[comp.binaries.ibm.pc.d] Trojan version of VIRUSCAN version 78

aryehg@darkside.COM (Aryeh Goretsky) (05/14/91)

TROJAN VERSION OF VIRUSCAN VERSION 78

We have received a trojan horse version of VIRUSCAN.  The hacked SCAN
has apparently been uploaded to BBSes in Michigan, USA under the
filename SCANV78.ZIP.  Running PKZIP -V on the file reveals:
                       
 .PKUNZIP (R)    FAST!    Extract Utility    Version 1.1    03-15-90 
 .Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help 
 .PKUNZIP Reg. U.S. Pat. and Tm. Off.
 .
 .Searching ZIP: SCANV78.ZIP - Fantasia BBS (313)/788-0882
 .
 . Length  Method   Size  Ratio   Date    Time   CRC-32  Attr  Name 
 . ------  ------   ----- -----   ----    ----   ------  ----  ----
 .  12816  Implode   5255  59%  04-08-91  14:28  08a87ed8 --w  AGENTS.TXT 
 .   9406  Stored    9406   0%  02-03-91  17:04  42cf9931 --w  REGISTER.DOC 
 .  23008  Implode  12550  46%  05-06-91  18:15  f9735dd5 --w  SCAN.EXE 
 .   6495  Implode   1895  71%  10-31-89  16:16  0449b09d --w  VALIDATE.COM 
 .   3626  Implode   1802  51%  11-29-90  01:59  ab76470f --w  README.1ST 
 .  21257  Implode   5767  73%  05-06-91  19:35  a0728a17 --w  VIRLIST.TXT 
 .   2844  Implode   1406  51%  02-14-91  14:25  aa330b57 --w  VALIDATE.DOC 
 .  24515  Implode   9188  63%  05-06-91  19:34  172a967f --w  SCAN78.DOC 
 . ------          ------  ---                                 -------
 . 103967           47269  55%                                       8

The number listed for the Fantasia BBS is NOT a BBS number and has no
connection with the trojan horse.  I have called the phone number and 
asked the party at the other end to contact me.

Running PKUNZIP on the file reveals the following:

 .PKUNZIP (R)    FAST!    Extract Utility    Version 1.1    03-15-90
 .Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
 .PKUNZIP Reg. U.S. Pat. and Tm. Off.
 .
 .Searching ZIP: SCANV78.ZIP - Fantasia BBS (313)/788-0882
 .  Exploding: AGENTS.TXT    -AV
 . Extracting: REGISTER.DOC  -AV
 .  Exploding: SCAN.EXE      -AV
 .  Exploding: VALIDATE.COM  -AV
 .  Exploding: README.1ST    -AV
 .  Exploding: VIRLIST.TXT   -AV
 .  Exploding: VALIDATE.DOC  -AV
 .  Exploding: SCAN78.DOC    -AV
 .
 . Authentic files Verified!   # TJB859   Zip Source: McAFEE ASSOCIATES

While the Authentic Files Verified Message appears, the Serial Number is
NOT correct.  McAfee Associates' Serial Number is NWM405. 

Examination of the AGENTS.TXT, README.1ST, VALIDATE.*, and VIRLIST.TXT
files revealed that these are straight from VIRUSCAN Version 77--the
version number in the VIRLIST.TXT file was still V77. 

The SCAN78.DOC file had been modified so that all occurrences of V77
were switched to V78.  Additionally, the following text was added for
the validation data:

 .     The validation results for Version 77 should be:
 .
 .              FILE NAME: SCAN.EXE
 .                   SIZE: 23,008
 .                   DATE: 05-06-1991
 .    FILE AUTHENTICATION
 .         Check Method 1: 2C21
 .         Check Method 2: 022E
 .

For the What's New section, the following text was added:

 . WHAT'S NEW
 .         Version 78 of SCAN removes a few small bugs and continues
 . to optimize the procedures SCAN uses to find viruses, as in Version 77,
 . as well as adding a few more to the list of known viruses. SCAN is now much
 . more compressed than was previously thought possible, so please enjoy the
 . shortened file size, it should still work just fine.
 .    Refer to the enclosed VIRLIST.TXT file for a schematic
 . description of the new viruses.  For a complete description, please
 . refer to Patricia Hoffman's VSUM document.
 .

Examination of the SCAN.EXE file has shown that it contains the help
message that VIRUSCAN displays as well as the program information
message.  However, the program does not contain any of the other
messages that VIRUSCAN has in it. 

The REGISTER.DOC file distributed with the trojan version of VIRUSCAN is
not a text file, but rather another .ZIP file containing a file named
TB1.COM:

 . PKUNZIP (R)    FAST!    Extract Utility    Version 1.1    03-15-90
 . Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
 . PKUNZIP Reg. U.S. Pat. and Tm. Off.
 .
 . Searching ZIP: REGISTER.DOC
 .  Extracting: TB1.COM       -AV
 .
 . Authentic files Verified!   # TJB859   Zip Source: McAFEE ASSOCIATES
 .

When unZIPped, the REGISTER.DOC file displays the same Authentic Files
Verified Message as the SCANV78.ZIP file did.  Examination of the
TB1.COM file revealed that it contains the Whale virus. 

This is all I currently know about the SCANV78.ZIP trojan.  If you see
any copies of this file, please ask the system administrator or sysop to
remove it and ask them to contact the uploader to warn them that it
contains a virus. 

Aryeh Goretsky
McAfee Associates Technical Support
- - -
aryehg@tacom-emh1.army.mil
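A defender-side check for the two tells in the report above (a "Verified!" banner carrying a serial other than NWM405, and a text-named member such as REGISTER.DOC that is really a nested ZIP), added here as an illustration and not part of the original post. Since PKWARE's -AV record format is not described here, the serial is parsed from PKUNZIP's printed banner line; the sample archive is constructed with placeholder bytes.

```python
import io
import re
import zipfile

# Known PKZIP -AV registrations, per the post: McAfee's serial is NWM405.
KNOWN_AV_SERIALS = {"MCAFEE ASSOCIATES": "NWM405"}

# Members with these extensions should never begin with a ZIP local-file header.
TEXT_EXTS = {".TXT", ".DOC", ".1ST"}
ZIP_MAGIC = b"PK\x03\x04"

AV_LINE = re.compile(
    r"Authentic files Verified!\s+#\s*(\S+)\s+Zip Source:\s*(.+?)\s*$", re.M)

def check_av_banner(pkunzip_output):
    """Return (ok, reason) for the -AV line in PKUNZIP's output.
    The 'Verified!' text alone proves nothing; the serial must match."""
    m = AV_LINE.search(pkunzip_output)
    if not m:
        return False, "no -AV line: archive is not authenticated"
    serial, source = m.group(1), m.group(2).strip().upper()
    expected = KNOWN_AV_SERIALS.get(source)
    if expected is None:
        return False, "unknown Zip Source %r" % source
    if serial != expected:
        return False, "serial %s does not match %s for %s" % (serial, expected, source)
    return True, "serial matches"

def find_disguised_archives(zip_bytes):
    """Names of members whose extension says 'text' but whose data is a ZIP."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1]).upper() if "." in name else ""
            if ext in TEXT_EXTS:
                with zf.open(info) as f:
                    if f.read(4) == ZIP_MAGIC:
                        hits.append(name)
    return hits

def build_sample():
    """Constructed archive mimicking the layout described in the post."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("TB1.COM", b"\x90" * 16)          # placeholder bytes only
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("README.1ST", b"VIRUSCAN V77 readme\r\n")
        z.writestr("REGISTER.DOC", inner.getvalue())  # a ZIP hiding behind .DOC
    return outer.getvalue()

# Banner line as quoted in the post (constructed copy for the check).
SAMPLE_BANNER = " . Authentic files Verified!   # TJB859   Zip Source: McAFEE ASSOCIATES\n"
```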

jpc@fct.unl.pt (Jose Pina Coelho) (05/15/91)

In article <HuNw22w164w@darkside.com> aryehg@darkside.COM (Aryeh
Goretsky) writes: 
>   TROJAN VERSION OF VIRUSCAN VERSION 78
>
>   We have received a trojan horse version of VIRUSCAN.  The hacked SCAN
>   has apparently been uploaded to BBSes in Michigan, USA under the
>   filename SCANV78.ZIP.  Running PKZIP -V on the file reveals:
>
>   [...]
>
>   Running PKUNZIP on the file reveals the following:
>
>    .PKUNZIP (R)    FAST!    Extract Utility    Version 1.1    03-15-90
>    .Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
>    .PKUNZIP Reg. U.S. Pat. and Tm. Off.
>    .
>    .Searching ZIP: SCANV78.ZIP - Fantasia BBS (313)/788-0882
>    .  Exploding: AGENTS.TXT    -AV
>    . Extracting: REGISTER.DOC  -AV
>    .  Exploding: SCAN.EXE      -AV
>    .  Exploding: VALIDATE.COM  -AV
>    .  Exploding: README.1ST    -AV
>    .  Exploding: VIRLIST.TXT   -AV
>    .  Exploding: VALIDATE.DOC  -AV
>    .  Exploding: SCAN78.DOC    -AV
>    .
>    . Authentic files Verified!   # TJB859   Zip Source: McAFEE ASSOCIATES
>
>   While the Authentic Files Verified Message appears, the Serial Number is
>   NOT correct.  McAfee Associates' Serial Number is NWM405. 

This can mean several things:
	- PkWare let a bogus ``McAFEE ASSOCIATES'' registration slip in.
	- PkWare or McAfee let the key slip out.
	- PkWare let the key generator slip out.
	- Someone found the algorithm to generate the keys.
	- Someone found an algorithm that can generate a tolerable
	  percentage of ``correct'' keys. 

In the first two cases, the problem can be solved by getting McAfee a
new key.

The other cases need a new key generator to go with PkZip 2.0,
probably doubling the size of the key.

Also the next version of scan should check .zip's that have source at
McAFEE ASSOCIATES and, if the code is the old one, warn that it is no
longer safe.  Else warn that the file is bogus. 

>	[...]
>   Aryeh Goretsky
>   McAfee Associates Technical Support

What's the word from PkWare ?

--
Jose Pedro T. Pina Coelho   | BITNET/Internet: jpc@fct.unl.pt
Rua Jau N 1, 2 Dto          | UUCP: ...!mcsun!unl!jpc
1300 Lisboa, PORTUGAL       | Home phone: (+351) (1

cctr132@csc.canterbury.ac.nz (Nick FitzGerald, CSC, Uni. of Canterbury, NZ) (05/16/91)

In article <HuNw22w164w@darkside.com>, aryehg@darkside.COM (Aryeh
Goretsky) writes:
> TROJAN VERSION OF VIRUSCAN VERSION 78
>[deletions]
> Running PKUNZIP on the file reveals the following:
> 
>  .PKUNZIP (R)    FAST!    Extract Utility    Version 1.1    03-15-90
>  .Copr. 1989-1990 PKWARE Inc. All Rights Reserved. PKUNZIP/h for help
>  .PKUNZIP Reg. U.S. Pat. and Tm. Off.
>  .
>  .Searching ZIP: SCANV78.ZIP - Fantasia BBS (313)/788-0882
>  .  Exploding: AGENTS.TXT    -AV
>  . Extracting: REGISTER.DOC  -AV
>  .  Exploding: SCAN.EXE      -AV
>  .  Exploding: VALIDATE.COM  -AV
>  .  Exploding: README.1ST    -AV
>  .  Exploding: VIRLIST.TXT   -AV
>  .  Exploding: VALIDATE.DOC  -AV
>  .  Exploding: SCAN78.DOC    -AV
>  .
>  . Authentic files Verified!   # TJB859   Zip Source: McAFEE ASSOCIATES

Great!!  What the hell are we supposed to do here in NZ, where we can't
legally get the "full" version of PKUNZIP that gives us the key numbers.
If this trojan reached us prior to the warning all we would have seen is
up to the "!" in the last "quoted" line.

I suppose it's academic really - given that someone's hacked PK's AV
scheme this far, it may not be long before they work out how to get
the right key showing up as well.

Nick.

ash@syacus.acus.oz.au (Ash Nallawalla) (05/25/91)

cctr132@csc.canterbury.ac.nz (Nick FitzGerald, CSC, Uni. of Canterbury, NZ) writes:
>>  .  Exploding: SCAN78.DOC    -AV
>>  .
>>  . Authentic files Verified!   # TJB859   Zip Source: McAFEE ASSOCIATES

>Great!!  What the hell are we supposed to do here in NZ, where we can't
>legally get the "full" version of PKUNZIP that gives us the key numbers.

Is it illegal for you to possess PKZIP110 (I think, without the EU), or is
it just illegal for someone in USA to export it?  

Try some local BBSs for the US version, as it might already be in ChCh.

ts@uwasa.fi (Timo Salmi) (05/27/91)

In article <1991May25.044559.26080@syacus.acus.oz.au> ash@syacus.acus.oz.au (Ash Nallawalla) writes:
>cctr132@csc.canterbury.ac.nz (Nick FitzGerald, CSC, Uni. of Canterbury, NZ) writes:
:
>Is it illegal for you to possess PKZIP110 (I think, without the EU), or is
>it just illegal for someone in USA to export it?  
:

To make matters even worse there is no official PKZ110EU.EXE.  The
original PkWare names of the North American version and the version
without encryption were the same to add to the confusion.  The
renaming was entirely my (un)doing to cover my back, but the
convention seems to have caught on, more or less. 

...................................................................
Prof. Timo Salmi
Moderating at garbo.uwasa.fi anonymous ftp archives 128.214.12.37
School of Business Studies, University of Vaasa, SF-65101, Finland
Internet: ts@chyde.uwasa.fi Funet: gado::salmi Bitnet: salmi@finfun

hartnegg@sun1.ruf.uni-freiburg.de (Klaus Hartnegg) (05/29/91)

ash@syacus.acus.oz.au (Ash Nallawalla) writes:

>Is it illegal for you to possess PKZIP110 (I think, without the EU), or is
>it just illegal for someone in USA to export it?  

It can't be illegal because it's a US law that wants to prohibit 
such software to spread. What I am doing here in Germany can hardly
be restricted by US laws! 
-- 
--------------------------------------------------------------------------
Klaus Hartnegg, Kleist-Str. 7, D-7835 Teningen, Germany | include standard
Bitnet : hartnegg@dfrruf1 or hartnegg@cernvm            | disclaimer here!
Internet : hartnegg@ibm.ruf.uni-freiburg.de             |  

davet@cbnewsj.att.com (Dave Tutelman) (05/30/91)

>ash@syacus.acus.oz.au (Ash Nallawalla) writes:
>>Is it illegal for you to possess PKZIP110 (I think, without the EU), or is
>>it just illegal for someone in USA to export it?  

In article <1991May28.175016.21398@sun1.ruf.uni-freiburg.de> hartnegg@sun1.ruf.uni-freiburg.de (Klaus Hartnegg) writes:
>It can't be illegal because it's an US law that wants to prohibit 
>such software to spread. What I am doing here in Germany can hardly
>be restricted by US laws! 

Klaus is absolutely correct.  A few more points to explain (certainly not
excuse) what's happening here:

   1.	FACT: The US government requires permission to export weapons.
	Any cryptographic or cryptanalytic equipment (including computer
	programs) are weapons under the law.  Most program makers won't
	go through the red tape to get a weapons export license; if it's
	a well-known crypto algorithm they probably could, but it's trouble
	and expense.  I _suspect_ that someone once got in trouble for
	this, which makes everyone doubly cautious.  And after all, if
	the crypto stuff is a sideshow, not the major use of the program
	(e.g.- PKZIP), it's much easier to just put out an export version
	without the crypto features.

   2.	FACT: The US has gotten significant advantage in wartime when it
	had crypto superiority, especially when it maintained secrecy
	about that superiority.  (World War II, Pacific theatre comes to
	mind immediately.  Read about the battle of Midway and others.)

   3.	FACT: The US government has harassed researchers in cryptography
	and cryptanalysis who either (a) did research independently of
	the government, or (b) tried to publish results.  (Diffie and
	Hellman come to mind immediately.)

   4.	UNSUBSTANTIATED RUMOR:  I've heard numerous times, from unreliable
	sources, that the Data Encryption Standard (DES) that's now a US
	standard has been analyzed and broken by the National Security
	Agency (NSA).  This same rumor has it that the NSA blocked adoption
	of the standard until it had cracked the code, then encouraged
	its adoption.  (It is currently a standard for all but military
	communication; that exception tends to support the rumor.  NSA is
	saying, "We can spy on you, but we won't allow national security use
	of the code because you may have broken it, too.")

Personally, I feel that the law is stupid.  Programs that implement
well-known crypto algorithms shouldn't be classified as weapons.  Except
for this, however, point #2 above gives the government some reasonable
argument for behavior like #1, #3, and perhaps #4.  I'm not saying it's
right (personally, I think it's wrong), but it's not outright stupid.

Hope this clarifies a little.

Dave

ts@uwasa.fi (Timo Salmi) (05/31/91)

In article <1991May30.122409.15797@cbnewsj.att.com> davet@cbnewsj.att.com (Dave Tutelman) writes:
>>ash@syacus.acus.oz.au (Ash Nallawalla) writes:
>>>Is it illegal for you to possess PKZIP110 (I think, without the EU), or is
>>>it just illegal for someone in USA to export it?  
:
... much deleted text ...
:
>Personally, I feel that the law is stupid.  Programs that implement
>well-known crypto algorithms shouldn't be classified as weapons.  Except
:

I know that I am way out of line, but can't resist the temptation. 
What about ZIP-guns :-).

>Hope this clarifies a little.

Seriously, thank you for the information, and your excellent
analysis of the US encryption legalities.

...................................................................
Prof. Timo Salmi
Moderating at garbo.uwasa.fi anonymous ftp archives 128.214.12.37
School of Business Studies, University of Vaasa, SF-65101, Finland
Internet: ts@chyde.uwasa.fi Funet: gado::salmi Bitnet: salmi@finfun

bg11+@andrew.cmu.edu (Brian E. Gallew) (06/04/91)

In regard to what Dave writes about NSA and the crippled DES:

Try reading "The Cuckoo's Egg" (sp?) by Clifford Stoll (sp?).  The NSA
is just wonderfully helpful ;-> with all sorts of computer problems. 
NSA needs no excuse, and in my opinion, (for what it is worth) is
inexcusable!

And for anybody who doesn't know, DES is basically a simple substitution
code.  What makes it complicated is that instead of a 26 letter
alphabet, it substitutes for 13 letter blocks; in other words, ~75^13
letter alphabet!  (26 Uppercase, 26 Lowercase, 10 digits, plus
punctuation)  As applied to computer data, it is even worse; 256^13
letter alphabet!

Have a nice day.


                                  -Brian

You drop the bomb -more-
It goes off... -more-
-------------------------------------------------------------------------
I am *NOT* as think as you dumb I am!! |  This space for rent (241-6939)
-------------------------------------------------------------------------