bals@hyster.enet.dec.com (Fred Bals) (10/11/90)
I act as the virus guru/killer for a group of designers working on Macintoshes, and get most of my information on new virii and means to kill 'em from this group.

Recently both MacWorld and MacUser magazines have had short articles about a PostScript printer virus which apparently is a Trojan Horse hidden within some public domain clip art. According to the articles, the virus, when down-loaded into a PostScript printer, resets a chip password and renders the printer unusable.

I took these articles with some grains of salt, since the phrases "alleged," "supposedly," and "appears to" are liberally used throughout both of them. Plus, I've not seen any comments from this group about this virus.

So, two questions: Can anyone confirm whether there actually *is* a PostScript Trojan, and if so, what are the strategies for preventing and killing it?

Thanks.

-- 
Fred Bals (DEC Merrimack, NH)
"The only thing technology does is prolong hopelessness."
Mail addresses:
  bals@hyster.dec.com bals@hyster.enet.dec.com
  UUCP: ...!decwrl!hyster.enet.dec.com!bals
  ARPA: bals%hyster.DEC@DECWRL.DEC.COM
dmg@lid.mitre.org (David Gursky) (10/12/90)
In response to Fred Bals' message about the "Postscript virus": there has not been (to the best of my knowledge) any documented instance of this Postscript virus. There are several utilities in the public domain that allegedly defend against it, though.
S096264@UMRVMA.BITNET (Kincy, Chuck P.) (10/12/90)
From the last Virus-L:

> Recently both MacWorld and MacUser magazines have had short articles
> about a PostScript printer virus which apparently is a Trojan Horse
> hidden within some public domain clip art. According to the articles,
> the virus, when down-loaded into a PostScript printer, resets a chip
> password and renders the printer unusable.

Apparently the article refers to the PostScript "server" password, the password required to make a permanent status change to the printer. I believe the password is a 2-byte unsigned integer. In order to change this password, a PostScript job must know the original server password. The default password is 0, but it can be changed with the "setpassword" command. (Not too sure about the actual command word...my PostScript is rusty...)

A program that resets the server password would be really nasty, as it would prevent any future permanent status changes to the printer (such as defaultpapertray, defaultpapersize, etc.) However, a careful system administrator would set the password to something other than 0; this action would keep such a program from doing any harm. As far as I know, there is no way to figure out the server password (unless, of course, you know it).

A program like this would do it:

    serverdict begin xxxxx exitserver    % xxxxx is the old "server" password.
    statusdict begin yyyyy setpassword   % yyyyy is the new password.
                                         % (I hope this is the right syntax!!)
    (ctl-d)

Someone might want to get a PostScript "red" book to check me on this....

|Chuck Kincy                  "I do not think that there is any question   |
|University of Missouri        about it--it can only be attributed to      |
|Rolla MO 65401                human error. This sort of thing has cropped |
|S096264@umrvma.umr.edu        up before, and it has always been due to    |
|314/341-8922                  human error." -- HAL 9000.                  |
woody@chinacat.Unicom.COM (Woody Baker @ Eagle Signal) (10/15/90)
bals@hyster.enet.dec.com (Fred Bals) writes:

> Recently both MacWorld and MacUser magazines have had short articles
> about a PostScript printer virus which apparently is a Trojan Horse
> hidden within some public domain clip art. According to the articles,
> the virus, when down-loaded into a PostScript printer, resets a chip
> password and renders the printer unusable.

Certain programs that depend on knowing the password won't run, but the machine is not unusable.

> I took these articles with some grains of salt, since the phrases,
> "alleged," "supposedly," "appears to," is liberally used throughout
> both of them. Plus, I've not seen any comments from this group about

I think that indirectly I am responsible for this one. Many months ago, I posted a message dealing with the possibilities of fonts, PS programs etc. etc. that could be destructive. What I basically said was that it was quite possible for a font (since it is a program) or any other PS program to do nasty things, like delete fonts from a hard disk (if your printer supports a hard disk), reset the password on the printer, etc. etc. I still know of no instance where any of this has ACTUALLY happened, though I have had several people contact me and ask for help resurrecting their lasers.

I posted a routine a couple of months ago on this group that would enable the reading of the password, regardless of what it was, so that it could be reset. For a long time, I have offered a routine to people who requested it on department letterhead (official stationery) that allows the alteration of ANY byte in the EEPROM. It has the potential to do a lot of damage. Eventually, someone over in the UK pointed out that all one really had to do was to read the actual password, and then they could reset it correctly. He published a bit of code, and subsequently I modified my routines so that they return a map of the EEPROM (a dump) and return the current password. You can then change it using the normal PostScript operators.

Ken was reluctant to publish the stuff (it was a CEXEC routine, because it was a binary), but made the exception one time. I believe it should be available in the digests. I am not going to post it again to this group out of respect for Ken's opinions. Since it went out once, it is in the archives. It has been posted in the PostScript group as well.

Once again, while it is quite possible that some clip-art or font could be booby-trapped with the machine language routine that allows unlimited writing to the EEPROM, and thus could reset the printer password etc., etc., I have not really had any verification of it actually happening. I do know of one individual that did some experimentation in a controlled environment, and reported that indeed it could be done (this was in a private email message). This particular individual is above reproach, and certainly hasn't allowed what he did out of his hands. At any rate it was not a self-replicating thing, just a simple trojan, to determine if the threat was real.

He subsequently sent me a nifty "vaccine" for the problem, that Glenn Reid subsequently made a minor and useful modification to. In PostScript you can re-define the operators. The "vaccine" simply redefines the setpassword operator to do nothing. This won't stop the machine language routine, but is rather effective for preventing casual changes to the password. The default password is 0, as is widely known, and if it is known, then it can be changed. If not, it cannot be changed through normal PostScript commands.

Here is a simple "vaccine":

    /setpassword {
        /Helvetica findfont 20 scalefont setfont    % create a font
        100 100 moveto
        (Someone is trying to reset your password) show
        pop pop                                     % remove the two setpassword parameters
        showpage
    } bind def

Cheers
Woody

> Mail addresses:
>
> bals@hyster.dec.com bals@hyster.enet.dec.com
> UUCP: ...!decwrl!hyster.enet.dec.com!bals
> ARPA: bals%hyster.DEC@DECWRL.DEC.COM
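An added example, not code from the thread: a small Python checker that flags executable uses of the password-changing operators in a PostScript job before it is sent to the printer, ignoring the same words inside strings and comments, so a trojan of the kind sketched above is reported while the vaccine's redefinition of /setpassword (a literal name) is not. The sample jobs are constructed for this example; the Level 2 operators setsystemparams and setdevparams are an assumed addition to the thread's setpassword/exitserver pair.

```python
"""Added checker (not from the thread): flag executable uses of PostScript
operators that leave the server loop or change persistent printer state."""
import re
# The thread's setpassword/exitserver pair plus Level 2 operators assumed relevant.
PERSISTENT_OPS = ("exitserver", "setpassword", "setsystemparams", "setdevparams")
OP_RE = re.compile(r"(?<![/A-Za-z0-9])(" + "|".join(PERSISTENT_OPS) + r")(?![A-Za-z0-9])")

def blank_strings_and_comments(ps):
    """Blank (...) strings (nested, backslash escapes) and % comments with spaces,
    keeping newlines so reported line numbers stay correct."""
    out, depth, i = [], 0, 0
    while i < len(ps):
        c = ps[i]
        if depth == 0 and c == "%":           # comment runs to end of line
            while i < len(ps) and ps[i] not in "\r\n":
                out.append(" ")
                i += 1
            continue
        if depth == 0 and c != "(":
            out.append(c)
        else:                                 # opening, or inside, a string
            if c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
            elif c == "\\" and i + 1 < len(ps):  # escaped char is string data too
                out.append(" ")
                i += 1
                c = ps[i]
            out.append(c if c in "\r\n" else " ")
        i += 1
    return "".join(out)

def scan_postscript(ps):
    """Return [(line_no, op), ...]; literal names such as /setpassword are not hits."""
    hits = []
    for n, line in enumerate(blank_strings_and_comments(ps).splitlines(), 1):
        hits.extend((n, m.group(1)) for m in OP_RE.finditer(line))
    return hits

# Constructed sample jobs for this example.
TROJAN_CLIPART = """%!PS-Adobe-2.0
% constructed: draws a line, but first leaves the server loop and resets the password
serverdict begin 0 exitserver
statusdict begin 0 12345 setpassword end
newpath 10 10 moveto 100 100 lineto stroke showpage
"""
VACCINE = """%!PS
/setpassword { (setpassword: someone is resetting your password) show pop pop } bind def  % setpassword in a comment
"""
```

Running scan_postscript over a downloaded font or clip-art file before printing gives a list of lines to inspect by hand; an empty list for the vaccine shows that a defensive redefinition is not mistaken for an attack.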