CHESS@YKTVMV.BITNET (David.M.Chess) (05/15/91)
Has this been around for a while?  Just in the last week or so, I've heard of it from a couple of different, widely separated, places in Europe, and I hadn't heard of it before.  Does anyone have a good description written up?  I'm well into analyzing it, but it's always nice to have someone else's notes to check myself against.  Just how widespread does it seem?  Does anyone know of it "getting lucky" (shipping with a commercial package, or anything on that order)?

DC
c-rossgr@uunet.uu.net (05/18/91)
>From: "David.M.Chess" <CHESS@YKTVMV.BITNET>
>Has this been around for a while?  Just in the last week or so, I've
>heard of it from a couple of different, widely separated, places in
>Europe, and I hadn't heard of it before.  Does anyone have a good....

By the look of things, it's a flip flop virus: an infected program infects the partition record, infected partition records infect programs.  Additionally, it looks a lot like a combo of 1260 and v101: it is impossible to get a scan string for it.

<Enter Patting Self On Back Mode>

Naturally, VIRX14 catches it.

Ross
CHESS@YKTVMV.BITNET (David.M.Chess) (05/21/91)
>From: microsoft!c-rossgr@uunet.uu.net
>
>Additionally, it looks a lot like a combo of 1260 and v101:
>it is impossible to get a scan string for it.

While I know what you mean, Ross, I'd like to clarify for our readers: the Tequila doesn't actually seem to share any code with the 1260 or Virus-101 (no evidence that the author of the Tequila had seen either of those), and a scanner that can handle variable-length "don't care" areas can detect it with no problems.

DC
mrs@netcom.com (Morgan Schweers) (05/21/91)
Some time ago microsoft!c-rossgr@uunet.uu.net whispered:
>>From: "David.M.Chess" <CHESS@YKTVMV.BITNET>
>
>>Has this been around for a while?  Just in the last week or so, I've
>>heard of it from a couple of different, widely separated, places in
>>Europe, and I hadn't heard of it before.  Does anyone have a good....
>
>By the look of things, it's a flip flop virus: an infected program
>infects the partition record, infected partition records infect
>programs.  Additionally, it looks a lot like a combo of 1260 and v101:
>it is impossible to get a scan string for it.
>
><Enter Patting Self On Back Mode>

Greetings,

    *Chuckle*  It's a variant of the Flip virus, actually.  A bit of pseudo-encryption code was added, and a bit of infection code was removed, but otherwise it's mostly Flip-like.

    Mr. McAfee gave me a scan string quickly after I handed it to him, and it'll be in the upcoming release of Scan as well.  (Clean, of course, will remove it.)  It's *VERY* rarely 'impossible' to find a scan string for something.

    It's been suggested that pirated copies of Golden Axe by Sega have been spreading its infection on the other side of the pond.

    A side note, regarding the Flip: it patches COMMAND.COM (under DOS 3.3, at least) to fix the DIR command to hide the filesize increase.  It modifies two bytes, to chain to itself.  This is important, as if these bytes are not fixed the COMMAND.COM will crash after being cleaned.  I haven't checked to see if the Tequila virus does this as well, but I would guess that it does.

    Dave Chess mentioned to me that the Tequila displays a low resolution Mandelbrot set upon activation.  I haven't confirmed it, but I plan to.  (Anybody want GIF copies when I do?  *chuckle*)

--
Morgan Schweers

"Any opinions are not the express opinions of McAfee Associates.  I just pattern, in game of life."  (Do not meddle in the affairs of cats, for they are subtle and will piss on your computer.)
-- mrs@netcom.com
c-rossgr@uunet.uu.net (05/23/91)
>From: mrs@netcom.com (Morgan Schweers)
>
>     *Chuckle*  It's a variant of the Flip virus, actually.  A bit of
>pseudo-encryption code was added, and a bit of infection code was
>removed, but otherwise it's mostly Flip-like.

Interesting phrase, "pseudo-encryption".  What, exactly, does it mean?

>     Mr. McAfee gave me a scan string quickly after I handed it to
>him, and it'll be in the upcoming release of Scan as well.  (Clean,
>of course, will remove it.)  It's *VERY* rarely 'impossible' to find
>a scan string for something.

Sorry: I don't count "wild card" strings as a search pattern.  There's too much chance for false positives.  But, true, if you don't mind the occasional false positive, I guess you could state that a search string was available for Tequila.

>     Dave Chess mentioned to me that the Tequila displays a low resolution
>Mandelbrot set upon activation.  I haven't confirmed it, but I plan to.
>(Anybody want GIF copies when I do?  *chuckle*)

Sorry, I'll wait for the sequel: Tequila Part II: The Resolution Improves!  <grin>

Ross
c-rossgr@uunet.uu.net (05/23/91)
>From: "David.M.Chess" <CHESS@YKTVMV.BITNET>
>While I know what you mean, Ross, I'd like to clarify for our readers:
>the Tequila doesn't actually seem to share any code with the 1260 or
>Virus-101 (no evidence that the author of the Tequila had seen either
>of those), and a scanner that can handle variable-length "don't care"
>areas can detect it with no problems.  DC

Whoops!  You're write!  I should right better and knot make so many misteaks!  :-)

I have an abhorrence for wild-carded scan strings -- too many false positives -- so I tend to not include them.  I ended up going algorithmically on the Tequila in any case...

Ross
CHESS@YKTVMV.BITNET (David.M.Chess) (05/23/91)
>From: microsoft!c-rossgr@uunet.uu.net
>
>Sorry: I don't count "wild card" strings as a search pattern.  There's
>too much chance for false positives.  But, true, if you don't mind the
>occasional false positive, I guess you could state that a search
>string was available for Tequila.

A string with wildcards isn't necessarily more prone to false positives than one without, as long as there are enough additional fixed bytes in the one with wildcards to make up for the extra degrees of freedom added by the wildcards.  I think?  Any sort of less-than-virus-length scan string is somewhat prone to false alarms, but ones with wildcards, if properly chosen, aren't necessarily any worse than ones without...

DC
padgett%tccslr.dnet@mmc.com (Padgett Peterson) (05/24/91)
Ross: It would be interesting if you, Frisk, & I ever get together at a bar, but they'll have to provide a padded room & unbreakable glasses.

>From: microsoft!c-rossgr@uunet.uu.net
>>From: mrs@netcom.com (Morgan Schweers)
>>
>>     *Chuckle*  It's a variant of the Flip virus, actually.  A bit of
>>pseudo-encryption code was added, and a bit of infection code was
>>removed, but otherwise it's mostly Flip-like.

>Interesting phrase, "pseudo-encryption".  What, exactly, does it mean?

(Can't help myself, this is too much like "mock-swedish")

Given that encryption covers both codes (breakable) and cyphers (less so), it would follow that a "pseudo-encryption" is neither a code nor a cypher but looks like one.  EBCDIC & BAUDOT would probably fall into that category, as would the raw output from most word processors.  For that matter, a DEBUG U(nassemble) of a Master Boot Record is gibberish to one who does not understand the conditionals but makes perfect sense once the constraints are understood.  The output from a "Little Orphan Annie Secret Decoder Ring" would not be "pseudo" since it produces a real (though trivial) code.

>Sorry: I don't count "wild card" strings as a search pattern.  There's
>too much chance for false positives.

Why do you disagree with "wild cards"?  For example, if I find a boot sector that contains

        MOV  AX,[413]
        <some code>
        MOV  [413],AX

I would suspect a virus regardless of what went on in the <some code> area.  To me a variable length "wild card" to replace <some code> would be very useful in this case.

I agree that the potential for false positives exists, but as an initial mechanism that determines a maxterm/minterm decision tree structure or to provide a public signature without revealing too much of the viral design, such a "wild card" function would be very effective.

                                        Warmly,
                                                Padgett
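The two points above, Dave Chess's (a wildcarded string needs extra fixed bytes to make up for the freedom the gaps add) and Padgett's (MOV AX,[413] ... MOV [413],AX with a variable-length don't-care in between), worked through as an added example.  This is not code from VIRX, SCAN, Virex-PC or any of the posters.  The signature syntax, the 40-byte cap on the gap and every sample byte string below are assumptions made for the example; the opcode encodings of MOV AX,[0413] (A1 13 04) and MOV [0413],AX (A3 13 04) are the standard 16-bit ones.

```python
"""Wildcarded scan strings with bounded variable-length gaps.

Added example; not code from VIRX, SCAN, Virex-PC or any poster.
Signature syntax (an assumption for this example): hex byte pairs
separated by spaces, and "*{lo,hi}" for a gap of lo..hi don't-care
bytes.  All sample byte strings below are constructed.
"""
from __future__ import annotations

import re

# Padgett's heuristic: read the BIOS memory-size word at 0040:0013, do
# something, write it back.  In 16-bit code MOV AX,[0413] encodes as
# A1 13 04 and MOV [0413],AX as A3 13 04; the code in between is the
# wildcard.  The 40-byte cap is an assumption, not a measured bound.
MEM_SIZE_SIG = "A1 13 04 *{0,40} A3 13 04"


def compile_signature(sig: str) -> tuple[re.Pattern[bytes], int, int]:
    """Compile a signature into a bytes regex.

    Returns (pattern, fixed_bytes, gap_combinations): the count of fixed
    bytes and the product of the gap-length choices, which the
    false-positive estimate below needs.
    """
    parts: list[bytes] = []
    fixed = 0
    combos = 1
    for tok in sig.split():
        if tok.startswith("*{") and tok.endswith("}"):
            lo, hi = (int(x) for x in tok[2:-1].split(","))
            parts.append(b".{%d,%d}" % (lo, hi))
            combos *= hi - lo + 1
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
            fixed += 1
    return re.compile(b"".join(parts), re.DOTALL), fixed, combos


def scan(data: bytes, sig: str) -> list[tuple[int, int]]:
    """Return (start, end) of every non-overlapping hit of sig in data."""
    pattern, _, _ = compile_signature(sig)
    return [(m.start(), m.end()) for m in pattern.finditer(data)]


def chance_hit_rate(sig: str) -> float:
    """Rough per-offset probability that uniformly random bytes match.

    Each fixed byte costs a factor of 256; each gap multiplies the ways
    to match by the number of lengths it may take (a union bound).
    """
    _, fixed, combos = compile_signature(sig)
    return combos * 256.0 ** -fixed


def fixed_bytes_needed(gap_combinations: int, target_rate: float) -> int:
    """Smallest fixed-byte count k with gap_combinations * 256**-k <= target_rate.

    Dave Chess's point in numbers: a wildcarded string needs about
    log256(gap choices) extra fixed bytes to be no looser than a plain one.
    """
    if target_rate <= 0:
        raise ValueError("target_rate must be positive")
    k = 0
    while gap_combinations * 256.0 ** -k > target_rate:
        k += 1
    return k


# Constructed samples (not real boot sectors).
BOOT_PROLOGUE = bytes.fromhex("FA33C08ED0BC007CFB")  # cli; xor ax,ax; mov ss,ax; mov sp,7C00; sti
INFECTED = (BOOT_PROLOGUE
            + bytes.fromhex("A11304")    # mov ax,[0413]
            + bytes.fromhex("2D0200")    # sub ax,2        (steal 2 KB)
            + bytes.fromhex("A31304")    # mov [0413],ax
            + bytes(32))
BENIGN_READER = (BOOT_PROLOGUE
                 + bytes.fromhex("A11304")    # mov ax,[0413]
                 + bytes.fromhex("B104D3E0")  # mov cl,4; shl ax,cl (KB to paragraphs)
                 + bytes(32))                 # never writes it back
TOO_FAR_APART = bytes.fromhex("A11304") + bytes(50) + bytes.fromhex("A31304")


if __name__ == "__main__":
    for name, blob in (("INFECTED", INFECTED),
                       ("BENIGN_READER", BENIGN_READER),
                       ("TOO_FAR_APART", TOO_FAR_APART)):
        print("%-14s %s" % (name, scan(blob, MEM_SIZE_SIG)))
    print("chance hits per offset: %.3g" % chance_hit_rate(MEM_SIZE_SIG))
    print("fixed bytes to equal a plain 6-byte string:",
          fixed_bytes_needed(41, 256.0 ** -6))
```

With a 0..40 byte gap the signature has 41 ways to line up, so its six fixed bytes give roughly 41 times the chance-hit rate of a plain six-byte string; one more fixed byte (seven) brings it back below that rate, which is the trade Dave describes.  The benign sample reads the memory-size word but never writes it back, and the third sample keeps the two instructions outside the allowed gap, so neither matches.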
c-rossgr@uunet.uu.net (05/24/91)
>From: "David.M.Chess" <CHESS@YKTVMV.BITNET>
>
>....  Any sort of
>less-than-virus-length scan string is somewhat prone to false alarms,
>but ones with wildcards, if properly chosen, aren't necessarily any
>worse than ones without...

We'll have to agree to disagree on this one, Dave.

Ross
c-rossgr@uunet.uu.net (05/28/91)
>From: Padgett Peterson <padgett%tccslr.dnet@mmc.com>
>
>Ross: It would be interesting if you, Frisk, & I ever get together
>at a bar but they'll have to provide a padded room & unbreakable glasses.

Hey, take some time off and come on over to the UK this September for Ed Wilding's little get together in the Channel.  I expect it to be *very* good [for those who are not aware of it, the Virus Bulletin is having an international virus seminar where just about everybody who is anybody will either a) be speaking or b) be in the audience making fun of those who are speaking.  It ain't cheap, but I think it'll be real good.]

>>Sorry: I don't count "wild card" strings as a search pattern.  There's
>>too much chance for false positives.

>Why do you disagree with "wild cards"?  For example, if I find a boot
>sector that contains  MOV AX,[413]  <some code>  MOV [413],AX  I would
>suspect a virus regardless of what went on in the <some code> area.
>To me a variable length "wild card" to replace <some code> would be
>very useful in this case.

In our tests for Virex-PC's scanner, we throw it up against a coupla network servers filled to the brim with every piece of software we can find.  When we let a new scanner with new strings loose on it, any false positives based upon our string library and our program library will show up quickly.  I've found far too many false positives with wild card patterns than with either fixed patterns or algorithmic pattern matching schemes.  Since false positives remove some of the credibility of the product with corporate clients, we've worked long and hard to make sure that we don't have them: only two false positives to date for a product about a year old; that's not too bad at all (> 400 strings in the current release).  When I report that there is a virus in a program or in a boot sector, I want to be sure.

>I agree that the potential for false positives exists, but as an
>initial mechanism that determines a maxterm/minterm decision tree
>structure or to provide a public signature without revealing too much
>of the viral design, such a "wild card" function would be very
>effective.

Part of the advantage of working hard on a fast search engine: some cycles to spare.  If I put in a search string that is "wild carded" and get a hit on some program to verify later with some other method, why not just check that other method first?  That's what I'm doing with about a half dozen viruses and I was able to accept a 1-2% hit on speed as a consequence of the action of checking completely for the virus instead of playing with wild cards.

Although I understand the desire for wildcarding (it certainly makes turning out a new piece of code a quick turnaround!), I just don't think it buys enough to feel safe with.  But, well, to each their own!

Cheers!

Ross
mrs@netcom.com (Morgan Schweers) (05/29/91)
Greetings,

Some time ago microsoft!c-rossgr@uunet.uu.net happily mumbled:
>>From: mrs@netcom.com (Morgan Schweers)
>>
>>     *Chuckle*  It's a variant of the Flip virus, actually.  A bit of
>>pseudo-encryption code was added, and a bit of infection code was
>>removed, but otherwise it's mostly Flip-like.
>
>Interesting phrase, "pseudo-encryption".  What, exactly, does it mean?

    There aren't any viruses which use anything that could be considered 'real' encryption (yeah, yeah, I know, 'define real'...  We'll take it to sci.philosophy.meta, okay?)  However, what I meant by 'pseudo-encryption' is a situation in which the METHOD is different each time.  For example, the Tequila uses XOR *OR* ADDitive encryption.  This is more than one form of encryption, so in referring to the entire group I call it pseudo-encryption.  The same with the Whale, etc.  It could also be called variable encryption if you wish.

>Sorry: I don't count "wild card" strings as a search pattern.  There's
>too much chance for false positives.  But, true, if you don't mind the
>occasional false positive, I guess you could state that a search
>string was available for Tequila.

    Odd that you would claim that...  I could have sworn...  Oh, never mind.

    Actually, if you are using five bytes to search for the virus, and someone else is using 15 (interspersed with a few wildcards), is it automatically to be assumed that the wildcarded one is going to be less specific?  Do you have any statistics behind it?  The most important thing is the person putting together a string.  One has to realize that if one is going to use wildcards, one has to use more bytes to detect than one normally would.  (For verification purposes.)

    There is also a second trick, used by some.  When the file is detected as almost certainly being a virus, the decryption method is used on a portion of the file.  That portion is compared against a standard, known block of code.  If a match ISN'T made, the file is ignored.

>>     Dave Chess mentioned to me that the Tequila displays a low resolution
>>Mandelbrot set upon activation.  I haven't confirmed it, but I plan to.
>>(Anybody want GIF copies when I do?  *chuckle*)
>
>Sorry, I'll wait for the sequel: Tequila Part II: The Resolution
>Improves!  <grin>

    Yupyup.  I figure the sequel will come around January...  You know what I mean...  A new year's resolution increase...  *duck*

--
Morgan Schweers

My company has nothing to do with this.  So there.  Besides, most people here *HATE* bad puns!
-- mrs@netcom.com
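Morgan's "second trick" (a cheap hit first, then decrypt the start of the body with the method and key taken from the decryptor and compare it against a known block) and his description of Tequila using XOR or ADD, worked through as an added example.  This is not any poster's scanner code and not the real Tequila layout, which this thread does not describe: the two-byte stub layout, the "known body" bytes, the direction of the ADD method and all sample files are assumptions made for the example.

```python
"""Decrypt-and-compare verification behind a cheap scan hit.

Added example; not any poster's scanner and not the real Tequila layout.
Assumed sample layout: byte 0 = method (0x00 XOR, 0x01 ADD), byte 1 =
8-bit key, then the encrypted virus body.  KNOWN_BODY is constructed.
"""
from __future__ import annotations

XOR, ADD = 0x00, 0x01

# What the first bytes of the body look like once decrypted.  A real
# scanner stores one such block per virus; these bytes are constructed
# (call $+3 / pop bx / sub bx,... / mov ah,4E / int 21 style prologue).
KNOWN_BODY = bytes.fromhex("E800005B81EB0301B44ECD21")


def decrypt(blob: bytes, method: int, key: int) -> bytes:
    """Apply the decryptor's own operation: XOR with key, or ADD key (assumed)."""
    if method == XOR:
        return bytes(b ^ key for b in blob)
    if method == ADD:
        return bytes((b + key) & 0xFF for b in blob)
    raise ValueError("unknown method %#x" % method)


def encrypt(blob: bytes, method: int, key: int) -> bytes:
    """Inverse of decrypt: what the infection routine would have done."""
    if method == XOR:
        return bytes(b ^ key for b in blob)
    if method == ADD:
        return bytes((b - key) & 0xFF for b in blob)
    raise ValueError("unknown method %#x" % method)


def make_sample(method: int, key: int, body: bytes = KNOWN_BODY,
                trailer: bytes = b"") -> bytes:
    """Build a constructed 'infected' file image in the assumed layout."""
    return bytes([method, key]) + encrypt(body, method, key) + trailer


def stage1_suspect(data: bytes) -> bool:
    """The cheap, wildcard-like stage: method byte fixed, key byte don't-care.

    One fixed byte will hit plenty of clean files; that is expected,
    the second stage sorts them out.
    """
    return len(data) >= 2 + len(KNOWN_BODY) and data[0] in (XOR, ADD)


def verify(data: bytes) -> bool:
    """Second stage: decrypt the body start with the stub's own method
    and key, then compare against KNOWN_BODY."""
    if not stage1_suspect(data):
        return False
    method, key = data[0], data[1]
    return decrypt(data[2:2 + len(KNOWN_BODY)], method, key) == KNOWN_BODY


def classify(data: bytes) -> str:
    """'infected' only when both stages agree; a stage-1-only hit is ignored."""
    return "infected" if verify(data) else "clean"


if __name__ == "__main__":
    for label, blob in (
        ("XOR, key 5A", make_sample(XOR, 0x5A)),
        ("ADD, key 33", make_sample(ADD, 0x33)),
        ("benign, starts 00 77", bytes([0x00, 0x77]) + bytes(range(12))),
        ("benign, starts 90 90", b"\x90\x90" + bytes(12)),
    ):
        print("%-22s stage1=%-5s final=%s"
              % (label, stage1_suspect(blob), classify(blob)))
```

The point is that the key is never part of the signature: any of the 256 keys under either method verifies, while a clean file that happens to trip the first stage decrypts to something other than the known block and is dropped, which is what keeps the false-positive count down without a wildcard over the whole body.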
c-rossgr@uunet.uu.net (05/31/91)
>From: mrs@netcom.com (Morgan Schweers)
>                                                However, what I meant by
>'pseudo-encryption' is a situation in which the METHOD is different
>each time.  For example, the Tequila uses XOR *OR* ADDitive
>encryption.  This is more than one form of encryption, so in referring
>to the entire group I call it pseudo-encryption.  The same with the
>Whale, etc.  It could also be called variable encryption if you wish.

Hmmm.  Interesting definition.  I use "variable encoding" to indicate that something in the virus is designed to thwart scanners: variable "NOP" type instructions, that kinda stuff.  I use "encryption" to indicate that the code has been mangled in some form, regardless of how many methods a given program uses.  That would make Tequila a "variable encoding encrypted" virus, I guess.  Pain in the butt, in any case.

>     Actually, if you are using five bytes to search for the virus,
>and someone else is using 15 (interspersed with a few wildcards), is
>it automatically to be assumed that the wildcarded one is going to be
>less specific?  Do you have any statistics behind it?

That is too obviously backwards to require stats and is not what I was implying.  Of course having 16 bytes with no wild cards *should* be more specific than 16 bytes with wildcards.

>     There is also a second trick, used by some.  When the file is
>detected as almost certainly being a virus, the decryption method is
>used on a portion of the file.  That portion is compared against a
>standard, known block of code.  If a match ISN'T made, the file is
>ignored.

Yeah, we use that for 1260 and Caspar and a coupla others.  Another pain in the butt, frankly.  Maybe I'm just getting burned out in the anti-virus arena and would rather be scuba-diving...  <g>

Ross