[comp.misc] Commercial liability for distributing a virus

dont@xios.XIOS.UUCP (Don Taylor) (03/17/88)

There has been much talk of virus programs lately.  Recently
somebody posted the advice that s/he would only acquire binaries
from a known source, presumably a software manufacturer, that
'free' software without sources is just too risky to use.

I thought at the time that this made (a sad sort of) sense, but an
article in this morning's Toronto Globe and Mail has started me thinking
that ANY sort of binary is a risk.  Apparently, a Montreal magazine (MacMag)
released a virus that simply (we hope) displayed a pop-up message of peace.
This virus has travelled the world and infected many sites, including a
system at Aldus Corp.  It has appeared in software sold by Aldus.  This is
really scary stuff.  If this had been a malicious virus, then Aldus would
have distributed it on to their customers.

How can we be protected against this?  Can software manufacturers be held
responsible for the 'cleanliness' of their distributions?  If my disk gets
wiped by a virus distributed with a piece of software that I have paid
hundreds of dollars for, then I am going to want somebody's head, and
I am sure that I would not be alone.  My confidence in the big manufacturers'
quality control on this sort of thing is pretty low since the day I did
a 'strings' on MS Word (version 2 I think) and I saw a chilling message 
that said something to the effect: 'the fruits of evil are bitter, wiping
your hard disk now...'.  Bill Gates was questioned about this at the time
and claimed that MS did not authorize the insertion of this message, that
it was done by a co-op student whose intentions were good, but misguided.
Apparently, this message would be triggered if a copied version of Word
is used without the key disk that was required at that time.  It did not
actually wipe your hard disk, just scare you a little.  What bothered me
most at the time was that MS let something like this slip by them, this 
was something that could have been caught by simply reading the code.  How
much more likely is it that somebody will let a much more difficult to spot
virus through?  Shudder...

I think that this stuff is really serious.  Unless some sort of protection
against these viruses (virii?) can be devised, then I can't see how public
domain and shareware software can continue.  I feel that it is now just a 
matter of time before a major software manufacturer re-distributes a deadly
virus with their software with widespread disastrous consequences.  Even if
the manufacturer could not be held legally liable for the consequences of
its negligence, then surely it would go out of business through lack of 
consumer confidence.  Finally, let us not forget that PC software is used
in many applications besides the office (clinical, manufacturing, ...).

I sure hope that someone can give me some good reasons for not being
so pessimistic about this issue.

Don.

PS.  I just heard about a virus generator called OSIRIS. (Cute etymology).
Now you don't have to be even moderately competent technically to create
and distribute a new virus, anybody with a PC and a modem can start an
infection.  I should be interested to hear anything about this program.  I
should like to have my hands around the neck of the jerk who wrote it...


-- 
Don Taylor         ...!uunet!mnetor!dciem!nrcaer!xios!dont 

54, Chimo Drive,
Kanata,
Ontario,
Canada, K2L 1Y9

(613-) 592-3894

kotlas@ecsvax.UUCP (Carolyn M. Kotlas) (03/24/88)

In article <500@xios.XIOS.UUCP>, dont@xios.XIOS.UUCP (Don Taylor) writes:> 
> 
> My confidence in the big manufacturers'
> quality control on this sort of thing is pretty low since the day I did
> a 'strings' on MS Word (version 2 I think) and I saw a chilling message 
> that said something to the effect: 'the fruits of evil are bitter, wiping
> your hard disk now...'.  Bill Gates was questioned about this at the time
> and claimed that MS did not authorize the insertion of this message, that
> it was done by a co-op student whose intentions were good, but misguided.

This isn't the only instance of little messages being sprinkled in
Microsoft products.  I was shown a recent one at a demo of MS Bookshelf
last week.  There is a part of the package that contains a list of
wordprocessors and versions that can be selected to use along with this
reference tool.  After a long list of various versions of MS Word, the
non-Microsoft wordprocessors are listed and in parentheses next to
WordPerfect is an exclamation of dismay (OH NO, I think it was).  I guess
the developers thought this was a clever way to take a shot at their
competition, but it struck me as less than professional, and I can't
help wondering what other little gems are secreted in their software and
under what circumstances they'll pop up on the user. 
-- 
Carolyn Kotlas    (kotlas@ecsvax.UUCP  or  kotlas@ecsvax.BITNET)
UNC-Educational Computing Service   P. O. Box 12035      2 Davis Drive
Research Triangle Park, NC  27709   State Courier #315   919/549-0671

tneff@atpal.UUCP (Tom Neff) (03/25/88)

How do we protect ourselves against viruses?

[1] PHYSICALLY limit access to the computer, where practicable.  Don't let
the kids play on it.  Don't let your secretary's PC "guru" friend come in
and "optimize" her system without your prior approval and direct oversight.
Don't let your employees bring in their favorite utilities and editors and
chess games and whatnot "from home" or "from the club" and install them on
the company's computer.  These things may sound like a severe case of "oh,
you're no fun anymore," but you do not want to have to explain to the board
of directors that you lost a month's worth of revenues because your girlfriend
likes to play Asteroids.

[2] BACK UP your damn system!  Regularly, fully, with verify turned on.  I
ought to be able to walk into your office with a 15-pound sledge hammer,
reduce your workstation to smoldering ruins with a few mighty swings, and
cost you no more than a day's work as a result.  You know this; everybody
knows it.  Most people observe it in the breach.  'Nuff said.

[3] RUN HIGH TECH vaccines, trojan finders and bug sniffers if you want, but
don't rely on them.  They will fail you when you need them, I guarantee you.
Use this rule of thumb:  If your electronic guard dogs successfully detect
one virus a month, you will probably be safe for a FQ at a time.  If you 
never see any viruses at all, WATCH OUT because you have *no* idea whether
you even *can* detect them!  "All quiet" is not reassuring in this game.

[4] PLAY WITH YOUR CALENDAR when you install a new package.  The MacMag
virus, and presumably others written or as yet unwritten, wait for some
indeterminate expiration date before they pounce.  The easiest, cheapest
way to predict whether your current software set will still be running
normally next November is to fool your computer into thinking it IS November
for a while!  There are several loopholes in this approach, but it is still
worth trying.  One of the high tech sniffers that doesn't exist yet, but
should (I hope someone writes it), would change your computer's clock tick
rate so that time "flashes by" radically quickly!  Let your PC or Mac sit there
and experience a year's worth of "time" a la H.G.Wells, while you watch.
If there is a time bomb buried inside, it may well go off on cue.

These are a few thoughts.  Others include avoiding self-extracting archives
(pace Phil K.) and README.COM type things - use LIST and ARCE, much safer.
I welcome other suggestions.  TMN

-- 

Tom Neff 

tada@athena.mit.edu (Michael Zehr) (03/25/88)

In article <500@xios.XIOS.UUCP> dont@xios.XIOS.UUCP (Don Taylor) writes:
>
> ["hacks" by programmers slipping through]
>How
>much more likely is it that somebody will let a much more difficult to spot
>virus through?  Shudder...
>

There's a (nameless) company which produced a custom hardware/software
combination for application development.  They had a high turnover rate
among their staff, who were mostly college students.  Some of them must have
had a strange sense of humor, because the error messages had a lot of hacks
in them.  For example:

You deserve to lose, because you did _____  [followed by system crash]

or, (and this appeared once during a client demo)

File system all f***ed up.

When one of them was found and a complaint sent, the company would eventually
track it down and fix it.  (Says something about their design that they
didn't have an easy to look at list of all error messages...)  The units
would crash frequently, and I wonder if some of the crashes were due to
a virus an employee put in as a hack...

-------
michael j zehr
"My opinions are my own ... as is my spelling."

hawkins@bnrmtv.UUCP (Peter Hawkins) (03/25/88)

In article <500@xios.XIOS.UUCP>, dont@xios.XIOS.UUCP (Don Taylor) writes:
 
 [deleted stuff]

> I thought at the time that this made (a sad sort of) sense, but an
> article in this morning's Toronto Globe and Mail has started me thinking
> that ANY sort of binary is a risk.  Apparently, a Montreal magazine (MacMag)
> released a virus that simply (we hope) displayed a pop-up message of peace.
> This virus has travelled the world and infected many sites, including a
> system at Aldus Corp.  It has appeared in software sold by Aldus.  This is
> really scary stuff.  If this had been a malicious virus, then Aldus would
> have distributed it on to their customers.
 
 [deleted stuff]

> quality control on this sort of thing is pretty low since the day I did
> a 'strings' on MS Word (version 2 I think) and I saw a chilling message 
> that said something to the effect: 'the fruits of evil are bitter, wiping
> your hard disk now...'.  Bill Gates was questioned about this at the time
> and claimed that MS did not authorize the insertion of this message, that
> it was done by a co-op student whose intentions were good, but misguided.
> Apparently, this message would be triggered if a copied version of Word
> is used without the key disk that was required at that time.  It did not
> actually wipe your hard disk, just scare you a little.  What bothered me

    [deleted stuff]
 
> I sure hope that someone can give me some good reasons for not being
> so pessimistic about this issue.

    [deleted stuff]

> PS.  I just heard about a virus generator called OSIRIS. (Cute etymology).
> Now you don't have to be even moderately competent technically to create
> and distribute a new virus, anybody with a PC and a modem can start an
> infection.  I should be interested to hear anything about this program.  I
> should like to have my hands around the neck of the jerk who wrote it...

Wow!!  All this talk about software viruses...  I'm not quite sure just what
the definition of virus is in this context.  Obviously, it has a negative
effect that is spread from one computer to another, but what I don't understand
is by what means it is spread.  The talk about trojan horse programs and things
like what you discussed with MS Word sound like either just bugs in the software
or in the case of the MS Word thing (if it were actually carried out) as being
a *very* stupid way of trying to punish *assumed* pirates (I say assumed because
many people try installing their software a little different than the manual 
suggests in order to suit their needs or disk organization better).  On the
other hand though, it sounds kind of like you are talking about some code that
causes some sort of damage (or peace message in the case you mentioned) that
mysteriously works itself into other programs and across phone lines on its
own.  I can not conceive of this being possible.  Please, this topic sounds
very interesting, describe a "virus" in more detail.

Pete

   ...hplabs!bnrmtv!hawkins    until April 8th
   ...csun!polyslo!phawkin     after April 8th

nelson@sun.soe.clarkson.edu (Russ Nelson) (03/25/88)

In article <4811@ecsvax.UUCP> kotlas@ecsvax.UUCP (Carolyn M. Kotlas) writes:
>In article <500@xios.XIOS.UUCP>, dont@xios.XIOS.UUCP (Don Taylor) writes:> 
>> [I did ] a 'strings' on MS Word (version 2 I think) and I saw a chilling
>> message that said something to the effect: 'the fruits of evil are bitter,
>> wiping your hard disk now...'.
>This isn't the only instance of little messages being sprinkled in
>Microsoft products.

I saw a message that went approximately like this in a Microsoft program
that I disassembled.  The message would appear if you invoked the program
with an (undocumented) /M switch.  Unfortunately, I cannot locate the
program again.  Maybe it was the mouse driver, maybe it was recover.

Chris Peters worked on the new dos.  Microsoft rules ok!

I hope you're embarrassed about this now, Chris...
-- 
-russ
AT&T: (315)268-6591  BITNET: NELSON@CLUTX  Internet: nelson@clutx.clarkson.edu
GEnie: BH01  Compu$erve: 70441,205

roy@phri.UUCP (Roy Smith) (03/25/88)

In article <622@sun.soe.clarkson.edu> nelson@sun.soe.clarkson.edu.UUCP (Russ Nelson) writes:
> The message would appear if you invoked the program with an (undocumented)
> /M switch.

Anybody remember "values of B will give rise to dom!"?
-- 
Roy Smith, {allegra,cmcl2,philabs}!phri!roy
System Administrator, Public Health Research Institute
455 First Avenue, New York, NY 10016

cramer@optilink.UUCP (Clayton Cramer) (03/26/88)

> In article <500@xios.XIOS.UUCP>, dont@xios.XIOS.UUCP (Don Taylor) writes:> 
> > 
> > My confidence in the big manufacturers'
> > quality control on this sort of thing is pretty low since the day I did
> > a 'strings' on MS Word (version 2 I think) and I saw a chilling message 
> > that said something to the effect: 'the fruits of evil are bitter, wiping
> > your hard disk now...'.  Bill Gates was questioned about this at the time
> > and claimed that MS did not authorize the insertion of this message, that
> > it was done by a co-op student whose intentions were good, but misguided.
> 
> This isn't the only instance of little messages being sprinkled in
> Microsoft products.  I was shown a recent one at a demo of MS Bookshelf
> last week.  There is a part of the package that contains a list of
> wordprocessors and versions that can be selected to use along with this
> reference tool.  After a long list of various versions of MS Word, the
> non-Microsoft wordprocessors are listed and in parentheses next to
> WordPerfect is an exclamation of dismay (OH NO, I think it was).  I guess
> the developers thought this was a clever way to take a shot at their
> competition, but it struck me as less than professional, and I can't
> help wondering what other little gems are secreted in their software and
> under what circumstances they'll pop up on the user. 
> -- 
> Carolyn Kotlas    (kotlas@ecsvax.UUCP  or  kotlas@ecsvax.BITNET)

I guess I must just be unprofessional and immature.  Unlike the message,
"wiping your hard disk now...", this comment about WordPerfect isn't
going to cause anyone to wonder what the software is doing -- and I've
read FAR too many humorless manuals.  See the original Epson MX-80
manual written by Dr. David Lien (sp?) for an example of how effective
humor is in making a technical reference readable.

Clayton E. Cramer

dag@chinet.UUCP (Daniel A. Glasser) (03/26/88)

In article <622@sun.soe.clarkson.edu> nelson@sun.soe.clarkson.edu.UUCP (Russ Nelson) writes:
+In article <4811@ecsvax.UUCP> kotlas@ecsvax.UUCP (Carolyn M. Kotlas) writes:
++In article <500@xios.XIOS.UUCP>, dont@xios.XIOS.UUCP (Don Taylor) writes:> 
+++ [I did ] a 'strings' on MS Word (version 2 I think) and I saw a chilling
+++ message that said something to the effect: 'the fruits of evil are bitter,
+++ wiping your hard disk now...'.
++This isn't the only instance of little messages being sprinkled in
++Microsoft products.
+
+I saw a message that went approximately like this in a Microsoft program
+that I disassembled.  The message would appear if you invoked the program
+with an (undocumented) /M switch.  Unfortunately, I cannot locate the
+program again.  Maybe it was the mouse driver, maybe it was recover.
+Chris Peters worked on the new dos.  Microsoft rules ok!

Back when I worked as a basic programmer for OSI (Ohio Scientific Instruments)
there was what we called a 'germ' in the PROMs for the Challenger 2P.
This particular 'germ' would, apparently randomly, hang up the system with
some cute message.  I don't remember what the message was, but BOY was it
annoying.  I don't know if this germ was in the ROMs that got shipped to
customers.  (OSI used MS 8 K basic!)

I remember hearing about a secret screen hidden in some version of MAC
or Lisa ROMs, that was there as an easy way for the insiders to tell if
someone had cloned their ROMs.

These are not viruses any more than the messages in expensive software
packages as they do not self propagate.  With the exception of the problem
on the OSI C2P's, none are destructive.

The most virus-like thing I've ever heard of actually built into a
'commercial' software release is the login/cc hack in which cc would
recognize that it was compiling login and include code that would
allow the author to log in (as root, I believe) on the system without
the root password, and would recognize that it was compiling a new
version of cc, and insert the code to recognize itself and login, so
the sources to cc and login did not contain the security holes, just
the binaries.  This was done, so the story goes, as a demonstration
by the author of the hack (was it dmr, kt or bk?) of how easy it was
to get around the security in UNIX, and not intended to be distributed,
but a few unix tapes were shipped with compilers infected with the
virus.  The entire story may be apocryphal, but I heard it from a
good source.

-- 
		Daniel A. Glasser	dag@chinet.UUCP
    One of those things that goes "BUMP!!! (ouch!)" in the night.
 ...!att-ih!chinet!dag | ...!ihnp4!mwc!dag | ...!ihnp4!mwc!gorgon!dag

brianb@bucsb.UUCP (Brian Bresnahan) (03/26/88)

In article <500@xios.XIOS.UUCP> dont@xios.XIOS.UUCP (Don Taylor) writes:

	I have seen several messages asking what a virus is, so I will
	attempt to describe it:

	   A virus is a self-propagating program that, as part of its
	execution, places a copy of itself somewhere.  The virus
	type that we are discussing here is frequently attached to part
	of the operating system or placed on the boot sector of a disk.
	The act of booting the machine or accessing a disk will spread
	the virus; it will spread very rapidly through a set of disks.
	These programs have varied effects: some of them damage the drive
	information, some just display messages, and some of the more
	complex ones use time bombs so the virus will spread as far as
	possible before it goes off.
	

>
>[text deleted]
>I thought at the time that this made (a sad sort of) sense, but an
>article in this morning's Toronto Globe and Mail has started me thinking
>that ANY sort of binary is a risk.  Apparently, a Montreal magazine (MacMag)
>released a virus that simply (we hope) displayed a pop-up message of peace.
>This virus has travelled the world and infected many sites, including a
>system at Aldus Corp.  It has appeared in software sold by Aldus.  This is
>really scary stuff.  If this had been a malicious virus, then Aldus would
>have distributed it on to their customers.
>
	There is no reason why this won't happen more often in the
	future also; there are some very insidious creations out there
	and one day a deadly virus may get on the disks for a major
	software release.  An update disk would be most dangerous as
	it would propagate much faster.  It may show itself in the stores
	with a new product.

>How can we be protected against this?  Can software manufacturers be held
>responsible for the 'cleanliness' of their distributions?  If my disk gets
>wiped by a virus distributed with a piece of software that I have paid
>hundreds of dollars for, then I am going to want somebody's head, and
>I am sure that I would not be alone.  My confidence in the big manufacturers'
>quality control on this sort of thing is pretty low since the day I did
>a 'strings' on MS Word (version 2 I think) and I saw a chilling message 
>that said something to the effect: 'the fruits of evil are bitter, wiping
>your hard disk now...'.  Bill Gates was questioned about this at the time
>and claimed that MS did not authorize the insertion of this message, that
>it was done by a co-op student whose intentions were good, but misguided.
>Apparently, this message would be triggered if a copied version of Word
>is used without the key disk that was required at that time.  It did not
>actually wipe your hard disk, just scare you a little.  What bothered me
>most at the time was that MS let something like this slip by them, this 
>was something that could have been caught by simply reading the code.  How
>much more likely is it that somebody will let a much more difficult to spot
>virus through?  Shudder...
>
	Remember when Ashton-Tate threatened to use the worm protection
	scheme with dBase III?  This would have been wonderful: a glitch
	on your boot disk and all your data would have been erased, but
	public relations made them decide against it.

	One of the problems is that the virus may have been introduced
	at the production stage, and it would be tough to trace
	liability here.

	Also, current PC software is mostly distributed with 'as is'
	licenses; that a program works properly is not guaranteed, so
	where would virus invasion fall into that area?  What kind of
	damages could you get even if you won?


>Don Taylor         ...!uunet!mnetor!dciem!nrcaer!xios!dont 
>
>54, Chimo Drive,
>Kanata,
>Ontario,
>Canada, K2L 1Y9
>
>(613-) 592-3894

__________________________
Brian Bresnahan
brianb@bucsb.bu.edu

friedl@vsi.UUCP (Stephen J. Friedl) (03/26/88)

Many ask about detecting a virus in production software:  I'm the
last guy to be an expert on this but it strikes me that if (say)
Aldus ships off some disks to a production house, they should
take a sample disk from the run and compare it with trusted,
known binaries.  Differences should be investigated.  If the
production house itself is doing this kind of thing then they
will ship a "clean" copy for infection but perhaps Aldus or
whoever should just get a copy from a random distributor once
in a while.  This might also serve a general-purpose quality
control function for the entire package: are manuals neat, are
disks readable, is packaging clear, etc.

-- 
Steve Friedl      V-Systems, Inc.        *Hi Mom*
friedl@vsi.com   {uunet,attmail,ihnp4}!vsi!friedl
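
Added example (not part of the thread and not any poster's code): one way to carry out the sample-disk comparison suggested above, done per sector on a raw disk image so that a change to the boot sector, the infection point described earlier in the thread, is caught even when every file on the disk still matches. The 512-byte sector size, the function names and the sample images are assumptions constructed for illustration.

```python
"""Audit a disk image sampled from a production run against the trusted master."""
import hashlib
import io

SECTOR_SIZE = 512  # assumption: 512-byte sectors; sector 0 is the boot sector


def sector_hashes(stream, sector_size=SECTOR_SIZE):
    """Yield (index, sha256 hex digest) for each sector read from a binary stream."""
    index = 0
    while True:
        chunk = stream.read(sector_size)
        if not chunk:
            return
        yield index, hashlib.sha256(chunk).hexdigest()
        index += 1


def build_baseline(master_stream):
    """Record the per-sector digests of the trusted master, in disk order."""
    return [digest for _, digest in sector_hashes(master_stream)]


def audit_sample(baseline, sample_stream):
    """Report every sector where the sampled disk departs from the master."""
    changed = []
    seen = 0
    for index, digest in sector_hashes(sample_stream):
        seen += 1
        # Extra sectors beyond the master count as changes too.
        if index >= len(baseline) or digest != baseline[index]:
            changed.append(index)
    # Sectors the master has but a short sample lacks.
    changed.extend(range(seen, len(baseline)))
    return {
        "clean": not changed,
        "changed_sectors": changed,
        "boot_sector_changed": 0 in changed,
        "length_mismatch": seen != len(baseline),
    }


def constructed_master():
    """Constructed 8-sector image: a fake boot sector followed by filler data."""
    boot = b"\xeb\x3c\x90" + b"CONSTRUCTED-BOOT".ljust(SECTOR_SIZE - 5, b"\x00") + b"\x55\xaa"
    data = bytes((i * 7) % 256 for i in range(SECTOR_SIZE * 7))
    return boot + data


def demo():
    """Audit four constructed samples against the constructed master."""
    master = constructed_master()
    baseline = build_baseline(io.BytesIO(master))

    file_patched = bytearray(master)
    file_patched[5 * SECTOR_SIZE + 10] ^= 0x01  # single flipped bit in sector 5

    samples = {
        "good_copy": master,
        "boot_patched": b"\x00" * 16 + master[16:],  # boot sector altered
        "file_patched": bytes(file_patched),
        "truncated": master[:-SECTOR_SIZE],           # last sector missing
    }
    return {name: audit_sample(baseline, io.BytesIO(img))
            for name, img in samples.items()}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

The baseline has to be produced and stored away from the duplication step, and the sample taken from disks that have already left it, since the comparison only proves the sample matches whatever baseline it is given.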

esj@beach.cis.ufl.edu (Eric S. Johnson) (03/27/88)

Many folks have asked: "what to do about viruses?". Well, there is a 
simple solution, and it becomes more practical every day. 

Don't use systems without hardware memory access/device protection
(supported by the OS, of course).  The key to all the "popular" viruses
seems to be that any program running has full control of the entire
machine.  Bad stuff here.  I'm kinda surprised that this kind of abuse
did not show up earlier.

Hardware/OS protection is (and never will be) the perfect solution, 
but it will stop the simple virus. And none of the viruses I have seen
have been anything more than simple hacks taking advantage of lame
hardware/software problems.


--
In Real Life:           Internet: esj@beach.cis.ufl.edu
Eric S. Johnson II      UUCP: ...{codas|gatech}!uflorida!beach.cis.ufl.edu!esj
University of Florida         Think of it as entropy in action :-)

jra@jc3b21.UUCP (Jay R. Ashworth) (03/29/88)

From article <4123@chinet.UUCP>, by dag@chinet.UUCP (Daniel A. Glasser):
} In article <622@sun.soe.clarkson.edu> nelson@sun.soe.clarkson.edu.UUCP (Russ Nelson) writes:
} +In article <4811@ecsvax.UUCP> kotlas@ecsvax.UUCP (Carolyn M. Kotlas) writes:
} ++In article <500@xios.XIOS.UUCP>, dont@xios.XIOS.UUCP (Don Taylor) writes:> 
} +++ [I did ] a 'strings' on MS Word (version 2 I think) and I saw a chilling
} +++ message that said something to the effect: 'the fruits of evil are bitter,
} +++ wiping your hard disk now...'.
} ++This isn't the only instance of little messages being sprinkled in
[ lots of neato stuff deleted here to save bits... ]
} The most virus-like thing I've ever heard of actually built into a
} 'commercial' software release is the login/cc hack in which cc would
} recognize that it was compiling login and include code that would
} allow the author to log in (as root, I believe) on the system without
} the root password, and would recognize that it was compiling a new
} version of cc, and insert the code to recognize itself and login, so
} the sources to cc and login did not contain the security holes, just
} the binaries.  This was done, so the story goes, as a demonstration
} by the author of the hack (was it dmr, kt or bk?) of how easy it was
It was Ken.
} to get around the security in UNIX, and not intended to be distributed,
} but a few unix tapes were shipped with compilers infected with the
} virus.  The entire story may be apocryphal, but I heard it from a
} good source.
So did I.  Hugh Downs, to be exact.  Yes, that Hugh Downs.  On the ABC
Radio Network program "Perspective", where, incidentally, he described
UNIX as an "industry-standard" operating system. (Hence the cross-post.)
} -- 
} 		Daniel A. Glasser	dag@chinet.UUCP
-- 
Jay R. Ashworth ---+-- Suncoast Television Productions--+ ...!uunet!codas!
10974 111th St. N. |   producers of Suncoast Magazine   |  !usfvax2!jc3b21!jra
Seminole FL 34648  +------------------------------------------------+---------
(813) 397-1859 ----+-- Premiering on Vision Cable Ch. 24 in May ----+ :-) !$

Robert_Bruce_Ferrell@cup.portal.com (04/01/88)

No doubt in my mind that a software distributor would be liable... it's against
federal law to deliberately destroy data not your own.

=====================
but then again; what do I know ;-}

james@bigtex.uucp (James Van Artsdalen) (04/04/88)

In article <4240@cup.portal.com>, Robert_Bruce_Ferrell@cup.portal.com wrote:
> No doubt in my mind that a software distributor would be liable... it's
> against federal law to deliberately destroy data not your own.

You would also bear civil liability under Product Liability law.  It would be
identical to Product Tampering cases, where the burden of proof is on
the manufacturer (one of those guilty-until-proven-innocent things).  The
distributors and stores selling the product also have liability.
-- 
James R. Van Artsdalen    ...!uunet!utastro!bigtex!james     "Live Free or Die"
Home: 512-346-2444 Work: 328-0282; 110 Wild Basin Rd. Ste #230, Austin TX 78746