[comp.lang.postscript] Postscript Viruses

ifarqhar@mqccsunc.mqcc.mq.OZ (Ian Farquhar) (01/21/90)

A couple of days ago, Woody posted a message to comp.viruses about the
worrying possibilities of postscript viruses.  His points were that
these would be easy to write, and to incorporate into eexec blocks for
downloading to printers.  Once there, they could trash a file system,
and do all sorts of damage.

Well, folks.  I cannot speak for anyone else, but if you want an
intelligent discussion it is far better to keep it OUT of comp.viruses -
it is a newsgroup whose paranoia and noise level exceeds even the
*.politics newsgroups.  This discussion definitely belongs here.

Over a couple of days, I have been investigating the possibility of a
postscript virus.  For the record, I would define a virus as something
that has the following characteristics:

1.	It is a program that is able to stay hidden from the user,
	and also be activated without user intervention.  The program
	should not use enough resources for the user to notice,
	and should be transparent until phase 3.

2.	It should be capable of replicating itself so that it can
	spread from application to application, and/or machine to
	machine.

3.	It should do SOMETHING.  This action may simply announce
	the virus's existence, or extend to physical damage of
	the hardware.

Examples of viruses on the PC are the Jerusalem strains, and on the
Amiga the SCA viruses.  I have nothing to do with Macs, so cannot
provide any examples there (sorry).

I would define a trojan horse as a program that masquerades as a useful
program and which - when run - does damage.  The PC has had an excellent
example of a trojan with the AIDS Disks.

If implementing a virus, it is important that at least the first two
stages (infection and distribution) are performed.  Stage three is
optional, though the mentality of most of the documented virus writers
would not tolerate such anonymity.

A postscript virus would be very difficult if not impossible to write.
Let me detail the reasons why.

1.  Postscript has no standardised mechanism for transferring data back
    to its host, and on the rare occasions that a data transfer does
    happen it is usually answers to queries by the host.  For a virus
    (say written into a font - as Woody's original posting suggested)
    to actually spread to another printer it would have to either:

    (a) Somehow get the modified code back to the host and saved as
        the new font file, or

    (b) Be part of an original distribution.  In this case it would
        be a trojan rather than a virus.

    (c) Exist on the host as a self-modifying program.  I can
	see no use whatsoever for self-modifying Postscript.

2.  To really do damage, it would have to access the undocumented
    contents of the internal dictionary, or access the hardware
    directly.  Both are non-standard and would need a great amount
    of code and intimate knowledge of internal details to do this
    trick.  Woody mentioned scrambling the file system, which he
    said is not difficult.  This is about all that I can think a
    virus/trojan could do.

3.  This point is going to seem a little ridiculous, but bear with
    me.  Virus writers are usually frustrated, immature men in their
    late teens or early twenties.  They are often quite competent
    programmers, but are extremely unprofessional and usually
    incapable of writing code that would be accepted in a commercial
    environment.  It has been speculated that their vandalistic
    desires are actually attempts at gaining self-esteem that they
    lack.  They are almost always lacking in resources, most with
    systems barely adequate for the task of writing any application.
    It is MOST UNLIKELY that they would have access to a Postscript
    printer, and also most unlikely that they could adapt their 
    programming "styles" to Postscript's device independence.

I am losing no sleep over the thought of a Postscript virus (I am losing
sleep over this posting!)  I can see no way for such a program to
spread, and little possibility of it doing damage once it was installed.
The only reasonable system that I can envisage is that of a trojan
supplied from a major manufacturer with one very disgruntled
ex-employee.

So, Woody.  I don't think that this is likely, but it was an interesting
thought.  If any other participants in comp.lang.postscript wish to post
their thoughts on this matter, I would be most interested to read them.

However, let me say one thing.  The majority of net users are sensible
people who appreciate the dangers of viruses and trojans, but
there are two types of readers that may cause trouble.

1.	The user who does not recognise their own limitations and
	who may be tempted to try something stupid ("I wonder
	exactly what this filesystem scrambling program does when
	I run it...." - though if anyone is that stupid then
	perhaps we should let them :-))

2.	The virus writers.  They are unlikely, but always bear them
	in mind.

So, be as general as possible, and DON'T POST ANY SOURCES!

So fellow Postscribes, if you get a sample font disk from a Panamanian
company called PC Cyborg, regard it with great suspicion....

All hail Saint Fubar, patron saint of computer programmers.

+-----------------------------------+-------------------------------+
|  Ian Farquhar                     | Phone : (02)  805-7420 (STD)  | 
|  Microcomputer Support            |         (612) 805-7420 (ISD)  |
|  Office of Computing Services     | Fax   : (02)  805-7433 (STD)  |
|  Macquarie University  NSW  2109  |         (612) 805-7433 (ISD)  |
|  Australia                        | Also  :       805-7205        |
+-----------------------------------+-------------------------------+
|  ACSNet      ifarqhar@macuni.mqcc.mq.oz			    |
|              ifarqhar@mqccsuna.mqcc.mq.oz         		    |
+-------------------------------------------------------------------+

woody@rpp386.cactus.org (Woodrow Baker) (01/22/90)

In article <139@macuni.mqcc.mq.oz>, ifarqhar@mqccsunc.mqcc.mq.OZ (Ian Farquhar) writes:
> A couple of days ago, Woody posted a message to comp.viruses about the
> worrying possibilities of postscript viruses.  His points were that
> these would be easy to write, and to incorporate into eexec blocks for
> downloading to printers.  Once there, they could trash a file system,
> and do all sorts of damage.
> 
> Well, folks.  I cannot speak for anyone else, but if you want an
> intelligent discussion it is far better to keep it OUT of comp.viruses -
> it is a newsgroup whose paranoia and noise level exceeds even the
> *.politics newsgroups.  This discussion definitely belongs here.

I quite agree, but decided that the topic would create another flurry of
postings, and more people would gripe about it.  I thus posted it to the
virus group rather than the ps group.  I have given some thought to the
topic also, and have come up with some further conclusions.
 
> 
> Over a couple of days, I have been investigating the possibility of a
> postscript virus.  For the record, I would define a virus as something
> that has the following characteristics:
> 
Very good definition of a virus [text deleted] 

> 1.	It is a program that is able to stay hidden from the user,
> 2.	It should be capable of replicating itself so that it can
> 3.	It should do SOMETHING.  This action may simply announce
> I would define a trojan horse as a program that masquerades as a useful
> program and which - when run - does damage.  The PC has had an excellent
> If implementing a virus, it is important that at least the first two
> stages (infection and distribution) are performed.  Stage three is
> 
> A postscript virus would be very difficult if not impossible to write.
> Let me detail the reasons why.
> 
> 1.  Postscript has no standardised mechanism for transferring data back
>     to its host, and on the rare occasions that a data transfer does
>     happen it is usually answers to queries by the host.  For a virus
>     to actually spread to another printer it would have to either:
> 
>     (a) Somehow get the modified code back to the host and saved as
>         the new font file, or
> 
>     (b) Be part of an original distribution.  In this case it would
>         be a trojan rather than a virus.
> 
>     (c) To exist on the host as a self-modifying program.  I can
> 	see no use whatsoever for self-modifying Postscript.

Or be turned loose in the form of a public domain font, or be spread by pirating
a font.  True, it would be difficult to cause it to spread from machine to
machine, but it certainly could infect other fonts on the same disk, so
at least stage 1 and possibly stage 2 could happen.  Note (b) above is correct,
but I think that the definition of trojan goes a bit further.  I don't want
to carry this group off into viruses, and trojans.  Point c is well taken,
though I would say that I can see no use for a virus either, but self modificati

> 
> 2.  To really do damage, it would have to access the undocumented
>     contents of the internal dictionary, or access the hardware
>     of code and intimate knowledge of internal details to do this
>     trick.  Woody mentioned scrambling the file system, which he
>     said is not difficult.  This is about all that I can think a
>     virus/trojan could do.
I think I'll have to disagree here.  You have provisions for reading
and writing a file.  You can open files, and close them.  The file names
and directory names are documented, ergo, you can trash files without
*ANY* arcane knowledge of the printer.
 
> 
>     They are often quite competent
>     programmers, but are extremely unprofessional and usually

They have to be, in order to write a virus.

>     incapable of writing code that would be accepted in a commercial
>     environment.  It has been speculated that their vandalistic
>     desires are actually attempts at gaining self-esteem that they
>     lack.  They are almost always lacking in resources, most with
>     systems barely adequate for the task of writing any application.
>     It is MOST UNLIKELY that they would have access to a Postscript
>     printer, and also most unlikely that they could adapt their 
>     programming "styles" to Postscript's device independence.

Again, I'll disagree.  With the proliferation of PS printers in general, both
clones, and the Adobe article, almost anyone in a university environment, or
even in a normal environment can access a laser printer that runs PS.  True,
disk based printers are not common at this time, but that certainly will change
over time.  There was a time when micros didn't have disk drives, and the
same argument here could be applied to them at the time.
 

> 
> I am losing no sleep over the thought of a Postscript virus (I am losing
> sleep over this posting!)  I can see no way for such a program to
> spread, and little possibility of it doing damage once it was installed.
> The only reasonable system that I can envisage is that of a trojan
> supplied from a major manufacturer with one very disgruntled
> ex-employee.

Or a competing font company, or several other potential sources.  The spreading
would indeed be difficult, but if font prices stay high, it is likely that
piracy will abound soon in the font world, as it does in the computer world.
 
> 
> So, Woody.  I don't think that this is likely, but it was an interesting
> their thoughts on this matter, I would be most interested to read them.
> 
> However, let me say one thing.  The majority of net users are sensible
> people who appreciate the dangers of viruses and trojans, but

Fortunately!

> there are two types of readers that may cause trouble.
> 
> 1.	The user who does not recognise their own limitations and
> 	who may be tempted to try something stupid ("I wonder
> 	exactly what this filesystem scrambling program does when
> 	I run it...." - though if anyone is that stupid then
> 	perhaps we should let them :-))
> 
> 2.	The virus writers.  They are unlikely, but always bear them
> 	in mind.
> 
> So, be as general as possible, and DON'T POST ANY SOURCES!
>
AMEN!
> So fellow Postscribes, if you get a sample font disk from a Panamanian
> company called PC Cyborg, regard it with great suspicion....
> 
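
Two points in this exchange lend themselves to a concrete check: Ian's remark that a payload could ride inside an eexec block, and Woody's that the documented file operators alone are enough to trash files on a disk-equipped printer. The script below is an added example, not code from any poster in this thread. It decrypts the eexec portions of a job with the cipher defined in the Adobe Type 1 Font Format specification, tokenizes the clear and decrypted text (skipping comments, strings and literal names so words inside data do not trigger alarms), and reports any operator from a watch list, so an operator can inspect a font or job before it is sent to a printer. The watch list, the `eexec_encrypt` helper and the sample job are constructed for illustration.

```python
"""Inspect a PostScript job for operators that reach outside the page.

Added example for this thread, not code from any poster.  The eexec cipher
constants and the discard of the first four plaintext bytes come from the
Adobe Type 1 Font Format specification; WATCH and SAMPLE_JOB are constructed.
"""
import re

# Operators that touch the printer's file system, its persistent state, or
# escape the job's save/restore encapsulation (constructed watch list).
WATCH = {
    "deletefile", "renamefile", "file",          # file-system access
    "setpassword", "exitserver", "startjob",     # password / persistent state
    "setsysparams", "setdevparams",              # Level 2 system parameters
}

R_INIT, C1, C2 = 55665, 52845, 22719   # eexec cipher constants (Type 1 spec)


def eexec_decrypt(cipher: bytes) -> bytes:
    """Plaintext of an eexec-encrypted byte string; the first four plaintext
    bytes are random padding per the spec and are dropped."""
    r, out = R_INIT, bytearray()
    for c in cipher:
        out.append(c ^ (r >> 8))
        r = ((c + r) * C1 + C2) & 0xFFFF
    return bytes(out[4:])


def eexec_encrypt(plain: bytes, pad: bytes = b"\0\0\0\0") -> bytes:
    """Inverse of eexec_decrypt; used here only to build the sample job."""
    r, out = R_INIT, bytearray()
    for p in pad + plain:
        c = p ^ (r >> 8)
        out.append(c)
        r = ((c + r) * C1 + C2) & 0xFFFF
    return bytes(out)


def executable_names(src: str):
    """Yield bare executable names, skipping % comments, (...) strings and
    /literal names, so a word inside string data is not reported."""
    delims = "()<>[]{}/%"
    i, n = 0, len(src)
    while i < n:
        ch = src[i]
        if ch == "%":                                # comment to end of line
            while i < n and src[i] not in "\r\n":
                i += 1
        elif ch == "(":                              # nested string with escapes
            depth, i = 1, i + 1
            while i < n and depth:
                if src[i] == "\\":
                    i += 1
                elif src[i] == "(":
                    depth += 1
                elif src[i] == ")":
                    depth -= 1
                i += 1
            continue
        elif ch == "/":                              # literal name: data, not executed
            i += 1
            while i < n and not src[i].isspace() and src[i] not in delims:
                i += 1
            continue
        elif ch.isalpha():                           # executable name
            j = i
            while j < n and not src[j].isspace() and src[j] not in delims:
                j += 1
            yield src[i:j]
            i = j
            continue
        i += 1


def split_sections(job: str):
    """Return [(label, source)] with each eexec portion replaced by its plaintext."""
    sections, pos = [], 0
    for m in re.finditer(r"\beexec\b[ \t\r\n]", job):
        sections.append(("cleartext", job[pos:m.end()]))
        end = job.find("cleartomark", m.end())
        end = len(job) if end < 0 else end
        hexdata = re.sub(r"\s+", "", job[m.end():end])
        if hexdata.endswith("0" * 512):              # PFA trailer: 512 zeros are padding
            hexdata = hexdata[:-512]
        plain = eexec_decrypt(bytes.fromhex(hexdata)).decode("latin-1")
        sections.append(("eexec", plain))
        pos = end
    sections.append(("cleartext", job[pos:]))
    return sections


def audit(job: str):
    """Sorted (section, operator) pairs from WATCH that the job would execute."""
    hits = set()
    for label, src in split_sections(job):
        hits.update((label, name) for name in executable_names(src) if name in WATCH)
    return sorted(hits)


# Constructed sample: an innocuous-looking font header whose encrypted part
# changes the password and deletes a file, plus a cleartext exitserver.
HIDDEN = (b"statusdict begin 0 12345 setpassword end\n"
          b"(%disk0%constructed/path) deletefile\n"
          b"mark currentfile closefile\n")
SAMPLE_JOB = (
    "%!PS-AdobeFont-1.0: Constructed-Sample\n"
    "serverdict begin 0 exitserver\n"
    "% the string below mentions deletefile but is data, not an operator\n"
    "/Notice (contains deletefile) readonly def\n"
    "currentfile eexec\n"
    + eexec_encrypt(HIDDEN).hex() + "\n"
    + ("0" * 64 + "\n") * 8
    + "cleartomark\n"
)

if __name__ == "__main__":
    for section, op in audit(SAMPLE_JOB):
        print(f"{section:9s} {op}")
```

Running the script on the constructed job lists `exitserver` from the cleartext and `setpassword` and `deletefile` from the decrypted block, while the `deletefile` inside the `/Notice` string is not reported. A hit is a reason to read the job, not proof of malice: legitimate downloadable fonts use `exitserver` to make themselves persistent.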

jm36+@andrew.cmu.edu (John Gardiner Myers) (01/23/90)

People seem to be making the invalid assumption that all PostScript
implementations are in printers.  Display PostScript implementations
are becoming increasingly common.  A PostScript program running
in such an implementation would not be overly restricted in the amount
of resources it could affect.

The potential for trojan horses or viruses in PostScript is large.
Practically no one looks through the code before previewing or printing
a document from a non-trusted source, especially if it looks like it
came from a document production system.

-- 
_.John G. Myers		Internet: John.G.Myers@andrew.cmu.edu
(412) 268-2984		LoseNet:  ...!seismo!ihnp4!wiscvm.wisc.edu!give!up

herbw@midas.WR.TEK.COM (Herb Weiner) (01/23/90)

In Article <21772@uflorida.cis.ufl.EDU> ifarqhar@mqccsunc.mqcc.mq.OZ
(Ian Farquhar) writes:
 
> 2.  To really do damage, it would have to access the undocumented
>     contents of the internal dictionary, or access the hardware
>     directly.  Both are non-standard, would need a great amount
>     of code and intimate knowledge of internal details to do this
>     trick.  Woody mentioned scrambling the file system, which he
>     said is not difficult.  This is about all that I can think a
>     virus/trojan could do.

I disagree!  My hard disk contains downloaded fonts plus the font
cache.  I have backups for my fonts, and loss of the font cache
would not be catastrophic.  The WORST thing that a virus or trojan
horse could do would be to change the serverdict password!

Herb Weiner (herbw@midas.WR.TEK.COM)

ron@clarity.Princeton.EDU (Ronald Beekelaar) (01/23/90)

The discussion about viruses reminds me of 'an accident' that happened three
years ago.

I was studying at a university in The Netherlands, when I got interested in
PostScript. Back in those days, at least in the Netherlands, any knowledge
about PostScript was rare, and I even had to get the red and the blue PS book
from England. The university had just recently bought an awful lot of new
LaserWriters to replace existing older printers, so I knew it was worth it to
learn PostScript.

One of the things I wrote was a new printerdriver for MS-Word, with the
ability of printing gray, outlined etc. About 5 people used this new
printerdriver and everything worked fine. During a long PS hack at night,
together with a friend, we decided to have some fun and change the
printerdriver a little bit. The printerdriver contained code that defined the
IBM linedraw character set in a somewhat encrypted way. This was done to save 
transmission time to the printer when the driver was loaded. Since this was
already encrypted and hence very hard to read and figure out what was going
on, we decided to add some extra functionality to this encrypted part. Once
the newly created 'trojan-driver' was loaded it would work perfectly fine,
except that every 598th page would be printed like it had been mirrored
(scale -1 1). When we tested it with a mirror-rate of every 3rd page, it
worked really nice and you can understand our excitement (sorry).

The 5 people that had been using the printerdriver all used the same PC, that
was connected to the same LaserWriter. We decided to fool them and replace the
printerdriver on the hard-disk of the PC, with the 'trojan-driver'. Nothing
really happened after that, at least I didn't hear any of them complain about
mirrored pages.

Christmas break came one week later and I went home for a couple of weeks...

When I came back, the CS department of the university had connected all
the new LaserWriters to PC's in all the offices. Suddenly everybody was able
to use those new printers and they did. The 'trojan-driver' had been copied
off the PC in the printer-room and virtually everybody was using it. Without
complaints!!

Meanwhile the printerdriver worked great, well actually, it worked too well,
because every 598th page was still mirrored. Nobody complained about this,
because you would expect the new printers to make some mistakes every now and
then and once you printed the 'trojan' page again, it would come out fine.
Almost nobody had gotten two mirrored pages in say 4 months. And just
believe me, I hadn't even thought about that late-night hack anymore. The
driver worked fine for me too. 

After four months, troubles began. On several occasions, people had printed the
final version of a report, looked over it, it looked fine, and they had printed
one more final-final version, put it in a plastic cover and off to the
reproduction service to make it into xx copies, nicely bound.

The first time I ran into lecture-notes, which had a mirror page, I knew what
had happened and immediately told the CS department. They said they had
received various complaints about the mirror business from all over the
university, but didn't know what it was. (Most people didn't even realize that
a printer could be told to do this, so it must be a mistake of the
hardware, they said...)

Very soon after this the 'trojan' driver was replaced by a new driver, with
more features, but excluding the mirror code. Everybody had a copy of the
'trojan' version though, and still every now and then mirrored pages show up.

-----

Of course this is in no way a virus, as defined in a previous article, but it
got me scared. 

ron

woody@rpp386.cactus.org (Woodrow Baker) (01/23/90)

> 
> I disagree!  My hard disk contains downloaded fonts plus the font
> cache.  I have backups for my fonts, and loss of the font cache

I assume that this means that you have downloaded the fonts from another 
machine.  If you bought the $9000 Adobe disk loaded up with fonts, the only
way I can see that you could have a backup would be to take the fonts off
the disk.  If you can take the fonts off the disk (upload them) then a 
virus could infect via the same mechanism...
 

> would not be catastrophic.  The WORST thing that a virus or trojan
> horse could do would be to change the serverdict password!
> 
In a network enviornment, it most certainly would be bad.  However, the
same code that changed the password, would be able to correct it.  Consider:
if you want to change the password you must know it.  There is a routine
running around that will reset the system password back to 0 regardless.
It is written in 68000 ml, and is specific to 68000.  As I see it, it would
have to be used to corrupt the password, if the password was unknown.
Thus, the same bit of nasty code could be used to undo it.  However, for
non-68000 machines, it would indeed be nasty.

 
Cheers
woody

ifarqhar@mqccsunc.mqcc.mq.OZ (Ian Farquhar) (01/24/90)

In article <1487@wrgate.WR.TEK.COM> herbw@midas.WR.TEK.COM (Herb Weiner) writes:
>In Article <21772@uflorida.cis.ufl.EDU> ifarqhar@mqccsunc.mqcc.mq.OZ
>(Ian Farquhar) writes:
> 
>> 2.  To really do damage, it would have to access the undocumented
>>     contents of the internal dictionary, or access the hardware
>>     directly.  Both are non-standard, would need a great amount
>>     of code and intimate knowledge of internal details to do this
>>     trick.  Woody mentioned scrambling the file system, which he
>>     said is not difficult.  This is about all that I can think a
>>     virus/trojan could do.
>
>I disagree!  My hard disk contains downloaded fonts plus the font
>cache.  I have backups for my fonts, and loss of the font cache
>would not be catastrophic.  The WORST thing that a virus or trojan
>horse could do would be to change the serverdict password!
>
Only if your password is set to zero, which mine isn't.  However, for
the vast majority of users this would be zero, and they might be up the
proverbial creek.

I have no idea where the serverdict password is stored - it possibly is
not accessible to any PostScript code (I would hope that this would be
the case).  The only quick fix is to have your EEPROM erased or replaced
with one containing the standard value.


All hail Saint Fubar, parton saint of computer programmers.


batcheldern@hannah.enet.dec.com (Ned Batchelder) (01/25/90)

This is an extremely serious concern for security-conscious
installations: how do they know that a bogus Helvetica hasn't been
loaded into their printer which works fine, except when asked to print
(Top Secret), in which case it prints (Unclassified)? Can any PostScript
expert out there guarantee that their Helvetica is correct?

Damage to disks is a possibility, and would be the act of a spiteful
hacker; damage to printed output is a very real reason why someone might
want to write a PostScript trojan horse in order to steal information.

Ned Batchelder, Digital Equipment Corp., BatchelderN@Hannah.enet.DEC.com

cplai@daisy.UUCP (Chung-Pang Lai) (02/02/90)

In article <1990Jan26.235933.359@siia.mv.com> drd@siia.mv.com (David Dick) writes:
>I must be missing something here.  Fonts are just data, right?
>QED.  Or have I got it all wrong?

You got it all wrong.  Each character in a PostScript font is a drawing 
procedure.  Some other PostScript guru can give you more details.