RISKS@KL.SRI.COM (RISKS FORUM, Peter G. Neumann -- Coordinator) (03/28/88)
RISKS-LIST: RISKS-FORUM Digest Sunday 27 March 1988 Volume 6 : Issue 49
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Contents:
Risks of loss of privacy from stolen computer (PGN)
Things that go POOF! in the night (PGN)
Virtuous Virus Language (Vin McLellan)
Batch Viruses (Brian M. Clapper)
Atari ST Virus (Chris Allen via Martin Minow)
Rhine floods Communication link; Nightmare Virus Construction Set;
CCC hackers revenge threat (Klaus Brunnstein)
The Anti-Virus Business, or, This Generation's Snake-Oil? (TMP Lee)
[*** I cannot believe how large the backlog is -- and I will be tied up
with meetings all next week. Please be patient, and send only the
REALLY GOOD STUFF. That would help. PGN ***]
The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious. Diversity is welcome.
Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM.
For Vol i issue j, FTP SRI.COM, CD STRIPE:<RISKS>, GET RISKS-i.j.
Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85).
----------------------------------------------------------------------
Date: Fri 25 Mar 88 09:51:03-PST
From: Peter G. Neumann <NEUMANN@csl.sri.com>
Subject: Risks of loss of privacy from stolen computer
A thief made off with a $9,000 computer and printer from an office in Walnut
Creek CA, and discovered that his victim (Beth Savano) was a tax preparer.
In a remarkable display of good will, he returned to her 20 floppy disks
containing 150 tax returns that had been stored on the original hard disks.
However, he kept the original hard disk.
------------------------------
Date: Fri 25 Mar 88 10:01:24-PST
From: Peter G. Neumann <NEUMANN@csl.sri.com>
Subject: Things that go POOF! in the night
The latest technology in check frauds is the use of a chemical that causes
the checks to disintegrate shortly after being deposited. Such checks
have turned up at banks in the Chicago area and in Tennessee, and were
drawn on accounts in California and Tennessee. Typically a new account was
opened, the bogus check was deposited, and then a withdrawal was made before
the bogus check could bounce.
There are of course some comparable techniques in computer systems, using
Trojan horses, time bombs, etc., for data or a program to alter its own state.
------------------------------
Date: Thu 24 Mar 88 03:33:20-EST
From: "Vin McLellan" <SIDNEY.G.VIN%OZ.AI.MIT.EDU@XX.LCS.MIT.EDU>
Subject: Virtuous Virus Language
All of us with a taste for technical history doubtless enjoyed Kevin Driscoll's
charming recollection (Risks 6.48) of a 20 year old memory-crunching parasite
in COMMON code he labelled a virus. What he described, however, sounds like
what the Apple II community in the early '80s widely circulated and described
as "worm" code. The Apple worms, like Driscoll's code-critter, were simply
memory crunchers who rewrote themselves successively through the memory
(although some had neat graphics of the worm nibbling up the screen and off
into memory.) The Apple worms were, despite an identical name, quite different
from the "worm" created by Huff et al at Xerox Corporation in 1980; and
everything falls far short of the fictional "worm" described by the novelist
John Brunner in a 1975 novel.
Anyone with a report of a virus that was an actual ancestor to Fred Cohen's
1984 creation at USC -- christened "virus" by Ken Adleman of RSA fame, one of
Cohen's mentors at USC -- could make a welcome addition to the literature by
describing it. (Cohen's creation was first described at a 1985 IFIPS conference
in Toronto.) Several reports of the NSA's reaction to Cohen's paper clearly
indicate that this was a new threat to the Fort Meade spooks who guard the US
government's most secure systems, but there may have been prior art unreported
somewhere.
I haven't yet heard any such tale. I have, however, received many calls from
journalists who have been told by respected computer security mavens that this
is a decades-old problem. A lot of people who should know better seem to
believe, like Driscoll, that any self-replicating program that moves itself to
a new location in memory is a "virus." Obviously few have read Cohen. The
widely-described IBM "virus" in VNET and Bitnet last December was not, for
instance, a "virus."
Let's get it straight, folks! A virus is defined by its capability for epidemic
contagion. It's a parasite program that attaches itself to another program,
effectively turning its victim into a "Trojan" which, when executed, seeks out
a particular, targeted, pattern of code in any available potential victims
(programs) to attach a copy of itself ("infect" them) and make them too
"carriers." The virus is merely a medium for contagion; its undeclared mission
or task is in other code piggybacked upon it. (Cohen's formal description also
emphasizes that a virus can be designed to evolve -- change its form or target
-- over generations.)
The damn things are going to be with us for a long time, and it would be nice
not to lose control of the language as we did with "worms." Anyone got any
*relevant* ancient history?
Vin McLellan The Privacy Guild (617) 426-2487
------------------------------
Date: Thu, 24 Mar 88 09:28:05 EST
From: clapper@NADC.ARPA (Brian M. Clapper)
Subject: Batch Viruses
Kevin Driscoll's COMMON Code commentaries in RISKS 6.48 reminded me of
a simple and particularly nasty program I encountered while still in
college. It consisted of 3 lines of FORTRAN:
C     Endless overstrike of a full 132-column line of dashes
   10 PRINT 1000
      GOTO 10
 1000 FORMAT ('+', 132('-'))
      END
For those who may not remember, in FORTRAN, a '+' in the first column
is carriage control for an overstrike. This small program continually
overstrikes 132 dashes on a line printer. Needless to say, if it runs
long enough, it can do a fair amount of damage. I was amazed at its
simplicity. I made the mistake of mentioning it to a supposedly
trustworthy fellow student, one who I thought would share my
amazement. He did share the amazement, but he took the matter one step
further: He typed it in, submitted a batch job to run it, and directed
the output to a high-speed line printer. When he specified the printer
id, he made an error, and the output was sent to an unsupervised line
printer in the staff area of the computer center rather than to a
normal, operator-supervised line printer. The job ran for quite
awhile, and caused untold dollars of damage to the printer.
Obviously, there should have been no way for a student to send any job
to an unsupervised line printer. Had he sent it to one of the
standard, operator-supervised line printers, one of the operators would
have killed the job soon after it started printing. (Repeated
overstriking on a high-impact line printer has a very distinct sound.
Further, the operators were known to kill jobs which printed out those
fun computer posters we all liked so much in college.) Still, I
remember thinking at the time that this type of malicious behavior can
be extremely difficult to prevent. Even the CPU-time restrictions
placed on the typical student job were insufficient, since this program
can do quite a bit of harm in a very short time. (And it did.)
As I recall, the student was caught. His punishment was much less
severe than I would have thought. I think he was denied further access
to the computer building for a few months and had his account taken
away. The day after the incident, he told me about it in class. He
was really indignant that the computer center staff had taken away his
account.
Brian M. Clapper, Naval Air Development Center, Warminster, PA
------------------------------
Date: 26 Mar 88 20:48
From: minow%thundr.DEC@decwrl.dec.com (Martin Minow THUNDR::MINOW ML3-5/U26 223-9922)
Subject: Atari ST Virus
I've attached a long article on an Atari ST virus program, taken from Usenet,
adding a few comments (* in column 1) explaining Atari-specific terms.
Now, all of the popular personal computers have been attacked by viruses.
(It's probably not worth posting as-is to Risks, but you might want to stuff it
in your archives and post a summary.)
Martin.
Newsgroups: comp.sys.atari.st
Path: decwrl!labrea!agate!pasteur!ames!nrl-cmf!mailrus!umix!uunet!mcvax!ukc!reading!onion!minster!SoftEng!john
Subject: The Atari ST `virus'
Posted: 22 Mar 88 15:26:48 GMT
Organization: Department of Computer Science, University of York, England
I'm posting this for someone who does not have Usenet access.
THE ATARI ST VIRUS
==================
This weekend I received a number of pd software disks from a computer store.
I found that three of these contained the 'ST Virus' that has been
mentioned on the net recently. I did not however discover this until it
had trashed one disk and infected a very large number of disks.
I have since disassembled the virus and worked out exactly what it
does and I am posting a summary of what I found here.
What The Virus Does
===================
When the ST is reset or switched on, it reads some information from track 0
sector 0 of the disk in drive A. It is possible to set up that sector so
that the ST will execute its contents. The virus program is written into
this sector so that it is loaded whenever the ST is booted on the offending
disk.
Once loaded into memory the virus locates itself at the end of the
system disk buffer (address contained at 0x4c2 I think) and attaches itself
to the bios getbpb() function.
*
* getbpb() returns the operating system parameter block for a disk device.
*
Every time getbpb() is called, the virus is activated. It tests the
disk to see if it contains the virus. If it doesn't then the virus is
written out to the boot sector and a counter is initialised.
If the disk does contain the virus then the counter is incremented.
Once the counter reaches a certain value, random data is written across the
root directory & fat tables for the disk thus making it unusable. The virus
then removes itself from the boot sector of the damaged disk (destroys the
evidence??).
*
* The "fat table" contains the bitmap of unused sectors.
*
NOTES
=====
Once the virus is installed in the ST it will copy itself to EVERY non write
protected disk that you use - EVEN IF YOU ONLY DO A DIRECTORY - or open a
window to it from the desktop.
The virus CANNOT copy itself to a write-protected disk.
I *think* (but am not certain) that it survives a reset.
The current virus does not affect hard disks (it uses the flopwr() call).
*
* flopwr() writes a sector on a floppy disk (drives A or B).
*
However, if you are using an auto-boot hard disk such as Supra, and the disk
in drive A contains the virus, THE FLOPPY BOOT SECTOR IS EXECUTED BEFORE THE
HARD DISK BOOT SECTOR and consequently the virus will still be loaded and
transferred to every floppy that you use.
THE CURE
========
To test for the virus, look at sector 0 of a floppy with a disk editor.
If the boot sector is executable then it will contain 60 hex as its first
byte. Note that a number of games have executable boot sectors as part of their
loading. However if this is the case then they should not load when infected
by the virus.
If people are worried about this & haven't been able to get the other killer
(I have not seen it yet) then I will post the source/object for a simple
virus detector/killer that I have written.
OTHER VIRUSES
=============
It would appear that this virus is not the end of the story. I have heard
that there is a new virus around. This one is almost impossible to detect
as for each disk inserted, it scans for any *.prg and appends itself to the
text segment in some way. Thus it is very difficult to tell whether or not
the virus is actually on a disk.....
FINALLY
=======
Use those write-protect tabs!
Check all new disks!
Hopefully we can get rid of this virus totally before it damages something
important.
Chris Allen.
If you want any information, etc etc mail me at:
Janet: CJA1@uk.ac.york.vaxa
uucp: ...!uunet!mcvax!ukc!minster!CJA1@VAXA
arpa: CJA1%vaxa.york.ac.uk@mss.cs.ucl.ac.uk
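As an added illustration of the boot-sector test Chris Allen describes (this is not code from his post or from Martin Minow), the following Python triages a raw 512-byte dump of sector 0 such as a disk editor would give you. It checks the 0x60 first byte the post mentions (0x60 is the 68000 BRA opcode) and, as an assumption not stated on the page, the TOS rule that a boot sector is executed only when its 256 big-endian 16-bit words sum to 0x1234. The sample sectors are constructed, not dumps of any real disk. The disinfect step mirrors what a simple "virus killer" does and carries the caveat from the post: it will also stop a game's legitimate boot code, so the verdict it gives is "executable", not "infected".

```python
"""Boot-sector triage for Atari ST floppy images (added example).

Assumptions not in the original post:
  - the input is a raw 512-byte dump of track 0, sector 0;
  - the TOS convention that the sector is executed at boot only when the
    sum of its 256 big-endian 16-bit words, mod 2**16, equals 0x1234.
The first-byte test (0x60, a 68000 BRA) is the one the post describes.
"""
import struct

SECTOR_SIZE = 512
TOS_BOOT_MAGIC = 0x1234   # required word sum before TOS jumps into the sector
BRA_OPCODE = 0x60         # first byte of a 68000 BRA.S / BRA.W instruction


def word_sum(sector: bytes) -> int:
    """Sum of the 256 big-endian 16-bit words, modulo 2**16."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    return sum(struct.unpack(">256H", sector)) & 0xFFFF


def triage(sector: bytes) -> dict:
    """Report both indicators: a BRA at offset 0 and a valid boot checksum.

    Both together mean the sector runs at boot. That alone does not prove
    infection: many games boot this way, as the post notes.
    """
    starts_with_bra = sector[0] == BRA_OPCODE
    checksum_ok = word_sum(sector) == TOS_BOOT_MAGIC
    return {
        "starts_with_bra": starts_with_bra,
        "checksum_ok": checksum_ok,
        "executable": starts_with_bra and checksum_ok,
    }


def make_executable_sector(code: bytes) -> bytes:
    """Build a constructed sample: code, zero padding, then a final word chosen
    so the checksum comes out right, which is what any boot-sector writer
    (including the virus) must do."""
    if len(code) > SECTOR_SIZE - 2:
        raise ValueError("code too long for a boot sector")
    body = code + b"\x00" * (SECTOR_SIZE - 2 - len(code))
    partial = sum(struct.unpack(">255H", body)) & 0xFFFF
    fix = (TOS_BOOT_MAGIC - partial) & 0xFFFF
    return body + struct.pack(">H", fix)


def disinfect(sector: bytes) -> bytes:
    """Stop the sector from executing without touching the BPB.

    Bytes 0-1 hold the branch; the BPB that makes the disk readable starts
    later in the sector and is left alone. Zeroing the branch also spoils
    the checksum, so TOS will no longer jump into the sector. Caveat: this
    breaks a game's legitimate boot code just as thoroughly.
    """
    out = bytearray(sector)
    out[0:2] = b"\x00\x00"
    return bytes(out)


# Constructed samples (arbitrary bytes), not dumps of any real disk.
DATA_ONLY = bytes([0xEB, 0x3C, 0x90]) + b"\x00" * (SECTOR_SIZE - 3)
BOOTABLE = make_executable_sector(bytes([0x60, 0x1C]) + b"\x4E\x71" * 4)  # BRA.S + NOPs

if __name__ == "__main__":
    for name, sec in (("data-only", DATA_ONLY), ("bootable", BOOTABLE)):
        print(name, triage(sec))
    print("after disinfect", triage(disinfect(BOOTABLE)))
```

Run it against a real sector dump by reading the first 512 bytes of the image into `triage`; a hit on both indicators on a disk that was never meant to boot anything is the signal the post describes, and a write-protect tab remains the only protection that the virus cannot get around.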
------------------------------
Date: March 24, 1988
From: Klaus Brunnstein <brunnstein%rz.informatik.uni-hamburg.dbp.de@RELAY.CS.NET>
Subject: RISK FORUM: 1. Rhine floods Communication link
2. Nightmare Virus Construction Set
3. CCC hackers revenge threat
Organisation: University of Hamburg, FRG, Faculty for Informatics
1. DATEX-P based international computer communication 2 days
out-of-operation due to Rhine flood:
Access from some West German computers to several networks broke down for 2
days when the Rhine river overflowed its banks after heavy rainfall and
sudden snow melting. The flood damaged the DATEX-P network of German Post
(dbp) at Bonn. According to Hamburg protocols, the central node XPS.GMD.DBP
was unavailable since March 22, 8.55 (first error message, after last
successful transfer on March 21 at 7.10 pm) and the first successful transfer on
March 23 at 7.22 pm; officially, the network was declared available on March 24
at 2 am. Most German universities and research institutes use this node
XPS.GMD.DBP (via their connection to GMD's central distribution computer)
exclusively for communication with EDU, COM and other networks. During the
breakdown, only EARN and BITNET communication was available for `some time
period' (duration unspecified). Receipt of RISK-FORUM editions and this message
has also been delayed.
2. `Nightmare Software' and the CeBIT Hannover Fair:
Many discussions at the Hannover Fair, labelled "Center for Bureau and
Information Technologies" (CeBIT), held in Hannover, FR Germany this year on
March 16-23 and said to be the world's largest fair in Information and
Communication Technologies, were about Computer-related Risks. A special
section had been devoted to "Secure Computer Centers", demonstrating building
security measures (TV-cameras, access control with chip cards etc) as well as
some ACF software on PC. Some enterprises and the German computer trader
COMPAREX exhibited `warm' and `cold' backup computer concepts, and some
publications informed on `Vulnerability of Information Economy' (including an
article of this author, in the German edition of `Computerweek', which is
available by e-mail, on demand, to interested people).
After some (often badly informed) articles on `Viruses' in public newsmedia
(where the `Israel Virus' of Hebrew University was reported to spread over
international computer networks), many people share the fear of `computer
illnesses'. One respected German newspaper (FAZ=Frankfurter Allgemeine
Zeitung, which often represents official positions) published in its
CeBIT-report (March 21st, p.17) a contribution on a program, defined as `Virus
Construction Set', named `Nightmare Software', which may be used to construct
as well as to detect and delete viruses. The paper writes:
`People offering the Virus Construction Set are themselves aware that they
`play with the fire'. Program and documentation is only allowed to be given
to people older than 18 years, and any liability is strictly denied. People
buying the software must also know that application of the `Nightmare
Program' is punishable, with up to 5 years in prison. On the other hand, the
software traders hope that the knowledge of the `Virus danger' may prevent
the respective damage.'
Though a growing public awareness about `Vulnerability of Information
Society/Economy' should generally be welcomed, the last paragraph of the
respective article may produce a new mysticism which may even worsen public
awareness. After some sentences on Viruses, their detection and combat
(compared how to fight anthrax), the final paragraph follows:
`Somehow, the use of medical vocabulary in the context of prosaic computer
programs has a `human touch'. The `ordinary citizen' may think that a
computer may become as ill as a living body. Moreover: one can defend oneself
and fight the infection. On the other side one could say that here, Devil is
expelled with Beelzebub.'
After past comparisons of computers and human brain (which is the unfortunate
inheritance of pioneers like Alan Turing and John von Neumann), inadequate
biological analogies (Viruses) may bring up another mysticism which may
prevent rational analysis of risks embedded in elementary computer concepts
as well as in ill-analysed application packages.
3. Revenge Threat of German Hackers:
After the imprisonment of a leading member of Computer Chaos Club (CCC) in
Paris, some German hackers may plan `revenge activities'. `Der SPIEGEL',
often well informed, cites a Munich hacker: `when I become really angry,
nothing may prevent me from heavily confusing their systems' (Der Spiegel,
Nr.12, March 21, p.109-111). It seems wise to accurately monitor the access
patterns of network-accessible installations.
As reported in RISK 6.44, one of the chairmen of (Hamburg-based) CCC, Mr.
Steffen Wernery, has been arrested by French police when arriving at Charles
de Gaulle airport for a discussion with Philips officials and a subsequent
lecture on `the NASA hack' at SECURICOM. In the meantime, the German Criminal
Office (Bundes-Kriminal-Amt, BKA), charged with prosecuting possible German
participants in the invasion of computers at NASA, CERN and Philips France,
said that CCC officials have not participated in the NASA coup. Evidently,
the French police had not been informed about this result.
The work of CCC is heavily influenced by consequences of the arrest,
including heavy differences among CCC officials. Hamburg newspapers report
that all CCC money has been spent in extensive, uncoordinated telephone calls
between Hamburg and Paris. Moreover, the remaining chairpersons denied Mr.
Wernery's wish to sell the story of his arrest for exclusive publication for
a high enough price to cover his defence expenses: while his approach was
denied by Hamburg CCC managers, financial problems of Mr. Wernery and the CCC
are unsolved.
Klaus Brunnstein, University of Hamburg, Faculty for Informatics
------------------------------
Date: Thu, 24 Mar 88 11:41 EST
From: TMPLee@DOCKMASTER.ARPA
Subject: The Anti-Virus Business, or, This Generation's Snake-Oil?
From the 24 March 1988 Minneapolis Star Tribune, front page of the
business section:
COMPUTER 'VIRUSES' CREATING ENTREPRENEURIAL OPPORTUNITY
Steve Gross [Technology editor]
Computer 'viruses' are creating an opportunity for firms marketing a
remedy in the form of anti-virus software.
A virus is a tiny piece of software designed by a programmer who typically
seeks to damage someone's computer data, usually at some predetermined
future date. Often the virus is planted in free computer programs offered
on national computer bulletin boards available to anyone whose personal
computer can receive data by telephone.
Once the 'infected' program is received from the bulletin board, its virus
begins to replicate itself like a biological virus. Each duplicate virus
infects other programs and data stored on the computer's floppy and hard
disks, erasing all or part of the infected material when the computer's
internal clock reaches the predetermined set-off date. If people have
made back-up copies of their programs and files, those disks also are
infected and will undergo the same disaster when used.
Viruses have gotten a lot of publicity lately. Three weeks ago the New
York Times reported that computer viruses could become "a science-fiction
nightmare come to life" as they move unseen from one personal computer to
another across telephone lines or within office computer networks. In the
past few months, people who run computer bulletin boards, corporations and
even the government of Israel have reported viruses infecting their
software.
"The biggest source (of viruses) has been contaminated files from computer
bulletin boards," said David Buerger, director of the Personal Computer
Center at Santa Clara University in California, in an interview this week.
In addition, some university students "have been infecting software in the
computer labs."
These infections represent "a real opportunity" for companies writing
anti-virus software, Buerger said. While the anti-virus programs can't
eliminate all infections, they can force virus-writers "to be more clever.
They'll have to invest more time and effort.
"It's like locking the car when you park in a high-crime district. It
will stop the kids and the ones who want to take a joy ride. But if it's
a professional thief .. the best system won't keep him out of the car."
Lloyd Tabb, a software writer for Sophco Inc., in Boulder, Colo. said his
firm markets Protec, a $195 virus-detection program that includes features
called Syringe and Canary. Syringe injects a harmless virus into a
program that checks to make sure no harmful viruses are present. Canary
is a program that waits for a virus and stops functioning if it becomes
infected, much like the real canaries carried by old-time miners to warn
them of poisonous gases.
Ron Sturtevant-Stuart, president of Asky, Inc., a software firm in
Milpitas, Calif., said his Softlog program matches the current size of
computer files against their previous size to check for viruses. The
program is licensed to corporations in lots of 100 units for $2,400.
Eric Hansen, a vice president of Fridley-based [a Minneapolis suburb]
Digital Dispatch Inc., has been quoted in the New York Times and computer
industry trade publications as a result of the firm's $199 Data Physician
program, which detects and in some cases eliminates viruses.
Hansen said viruses have been talked about for years, but are becoming a
problem now because "there are a lot more personal computers out there.
As more computers move into more people's hands, more persons of evil
intent are going to have computer skills. It really only takes one person
nationwide writing one of these things and plunking it up on a bulletin
board to cause enormous havoc."
The Data Physician program, which has been marketed for three years, makes
careful measurements of a computer's programs and data files to detect any
"alien" computer codes, he said. One portion of the program, called Data
MD, creates a list of computer data files to be protected, and watches
them while the computer is in operation. Another part called Antigen
attaches itself to an individual computer program and checks it for
viruses each time it is used. To remove a virus, Antigen erases the bytes
of computer data that weren't in a program earlier, he said. A third
portion of the program, called Padlock, prevents anything from being
written on a storage disk unless the computer operator pushes a button to
give permission.
However, Hansen said, "there is a way around absolutely everything."
Viruses can be tailored to escape detection by specific anti-virus
programs, he said. To prevent that, "you have to continually change your
product so a virus can't go after it." His firm is already trying to
develop a foolproof version of Data Physician that couldn't be disabled by
a virus before the program had a chance to act, he said.
However, anti-virus software makers have one advantage in the war with
virus inventors: viruses can't be made too complicated.
For example, a virus that could evade several types of anti-virus programs
would have to consist of a longer and more elaborate piece of computer
code than a non-evasive virus, Hansen said. But, he added, "if you put
enough intelligence into a virus to beat every protection scheme, it will
get too fat and slow and be detected."
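As an added example (not the products' own code, which the article does not show), the following Python models the two kinds of integrity check the article describes: comparing a file's current size against a recorded size, as Softlog is said to do, and a content measurement, for which SHA-256 is assumed here since the article does not say what Data Physician measures. The sample "files" are constructed byte strings held in a dictionary so the code runs offline. It shows why a size check alone is weak (a virus that overwrites padding in place keeps the length unchanged) and, as an assumption beyond the article, adds an HMAC seal over the stored baseline so that a virus that rewrites the baseline itself is also caught; the key for that seal must be kept where the virus cannot read it, for instance supplied by the operator rather than stored on the same disk.

```python
"""File-integrity baseline (added example, not any vendor's product).

Two checks are modelled:
  size_only=True  -> record and compare file sizes (as Softlog is described);
  size_only=False -> compare size and a SHA-256 digest (assumed measurement).
A keyed HMAC seals the baseline so tampering with the record is detectable.
"""
import hashlib
import hmac
import json


def measure(content: bytes) -> dict:
    """Record what we later compare: length and a content digest."""
    return {"size": len(content), "sha256": hashlib.sha256(content).hexdigest()}


def baseline(files: dict) -> dict:
    """Build the reference record for every file in the snapshot."""
    return {name: measure(data) for name, data in files.items()}


def check(files: dict, base: dict, size_only: bool = False) -> dict:
    """Return name -> 'ok' | 'modified' | 'missing' | 'new'."""
    report = {}
    for name, rec in base.items():
        if name not in files:
            report[name] = "missing"
            continue
        cur = measure(files[name])
        changed = (cur["size"] != rec["size"]) if size_only else (cur != rec)
        report[name] = "modified" if changed else "ok"
    for name in files:
        if name not in base:
            report[name] = "new"
    return report


def seal(base: dict, key: bytes) -> str:
    """HMAC over the canonical JSON form of the baseline (assumed design)."""
    blob = json.dumps(base, sort_keys=True).encode()
    return hmac.new(key, blob, "sha256").hexdigest()


def verify_seal(base: dict, key: bytes, tag: str) -> bool:
    """Constant-time comparison so the tag cannot be guessed byte by byte."""
    return hmac.compare_digest(seal(base, key), tag)


# Constructed sample programs (arbitrary bytes, not real executables).
CLEAN = {
    "EDIT.COM": b"\xB8\x00\x4C\xCD\x21" + b"\x90" * 20,   # 25 bytes
    "WORD.EXE": b"MZ" + b"\x00" * 30,
}
BASE = baseline(CLEAN)

# Infection 1: virus body appended, so the length grows.
APPENDED = dict(CLEAN)
APPENDED["EDIT.COM"] = CLEAN["EDIT.COM"] + b"VIRUS-BODY"

# Infection 2: virus overwrites the NOP padding in place; length unchanged.
OVERWRITTEN = dict(CLEAN)
OVERWRITTEN["EDIT.COM"] = CLEAN["EDIT.COM"][:5] + b"VIRUS-BODY".ljust(20, b"\x90")

if __name__ == "__main__":
    print("appended, size only   :", check(APPENDED, BASE, size_only=True))
    print("overwritten, size only:", check(OVERWRITTEN, BASE, size_only=True))
    print("overwritten, digest   :", check(OVERWRITTEN, BASE))
    key = b"operator-supplied-key"  # constructed; would be typed in, not stored
    tag = seal(BASE, key)
    print("baseline seal verifies:", verify_seal(BASE, key, tag))
```

The in-place case is the one to remember: a size comparison reports "ok" while the digest comparison reports "modified". The seal closes the remaining gap the article's own sources point at (a virus written against a specific product can go after that product's records), but only if the key is not on the disk the virus can write to.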
------------------------------
End of RISKS-FORUM Digest
************************