writes:
> NO, NO, NO!!!! Please don't post disassemblies or sources for viruses!!!
>
> Those of us doing research on viruses must very carefully consider the
> consequences of all our public actions. I feel that it's OK to tell
> people what damage a virus does, how to detect it, and how to get rid of it.
> This is being socially responsible, and provides a needed service. But it's
> incredibly irresponsible to tell people how they work or how to write one!
>
> John Norstad
> Academic Computing and Network Services
> Northwestern University
>
> Bitnet: jln@nuacc
> Internet: jln@nuacc.acns.nwu.edu

This is one way of looking at the question of whether or not to publicize virus code and exact descriptions of virus operation. The other option is to release all the information anyone can find on viruses to everyone.

The reasoning behind the former is that you hope to limit the number of people who have the desire and/or knowledge to write a virus--if someone didn't know what a virus is, they may not think of the possibility on their own, and without explicit examples, they may not know how to write one. The first "hope" is useless--many people know what a virus is and basically what it does. The second is not much good either--viruses are not hard to write and any decent programmer with the desire can write one. The only thing you avoid is handing someone "ready-made trouble" and perhaps giving someone the ability to distribute a virus if they did not have the necessary skills already.

But we have lost something too. We have lost a free exchange of information, admittedly information that could help or hurt. But I believe that the "additional" damage releasing virus source code might do is not worth the loss of information, information necessary if one is to understand the possible threat of viruses (and specific viruses in the case of publishing specific source code) and to defend against them. What gives anyone the right to decide in whose hands this "privileged information" will lie?

In any event, I believe that the question of whether or not to publish virus source code does NOT have a clear answer!

Greg Dykema
jln@eecs.nwu.edu (John Norstad) (10/14/88)
Robert Dorsett of the University of Texas at Austin and Greg Dykema of the University of Michigan both disagree with my opinion that we shouldn't post disassemblies or sources for viruses.

Dykema says:

>In any event, I believe that the question of whether or not to publish virus
>source code does NOT have a clear answer!

I agree. When I had figured out how Scores worked in April and began to prepare my original posting to comp.sys.mac I had to very seriously consider this issue. It was definitely not easy deciding how much to reveal about the internal details of Scores. My final decision was to tell what Scores does to your system, how to detect it, and how to get rid of it. This does involve revealing some of the internal technical details.

Most of the many people who corresponded with me about my postings agreed with my policy. But at least one very knowledgeable person felt I was actually doing harm by posting at all! He felt that those of us who know about viruses should just keep quiet in the hope that the virus-writing "fad" will die a natural death. He found my posting much too technical and thought it gave too much help to potential virus writers. I disagree with this person, but it shows that there's a whole spectrum of opinion on this issue. I guess I'm a "moderate".

Dykema also says:

>...viruses are not
>hard to write and any decent programmer with the desire can write one.
>The only thing you avoid is handing someone "ready-made trouble" and
>perhaps giving someone the ability to distribute a virus if they did
>not have the necessary skills already.

Robert Dorsett says:

>Denying public knowledge of viruses does *not* protect against them, merely
>guarantees that attack strategies remain unknown.
>...
>I'm willing to
>bet that we will *not* be subject to "a flurry of new viruses" if source is
>posted.

Viruses are not hard to write, but they're not easy to write either. It does take quite a bit of work, knowledge, and time to write a virus from scratch on the Mac. It's hard enough so that only somebody with quite a bit of free time and a very strong desire is going to write one. But almost anybody can quite easily hack together a variant of an existing virus given source code. This has already happened in the Mac world with the nVIR virus. A German programmer posted source code on CompuServe, and several mutations of nVIR appeared. (Disclaimer: I have no first-hand knowledge of this, and I haven't seen his posting. I've just read about the incident. I'm an expert on Scores, but not on nVIR.)

It seems very clear to me that posting sources for viruses is asking for trouble. Denying public knowledge of the nitty-gritty technical details does help to protect against them. This is the main argument in favor of my position.

Dorsett writes:

>Understanding a virus is essential to combatting it, even from the user
>level. Even now, months, presumably, after SCORES has been disassembled by
>certain users on the net, we still have people running around like chickens
>with their heads cut off, with nary a clue as to how it propagates itself,
>afraid to run software "sanitised" by killscores, "reverse engineering" the
>viruses from the user level, etc. I think that to at LEAST provide a clear
>description of how it works is to benefit the community at large.

Understanding what a virus does to your system, how to detect it, and how to get rid of it are essential to combatting it. Understanding the complete technical details of how it works internally is helpful but not essential. I've tried to provide clear descriptions of the technical information that people need to combat Scores, and it has been a great help to many, many people. But I refuse to reveal internal details that are not critically relevant to this goal.

You are absolutely correct that a great deal of erroneous information has been spread about Scores. Even now magazine articles and network postings are more often than not inaccurate. This is unfortunate, but probably unavoidable. I've done everything in my power to dispel rumors and give accurate information, and the situation has improved somewhat, but the rumors still persist.

Dykema writes:

>But we have lost something too. We have lost a free exchange of information,
>admittedly information that could help or hurt. But I believe that the
>"additional" damage releasing virus source code might do is not worth
>the loss of information, information necessary if one is to understand the
>possible threat of viruses (and specific viruses in the case of publishing
>specific source code) and to defend against them.

This argument is very strong and well-stated. I think that Dykema has stated the main argument against my position. I too believe in the enormous value of the free exchange of information. For example, I long for the "good old days" when operating systems and major applications were distributed with source code. I learned how to program by studying those sources. Can you imagine how much better programmers we'd all be if we had source for the ROM? The current almost universal distribution of programs without source code is tremendously harmful.

The problem in a nutshell is to balance the danger of showing hackers how to write destructive code against the benefits of the free exchange of information. Dykema argues for free exchange. But after extremely careful consideration I have decided that the very real threat posed by these extraordinarily dangerous viruses is more important. This is sad but true.

Dykema again:

>What gives anyone the
>right to decide in whose hands this "privileged information" will lie?

Another very telling argument. Viruses are being written, and we need a community of virus fighters working together to combat the plague. But if the members of this community can't exchange information freely, how can they work effectively? Who decides who gets to be a member of the club? For example, all of my work has been done in almost complete isolation, with no help from others. I am not a member of the "club", if one exists. I know that there are other Mac programmers out there working on the same problems, but for the most part we don't communicate or share our work. I admit that I have no good answer to this question.

On a different topic, Dorsett writes:

>I view "virus killers" as almost as serious a threat as the virus
>they are alleged to combat. The fact that none of these killers are distrib-
>uted in source form only adds to my reluctance to use them.

I tend to agree. Virus fighting software should be distributed with source code. My colleague Albert Lunde has written a program VCheck, and he distributes it with source code. I can think of an exception, and that is CE Software's Vaccine. If source code were available it might make it too easy for virus writers to figure out ways to get around Vaccine's protection.

I'd like to thank both Dorsett and Dykema for posting their excellent notes. This is a topic that needs discussion. I disagree with them, but I acknowledge and respect their opinions. It is indeed a very difficult problem.

Finally, I'd like to remind readers of this thread that I posted three notes on Scores to comp.sys.mac last spring, on 4/18, 4/25, and 5/2. They contain lots of useful, accurate information on Scores, but they won't teach you how to write a Mac virus. You may have missed them. Anybody who would like copies should feel free to send me a note at the address below.

John Norstad
Academic Computing and Network Services
Northwestern University
Bitnet: jln@nuacc
Internet: jln@nuacc.acns.nwu.edu
osmigo@ut-emx.UUCP (10/15/88)
[Deleted positions on posting source to SCORES]

I hope we're not belaboring the point here, but I agree that the source to SCORES should NOT be posted ANYWHERE. My reasons:

1. It isn't necessary to have a "flurry of new viruses" to warrant keeping it off the lines. We only need consider the widespread misery that can be caused by ONE virus. Look at the recent post by the user who was infected at a university computer lab. Does anyone care to guess how many people will ultimately be infected by that ONE SINGLE COPY of that ONE virus?

2. I believe there is such a thing as "need to know." Good grief, keeping source code off the net isn't the same thing as a Nazi book-burning. Otherwise, we might as well applaud posts on how to manufacture explosives in your kitchen, or synthesize LSD.

3. I feel I can safely hypothesize that viruses will become more durable and pervasive over time. Each new virus, as it is analyzed and as software is written to kill it, also gives would-be virus-writers a free lesson in "what not to do." Let's also keep in mind that SCORES is small-time, compared to some of the more sophisticated virii that have been written to attack mainframes and the like. The "next" generation of virii will certainly not have any "giveaways" such as the blank-document Scrapbook/Notepad icons. It might quietly jump from application to application, skipping the System file. It might have a delayed effect of MONTHS instead of SCORES' two days. It could target specific applications, such as backup software, for self-destruction next time they are run, instead of infecting "everything." How would you like to erase your hard disk, then find that your backup has turned into ASCII salad?

4. Correct me if I'm wrong (I'm not a programmer), but I think most people capable of analyzing a virus's source code would also be capable of writing their OWN virus-killers. We know what SCORES writes onto its targets; it would be a simple matter for a programmer to write an application to search for those strings and destroy them, if he's afraid to use the available anti-virus tools.

I'm *still* dying to know what happened to the person that wrote SCORES, since his identity is reportedly known. *Surely* he was fired from his job, for example.

Oh well, smile, have a nice day, and all that.....(-8

Ron

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>--Ron Morgan--------------{ames, utah-cs, uunet}!ut-sally!ut-emx!osmigo-------<
>--Univ. of Texas--{gatech, harvard, pyramid, sequent}!ut-sally!ut-emx!osmigo--<
>--Austin, Texas--------osmigo@ut-emx.UUCP-------osmigo@emx.utexas.edu---------<
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
mha@batcomputer.tn.cornell.edu (Mark H. Anbinder) (10/17/88)
In article <1255@zippy.eecs.umich.edu> gld@zippy.eecs.umich.edu (Greg L. Dykema) writes:
<In article <10330059@eecs.nwu.edu>, jln@eecs.nwu.edu (John Norstad) writes:
<> NO, NO, NO!!!! Please don't post disassemblies or sources for viruses!!!
<>
<> John Norstad
<> Academic Computing and Network Services
<> Northwestern University
<
<This is one way of looking at the question of whether or not to publicize
<virus code and exact descriptions of virus operation. The other option
<is to release all the information anyone can find on viruses to everyone.
<The reasoning behind the former is that you hope to limit the number of
<people who have the desire and/or knowledge to write a virus...
<
<But we have lost something too. We have lost a free exchange of information,
<admittedly information that could help or hurt. But I believe that the
<"additional" damage releasing virus source code might do is not worth
<the loss of information, information necessary if one is to understand the
<possible threat of viruses (and specific viruses in the case of publishing
<specific source code) and to defend against them. What gives anyone the
<right to decide in whose hands this "privileged information" will lie?
<
<In any event, I believe that the question of whether or not to publish virus
<source code does NOT have a clear answer!
<
<Greg Dykema

I have to agree with John here. Releasing source code or exact descriptions of what viruses do is tantamount to giving every half-competent programmer in the world the ability to create a virus quickly and easily. Something like the Scores virus does enough damage the way it is. It doesn't do anything actively except replicate itself, but its presence and its reproductive activities cause enough problems. Imagine if someone with the least bit of programming skill got hold of a source copy and added a teensy little routine to erase a desktop file or write over the boot blocks of a hard disk?

Having the source code of a virus at hand would also help give someone the knowledge necessary to circumvent all of the antivirus programs created to date. As Vaccine's author has said, the last thing we want is to fuel an ongoing escalation whereby viruses get too smart for the antivirus programs, which are then updated to take care of those viruses, which are then made smarter, leading to...

In any case, no one need decide in whose hands this 'privileged information' should lie. Anyone with the ability to decompile a virus can look at it. If you don't happen to have access to a virus to do this, DON'T COMPLAIN. You've been lucky. And no, I won't send you a copy of a virus, either.

This isn't suppressing information, it's just refraining from publishing it. I'm terrified that someone is going to get their hands on a virus' source code and write the first virus that will REALLY be designed for damage. It won't be a pretty sight.

--
Mark H. Anbinder                    ** MHA@TCGould.tn.cornell.edu
NG33 MVR Hall, Media Services Dept. ** THCY@CRNLVAX5.BITNET
Cornell University                  H: (607) 257-7587 ********
Ithaca, NY 14853                    W: (607) 255-1566 *******
Ego ipse custodies custudio
rmf1992@uxf.cso.uiuc.edu (10/17/88)
There is an article in the November MacWorld that suggests that the SCORES virus was written by a disgruntled programmer: "SCORES was apparently written to target two of EDS's (Electronic Data Systems) in-house programs that bear the ERIC and VULT identifiers." And, after NASA got infected, the FBI was called in to investigate. Unfortunately, the article never says that the SCORES author was caught, prosecuted, and convicted. Probably this was because they lacked enough substantial evidence.

Bob Frank - undergrad @ UofIllinois
rmf1992@uxf.cso.uiuc.edu
Mark_Peter_Cookson@cup.portal.com (10/18/88)
I have a question. Is KillScores supposed to have a "nVIR" resource in it? I looked at it and this just didn't seem quite right, but since I have two independent copies and they both have them in there, the only thing I can think of is that KillScores is trying to fool the real nVIR into not infecting the system with a dummy nVIR (I heard this could be done). Is this true, or am I just lucky I have yet to run this puppy?

Mark Cookson
jln@eecs.nwu.edu (John Norstad) (10/19/88)
Mark Cookson writes:

>Is KillScores supposed to have a "nVIR" resource in it?
>I looked at it and this just didn't seem quite right, but since I have two
>independent copies and they both have them in there the only thing I can think
>of is that KillScores is trying to fool the real nVIR into not infecting the
>system with a dummy nVIR (I heard this could be done). Is this true, or am
>I just lucky I have yet to run this puppy?

My copy of KillScores contains no nVIR resources. Your copy is either infected, or as you guessed, somebody added them in an attempt to prevent infection by nVIR. I wouldn't run them until and unless you find out what's going on. If you could tell us the IDs and sizes of the nVIR resources we might be able to give you more information.

John Norstad
Academic Computing and Network Services
Northwestern University
Bitnet: jln@nuacc
Internet: jln@nuacc.acns.nwu.edu
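As an added illustration of the check Norstad asks for above (the IDs and sizes of any "nVIR" resources in a file), here is a small Python script, not code from the original thread or from KillScores, that walks a classic Macintosh resource fork and lists every resource's type, ID and size, flagging those of type nVIR. The fork it inspects is constructed inline by a helper; the two nVIR-typed entries hold zero-filled placeholder bytes, not real virus data.

```python
import struct

def build_resource_fork(resources):
    """Constructed helper: pack (type, id, payload) tuples into a minimal resource fork."""
    by_type, data = {}, b""
    for rtype, rid, payload in resources:
        by_type.setdefault(rtype, []).append((rid, len(data)))
        data += struct.pack(">I", len(payload)) + payload  # each item: 4-byte length, then bytes
    ntypes = len(by_type)
    type_list = struct.pack(">H", ntypes - 1)              # counts are stored minus one
    ref_lists, ref_off = b"", 2 + 8 * ntypes               # reference lists follow the type list
    for rtype, entries in by_type.items():
        type_list += rtype.encode("mac_roman") + struct.pack(">HH", len(entries) - 1, ref_off)
        for rid, doff in entries:
            # ID, no name (-1), attribute byte, 3-byte offset into data area, 4-byte handle slot
            ref_lists += struct.pack(">hh", rid, -1) + b"\x00" + doff.to_bytes(3, "big") + b"\x00" * 4
            ref_off += 12
    # map header: 24 reserved bytes, then offsets (from map start) to type list and name list
    rmap = b"\x00" * 24 + struct.pack(">HH", 28, 28 + len(type_list) + len(ref_lists))
    rmap += type_list + ref_lists
    header = struct.pack(">IIII", 256, 256 + len(data), len(data), len(rmap))
    return header + b"\x00" * 240 + data + rmap            # data area starts at offset 256

def list_resources(fork):
    """Walk the resource map and return [(type, id, size), ...] for every resource."""
    data_off, map_off = struct.unpack(">II", fork[:8])
    tl = map_off + struct.unpack(">H", fork[map_off + 24:map_off + 26])[0]  # type list start
    found = []
    for i in range(struct.unpack(">H", fork[tl:tl + 2])[0] + 1):
        e = tl + 2 + 8 * i
        rtype = fork[e:e + 4].decode("mac_roman")
        count, ref_off = struct.unpack(">HH", fork[e + 4:e + 8])
        for j in range(count + 1):
            r = tl + ref_off + 12 * j
            rid = struct.unpack(">h", fork[r:r + 2])[0]
            doff = int.from_bytes(fork[r + 5:r + 8], "big")    # 3-byte offset into data area
            size = struct.unpack(">I", fork[data_off + doff:data_off + doff + 4])[0]
            found.append((rtype, rid, size))
    return found

def suspicious_resources(fork, types=("nVIR",)):
    """The check asked for in the thread: IDs and sizes of resources of a suspect type."""
    return [(t, i, s) for t, i, s in list_resources(fork) if t in types]

# Constructed sample: one ordinary 'STR ' resource plus two 'nVIR'-typed entries whose
# payloads are zero-filled placeholders (sample data only, not real virus code).
SAMPLE_FORK = build_resource_fork([("STR ", 128, b"hello"),
                                   ("nVIR", 10, b"\x00" * 8),
                                   ("nVIR", 0, b"\x00")])
```

To inspect a real file, read its resource fork (on classic Mac OS the file's resource fork; on later systems the `..namedfork/rsrc` path or a MacBinary/AppleDouble extraction) into `fork` and call `suspicious_resources(fork)`.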