dmg@retina.mitre.org (David Gursky) (12/22/89)
I wish to take issue with Gene Spafford's Theorem 4:

"Theorem #4) Within the next few years, there will be at least one major problem where some purported anti-viral/security software will be made available, and it will contain a logic bomb or trojan horse in it that causes more damage than what it is supposed to fix. (Minor thesis: the likely author of such software will be someone marketing commercial security software, and the logic bomb version will be a public-domain package not traceable to the author. The purpose -- to discredit public domain anti-virus software.)"

This assumes the unavailability of high-quality PD/Shareware/Freeware anti-electronic vandalism software, or rather, that at a certain point in time, such software will not be available (i.e. the existing software will be outmoded, as say Interferon is). It also assumes the author is able to completely cover his or her steps, as Spaf does correctly point out, but I would counter that this is harder than it seems.

Consider the current situation. Of the PD/SW/FW tools in use today (FluShot Plus, Gatekeeper, Disinfectant, et al.), their authors are well known, and it is well known when they release new copies of their software. Any Trojan Horse masquerading as a tool against electronic vandalism would therefore have to be as good as these tools, and would probably have to be much better. Otherwise, people will simply keep using what they are using (look at how many people still use Interferon!). If people are not going to easily switch from one PD/SW/FW to another, there is an inherited limiting factor on the "effectiveness" of a Trojan Horse implanted in anti-electronic vandalism tools.

Furthermore, the code hiding the logic bomb will have to persist in a large number of unknown user configurations. Look at the new WDEF virus on the Mac. It is simply incompatible with the new Mac IIci, and it doesn't like the IIcx or any Mac with 8M of RAM that much either.
I would worry much more about the following, "Theorem 6": As the trend towards open systems continues, where a given programming environment can exist over several platforms (examples: Smalltalk/V under the Mac OS and Presentation Manager, X-Windows, etc.), instances of machine-dependent vandalism will decrease, and environment-dependent vandalism (example: the Dukakis HyperCard virus) will increase. The power of the specific machine's operating system will be easier to access through these programming environments, opening up these systems to a larger number of people, and consequently to a larger number of vandals.
Nagle@cup.portal.com (12/26/89)
Back in the 1970s, when I was working on secure operating systems, I never dreamed that the day would come when there would be twenty five million computers in the world running without memory protection. And it's going to get worse. New and interesting programmatic objects are coming into being. Attacks need not be through object programs. Already, there have been attacks via mail, and via text files editable by GNU EMACS. But this is just the beginning.

- PostScript is a programming language. Trojan horses could be embedded in PostScript files. While attacking a printer isn't all that productive, Display PostScript offers more tempting targets.

- A FAX message is a bitstream interpreted by an interpreter at the receiving end. Could it be induced to do something interesting through the use of illegal bit patterns? Group III is probably too simple to be attacked, but group IV? Imagine a message which causes a FAX machine to send an extra copy of transmitted documents to another location.

- Network transmittable C++ objects are being developed. Security doesn't seem to be mentioned. This has promise.

- Multi-media electronic mail offers new avenues of attack.

The basic problem is that the transmission of programmatic objects is on the increase, and anything interpreted at the receiving end is potentially a means of attack. I predict that this will grow to a moderately serious problem in the 1990s.

John Nagle
dmg@retina.mitre.org (David Gursky) (12/26/89)
> To: dmg@retina.mitre.org
> Date: Fri, 22 Dec 89 19:13:24 -0500
> From: denbeste@BBN.COM
>
> One of the best-known and best researched anti-viral programs for the Amiga
> is VirusX by Steve Tibbetts. A few months ago a new version of this program
> began appearing which was really a trojan. It got rather wide distribution
> before anyone noticed that Tibbetts hadn't really written it. Since that
> time, Tibbetts no longer publishes his source code when he releases a new
> version.
>
> In other words: The prediction you didn't like was really true; it already
> came about!

Oops! Minor omission on my part. I neglected to include in my comment about the authors being well known that they should be easily and widely reachable! There is also the underlying presumption in my message that a new release is confirmed from the author before publication of the application.
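The VirusX exchange above turns on whether a new release really came from the author. One way a distributor or user can make that confirmation mechanical is sketched below; this is an added example, not code from any poster or from VirusX itself. It assumes the author publishes a digest manifest through a channel the author controls (a personal posting or mail, separate from the archive sites that mirror the release); the manifest layout, the file names and the file contents are all constructed for the illustration. A release is refused if any listed file is missing or altered, or if it carries a file the author never listed.

```python
"""Check a downloaded release against the author's published digest
manifest before it is installed or passed on.  Added illustration for the
VirusX exchange; not code from any poster or from VirusX.  Assumption: the
author publishes the manifest through a channel they control, separate
from the archive sites that mirror the release."""
import hashlib
import hmac
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> str:
    """Render the manifest text an author would publish: one '<sha256>  <name>'
    line per file, the layout sha256sum(1) uses."""
    return "".join(f"{sha256_hex(d)}  {n}\n" for n, d in sorted(files.items()))


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse manifest lines into {name: hex digest}; blank and # lines are skipped."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify_release(files: Dict[str, bytes], manifest_text: str) -> Tuple[bool, List[str]]:
    """Return (ok, problems).  Rejects a release if a listed file is missing or
    altered, or if it carries a file the author never listed (a look-alike that
    adds a loader fails here even when every listed file still matches)."""
    expected = parse_manifest(manifest_text)
    problems = []
    for name in sorted(set(expected) | set(files)):
        if name not in files:
            problems.append(f"missing: {name}")
        elif name not in expected:
            problems.append(f"not in author's manifest: {name}")
        elif not hmac.compare_digest(sha256_hex(files[name]), expected[name]):
            problems.append(f"digest mismatch: {name}")
    return (not problems, problems)


# Constructed sample release; file contents are placeholders, not real software.
GENUINE_RELEASE = {
    "VirusX": b"program image (constructed placeholder)",
    "VirusX.doc": b"release notes (constructed placeholder)",
}
# Stands in for the copy of the manifest obtained from the author out of band.
AUTHOR_MANIFEST = build_manifest(GENUINE_RELEASE)

# Constructed look-alike: program image altered and an extra file slipped in.
TAMPERED_RELEASE = {
    "VirusX": GENUINE_RELEASE["VirusX"] + b" + bytes the author never wrote",
    "VirusX.doc": GENUINE_RELEASE["VirusX.doc"],
    "VirusX.cfg": b"file the author never shipped (constructed)",
}

if __name__ == "__main__":
    for label, rel in (("genuine", GENUINE_RELEASE), ("tampered", TAMPERED_RELEASE)):
        ok, problems = verify_release(rel, AUTHOR_MANIFEST)
        print(label, "accepted" if ok else "rejected", problems)
```

The check is only as strong as the manifest channel: a digest list fetched from the same archive as the release proves nothing, and if the author's channel itself can be forged, a signature from a key the author is known to hold is needed rather than a bare hash list.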
ches@research.att.com (01/03/90)
> 2. The press speculation about the DATACRIME virus was much more
> damaging than the virus.

I don't think so. True, the general public was alarmed out of proportion to the threat. But I suspect the press coverage encouraged a lot of people to back up machines that hadn't been backed up. This is good because

> 1. The amount of damage to data and availability done by viruses to date
> has been less than users do to themselves by error every day.

is undoubtedly true, and those crashed hard disks have to be reloaded from someplace.

Bill Cheswick
ches@research.att.com
34AEJ7D@CMUVM.BITNET (W. K. (Bill) Gorman) (01/03/90)
>> 2. The press speculation about the DATACRIME virus was much more
>> damaging than the virus.
>
>I don't think so.

I wonder how much such media slobbering tended to encourage subsequent atrocities, such as the AIDS diskette? Quite a bit, I suspect.
ras@rayssdb.ssd.ray.com (Ralph A. Shaw) (01/05/90)
Nagle@cup.portal.com says:
> - A FAX message is a bitstream interpreted by an interpreter at
> the receiving end. Could it be induced to do something interesting
> through the use of illegal bit patterns? Group III is probably too
> simple to be attacked, but group IV? Imagine a message which
> causes a FAX machine to send an extra copy of transmitted documents
> to another location.

Something that has come to the attention of security paranoids here lately is that some manufacturers of PC FAX boards have added a feature that allows the FAX modem to be used as a bisync modem to communicate with the PC directly, rather than transmitting just FAXes.

I assume the PC would have to be running some software to enable it and reassign the console (requiring local intervention), but a networked PC could then prove to be a leak onto the corporate network (or at least, for handy distribution of the Trojan-of-the-month program). Added to this is the promise that at least one FAXboard vendor promises that both async and bisync modem capability will be available in the future.

I don't have the details of which boards provide this "feature", or of what functionality is really there via this inboard modem and accompanying software, but will pass on any other details I can ferret out.

--
Ralph Shaw
ras@rayssd.ray.com
kelly@uts.amdahl.com (Kelly Goen) (01/06/90)
ras@rayssdb.ssd.ray.com (Ralph A. Shaw) writes:
>Nagle@cup.portal.com says:
>
>> - A FAX message is a bitstream interpreted by an interpreter at
>> the receiving end. Could it be induced to do something interesting
>> through the use of illegal bit patterns? Group III is probably too
>> simple to be attacked, but group IV? Imagine a message which
>> causes a FAX machine to send an extra copy of transmitted documents
>> to another location.
>
>Something that has come to the attention of security paranoids here
>lately is that some manufacturers of PC FAX boards have added a
>feature that allows the FAX modem to be used as a bisync modem to
>communicate with the PC directly, rather than transmitting just FAXes.
>
>I assume the PC would have to be running some software to enable it
>and reassign the console (requiring local intervention), but a
>networked PC could then prove to be a leak onto the corporate network,
>(or at least, for handy distribution of the Trojan-of-the-month program).
>Added to this is the promise that at least one FAXboard vendor
>promises that both async and bisync modem capability will be available
>in the future.

I would have clipped more of this, but this is a complex subject that merited serious consideration, unlike the infamous modem virus scare of 1988.... Actually, while a receiving process has to be available on the machine to be infected (i.e. either the legitimate file transfer program or a masquerading process using this as a means to load further extensions of itself)... the important point to remember here is that G-3 and G-4 fax formats are, from what some of the techs have told me on alt.fax, internally modified dialects of HDLC, so in this case it is possible that a sufficiently sophisticated infectious process could use this as a pipeline to load further updates to code... (i.e. new ways to defeat anti-viral nostrums). I will post ISBN numbers on the protocol definitions when they finally arrive... as to whether this is a probable scenario... who knows.

cheers
kelly

p.s. As I don't want to cause anyone unnecessary worry, let me remind all once again that a receiving process HAS to be on the receiving machine; if it is not the legitimate File XFER program then it is illegitimate in any case.... The point that I am trying to clarify is that while an infectious process could use this as a conduit to an ALREADY EXISTING infected host... unless there is a way to force execution of the received code, then your virus will lay dormant (i.e. nonexecutable) because of some fax type file extension on MS-DOS... typically something like .FAX .PIC .PCX etc.... get the picture??? On *nix type systems the problems faced by the theoretical COMPUTER/FAX-MODEM infectious process are simpler in some ways but require even more cooperation from receiving processes...
woody@rpp386.cactus.org (Woodrow Baker) (01/07/90)
Nagle@cup.portal.com says:
> - A FAX message is a bitstream interpreted by an interpreter at
> the receiving end. Could it be induced to do something interesting
> through the use of illegal bit patterns?

Now that hard disks are available on PostScript printers, we have another problem. It is conceivable to embed a virus, or a trojan, in a font. If the font were encrypted, it would be mighty hard to hunt the virus down. It could conceivably alter fonts on the hard disk, screw up font cache images, and/or plain crash the hard disk. It would, however, be difficult for it to infect other systems, unless one retrieves a contaminated file and sends it to another laser printer. The potential for abuse also exists in prologues. I have not seen or heard of one yet, but now is the time to give some thought to how to prevent them BEFORE they start getting out of hand.

Cheers
Woody

p.s. Some of the new VIDEO cyphers are viruses of a sort. They play with the signal to screw up VCRs, messing with the Automatic Gain Control among other things. If someone manages to overcome them and make a copy of the tape, the messed-up signal could sort of take on viral properties, though they would not do any damage.
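Woody's point that code can hide inside an encrypted font is checkable on the sending side, before a font or prologue is spooled to a printer that has a hard disk. The scanner below is an added example, not code from any poster: it separates the clear part of a font from its Type 1 eexec section, decrypts that section with the published eexec scheme (r = 55665, c1 = 52845, c2 = 22719, four leading padding bytes), and reports executable uses of PostScript file-system operators in either part. The operator list, the toy font the code builds for itself and the scan policy are assumptions for the illustration; comments and strings are skipped so a mention in a notice string does not trigger.

```python
"""Scan a PostScript font or prologue for file-system operators before it is
sent to a printer with a hard disk.  Added illustration, not code from the
thread.  Assumptions: SUSPECT_OPS is a small hand-picked policy list, and the
eexec section is decrypted with the standard Type 1 scheme so it can be
inspected instead of passed through opaque."""
import re

EEXEC_R, EEXEC_C1, EEXEC_C2 = 55665, 52845, 22719   # Type 1 eexec constants
SUSPECT_OPS = {"file", "deletefile", "renamefile", "run"}  # assumed policy list
_NAME = re.compile(rb"[^\s{}\[\]/()<>%]+")


def eexec_decrypt(data: bytes) -> bytes:
    """Standard eexec decryption; the first 4 plaintext bytes are random padding."""
    r, out = EEXEC_R, bytearray()
    for c in data:
        out.append(c ^ (r >> 8))
        r = ((c + r) * EEXEC_C1 + EEXEC_C2) & 0xFFFF
    return bytes(out[4:])


def eexec_encrypt(plain: bytes, pad: bytes = b"\0\0\0\0") -> bytes:
    """Inverse of eexec_decrypt; used here only to build the constructed sample."""
    r, out = EEXEC_R, bytearray()
    for p in pad + plain:
        c = p ^ (r >> 8)
        out.append(c)
        r = ((c + r) * EEXEC_C1 + EEXEC_C2) & 0xFFFF
    return bytes(out)


def executable_names(ps: bytes) -> list:
    """Executable name tokens, skipping %comments, (strings), <hex> and /literal
    names.  Caveat: a /literal later made executable with cvx or load is not
    caught by this single pass."""
    i, n, out = 0, len(ps), []
    while i < n:
        ch = ps[i:i + 1]
        if ch == b"%":                                   # comment to end of line
            j = ps.find(b"\n", i)
            i = n if j < 0 else j + 1
        elif ch == b"(":                                 # string; parens nest
            depth, i = 1, i + 1
            while i < n and depth:
                c = ps[i:i + 1]
                if c == b"\\":
                    i += 1
                elif c == b"(":
                    depth += 1
                elif c == b")":
                    depth -= 1
                i += 1
        elif ps[i:i + 2] in (b"<<", b">>"):              # dictionary delimiters
            i += 2
        elif ch == b"<":                                 # hex string
            j = ps.find(b">", i)
            i = n if j < 0 else j + 1
        elif ch == b"/":                                 # literal name, not executed
            m = _NAME.match(ps, i + 1)
            i = m.end() if m else i + 1
        else:
            m = _NAME.match(ps, i)
            if m:
                out.append(m.group().decode("latin-1"))
                i = m.end()
            else:
                i += 1
    return out


def scan_font(font: bytes) -> dict:
    """Suspect operators in the clear part and in the decrypted eexec part."""
    report = {"clear": [], "eexec": [], "eexec_present": False}
    idx = font.find(b"eexec")
    clear = font if idx < 0 else font[:idx]
    report["clear"] = sorted({t for t in executable_names(clear) if t in SUSPECT_OPS})
    if idx >= 0:
        report["eexec_present"] = True
        body = font[idx + 5:].lstrip(b" \t\r\n")
        end = body.find(b"cleartomark")                  # Type 1 trailer marker
        if end >= 0:
            body = body[:end]
        if all(c in b"0123456789abcdefABCDEF" for c in body[:4]):   # hex form
            body = bytes.fromhex(b"".join(body.split()).decode("ascii"))
        plain = eexec_decrypt(body)
        stop = plain.find(b"closefile")                  # encrypted part ends here
        if stop >= 0:
            plain = plain[:stop]
        report["eexec"] = sorted({t for t in executable_names(plain) if t in SUSPECT_OPS})
    return report


def build_sample_font(private_section: bytes) -> bytes:
    """Assemble a toy Type 1-style font (constructed; not a real font)."""
    hx = eexec_encrypt(private_section).hex().encode("ascii")
    lines = b"\n".join(hx[i:i + 64] for i in range(0, len(hx), 64))
    return (b"%!PS-AdobeFont-1.0: ToyFont (constructed sample)\n"
            b"/FontName /ToyFont def\n"
            b"/Notice (deletefile named only inside this string) readonly def\n"
            b"currentdict end\ncurrentfile eexec\n" + lines + b"\n"
            + (b"0" * 64 + b"\n") * 8 + b"cleartomark\n")


# Constructed private sections: one ordinary, one touching the printer's disk.
BENIGN_PRIVATE = b"dup /Private 8 dict dup begin /RD {string currentfile exch readstring pop} executeonly def end mark currentfile closefile\n"
HOSTILE_PRIVATE = b"dup /Private 8 dict dup begin (%disk0%fonts/Helvetica) deletefile end mark currentfile closefile\n"

if __name__ == "__main__":
    for label, priv in (("benign", BENIGN_PRIVATE), ("hostile", HOSTILE_PRIVATE)):
        print(label, scan_font(build_sample_font(priv)))
```

The decryption step is what makes the check worth running: without it an encrypted section is exactly the blind spot Woody describes. The tokenizer is deliberately conservative (it only reports names that are executed directly), so a hit is worth a look while a clean report is not a guarantee.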
geof@aurora.com (Geoffrey H. Cooper) (01/09/90)
ras@rayssdb.ssd.ray.com (Ralph A. Shaw) writes:
>Nagle@cup.portal.com says:
>
>> - A FAX message is a bitstream interpreted by an interpreter at
>> the receiving end. Could it be induced to do something interesting
>> through the use of illegal bit patterns?

One annoying thing you can do is to spew out paper from the remote fax. The protocol allows the paper length to be anything up to (I think) 65K lines or so, so you could spew out 25' of paper at a time, finishing the receiver's roll of paper and so rendering it useless. Note that it doesn't take much time to transmit this image, if it is totally white or black.

- Geof
--
geof@aurora.com / aurora!geof@decwrl.dec.com / geof%aurora.com@decwrl.dec.com