[comp.virus] redistribution of viruses.

smith_s@gc.bitnet (09/18/90)

  On September 13, James Ford asked:
> ...
> What should the policy be regarding sending (old) viruses to other people
> and sites? ...

  The "known virus-busters" notion has always been somewhat of a pet
peeve of mine.  I'm at a location that has a steady flow of Macintosh
viruses (read: frequent reinfection) but has been blissfully free of
the PC variety - possibly due to our network and lab strategy.  I'm
interested in the development of virus removal programs (PC), but I'm
not willing to undergo the sort of hassle that seems to follow a
request for samples (note: I haven't tried to get samples, I'm just
judging by what I've read here, particularly statements that requests
for virus samples won't be considered or forwarded).
  It is my belief that a person or organization should be able to
obtain "live" samples, detection, and removal information for research
-- provided that person can be reasonably assumed to be responsible, i.e.
a programmer or network administrator at a site.  It's not that I
believe accountability = 100% reliability, rather, that it's more
likely that someone with a reputation on the line would not carelessly
redistribute viruses.
  It is also my belief that being a "recognized virus buster" doesn't
really equate to the ultimate in security.  In this vein, I present
the following rehash (slightly edited for brevity):

> Date:    Wed, 27 Dec 89 12:47:52 +0000
> From:    frisk@rhi.hi.is (Fridrik Skulason)
> Subject: Two serious cases (PC)
>
> Most virus researchers exchange/distribute viruses only on a strict
> need-to-know basis, in order to limit the spread of viruses. However, this
> does not work as well as intended. There are now two known cases where
> untrustworthy people seem to have obtained viruses from researchers.
>
> Case #1: Icelandic-1/Saratoga
>
>      I discovered the Icelandic-1 virus here in Iceland in June this year.
>      When I had disassembled it, I sent a disassembly of an infected file
>      to several experts in the USA, UK and Israel, including the HomeBase
>      folks (McAfee). Before I sent out the disassembly, I made one small
>      change to it. This change had no effect on the operation of the virus,
>      but it would make it possible to determine if a copy of this virus found
>      outside of Iceland was based on my disassembly or not.
..
>      Three days after the virus was made available on the HomeBase bulletin
>      board, in a restricted area that only a few people had access to, a new
>      virus was discovered in Saratoga and uploaded to the HomeBase BBS. Some
>      people thought for a while that Saratoga was an older variant of
>      Icelandic-1, because it was at first said to have been found "a few
>      months earlier", but this turned out to be a misunderstanding.
>
>      Saratoga was just a minor variant of Icelandic-1, but the change I made
>      was present in the virus, so it was obviously based on my disassembly.
>      When Saratoga was found, I had only sent Icelandic-1 to three or four
>      persons in the US - and, as far as I know, it had only been made available
>      to other persons in one place (HomeBase).  They believe that the person
>      responsible for creating "Saratoga" has now been found, and his
>      access to the restricted area has been terminated.
>
> Case #2: Dbase
>
>      The dBase virus was discovered by Ross Greenberg. It seems to have been
>      planted at only a single site, because no other reports appeared for
>      several months. Recently Ross made the virus available to a number of
>      virus researchers. Within two weeks the first infection reports had
>      started to arrive - the virus had escaped.
>
>      We know that at least some of the reported infections were based on the
>      copy from Ross, because he made one small change to the virus, before it
>      was distributed. One instruction was overwritten by two "harmless"
>      instructions, in order to disable the most harmful effect of the virus -
>      the disk trashing part. This change is also present in some of the
>      infected files that have been found recently. (In other cases the
>      original instruction is present)
>
> As I said before, I do not consider it a very good idea to make changes to
> viruses, but it paid off in the two cases described above. Who knows how
> many other cases of virus infections are (indirectly) the result of virus
> collection/distribution by virus experts.
>
> At least it is certain that we have to be a lot more careful in the future.
>
> --frisk

  I'd personally like to see standard criteria applied to the
distribution of viruses and related information, rather than presuming
that the current crew are the only ones with any legitimate interest
in the field.  It also seems as though marginal changes in code to
identify the source of an "escaped" virus could help keep people on
their toes.
  _,_/|
  \o.O;   Steven W. Smith, Programmer/Analyst {& PCSA network administrator}
 =(___)=  Glendale Community College, Glendale Az. USA
    U     SMITH_S@GC.BITNET
If you believe that I represent the views of GCC, you're mad, quite mad...
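The tagging idea the post ends on (a small, behaviour-neutral change per recipient so an "escaped" copy can be traced back) as an added example; this is not code from the post or from frisk's message. It assumes the distributed file has a filler region that does not affect its operation, uses a constructed byte string in place of any real sample, and keys the tag with a secret held by the distributor so a recipient cannot forge another recipient's tag.

```python
import hmac
import hashlib
from typing import Iterable, Optional

# Constructed stand-in for a distributed sample: 40 bytes with an 8-byte filler
# region at offset 16 that is assumed not to affect behaviour. Not a real binary.
BASE_SAMPLE = b"\x90" * 16 + b"\x00" * 8 + b"\x90" * 16
FILLER_OFFSET, FILLER_LEN = 16, 8

# Hypothetical secret held only by the researcher who hands out copies.
TRACKING_KEY = b"hypothetical-distributor-secret"


def marker_for(recipient: str) -> bytes:
    """Per-recipient tag: keyed hash of the recipient name, truncated to the filler size.
    Keying it means nobody without TRACKING_KEY can fabricate someone else's tag."""
    return hmac.new(TRACKING_KEY, recipient.encode(), hashlib.sha256).digest()[:FILLER_LEN]


def tagged_copy(recipient: str) -> bytes:
    """The copy sent to one recipient: identical to BASE_SAMPLE except the filler region."""
    head = BASE_SAMPLE[:FILLER_OFFSET]
    tail = BASE_SAMPLE[FILLER_OFFSET + FILLER_LEN:]
    return head + marker_for(recipient) + tail


def identify_source(found: bytes, recipients: Iterable[str]) -> Optional[str]:
    """Which recipient's copy a found file derives from, or None for an untagged copy.
    The tag is searched for anywhere in the file, not at a fixed offset, so a minor
    variant (bytes added or changed elsewhere, as with Saratoga) is still attributed."""
    for recipient in recipients:
        if marker_for(recipient) in found:
            return recipient
    return None


def leaked_variant(recipient: str) -> bytes:
    """Constructed 'variant' of one recipient's copy: other bytes altered, tag intact."""
    copy = tagged_copy(recipient)
    return b"\xcc\xcc\xcc\xcc" + copy[4:FILLER_OFFSET] + copy[FILLER_OFFSET:] + b"\x90\x90"


if __name__ == "__main__":
    people = ["alice", "bob", "carol"]
    print(identify_source(tagged_copy("bob"), people))     # bob
    print(identify_source(leaked_variant("carol"), people))  # carol
    print(identify_source(BASE_SAMPLE, people))             # None
```

The copies still need a disassembly-level check that the chosen filler region really is inert, which is what frisk and Ross Greenberg did by hand; the tag only answers "whose copy was this", not "is the change safe".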