[comp.virus] AIDS TROJAN RESEARCH

IA96@PACE.BITNET (IA96000) (12/18/89)

I have been asked to pass this message along to VIRUS-L and VALERT-L
by the fine people at SWE who have been hard at work researching the
AIDS problem. I pass this message along unmodified exactly as it was
received from SWE.

             AIDS "TROJAN" DISK UPDATE - DECEMBER 17, 1989

First, let us say for the record that everything reported so far by
Mr. McAfee is correct. Our tests bear out the results he has obtained.

Having followed the messages and updates so far, and after conducting
extensive tests, SWE has no doubt that there is more than one version
of the "trojan" disk in circulation. In certain aspects, the two AIDS
"trojan" disks we are testing act differently. One has a counter in it
and one activates on the first re-boot!

SWE has been working 24 hours a day since we received copies of the
AIDS disks. Let me clarify that statement. We did not receive these in
the mail directly from the "trojan" authors. We received our copies
from two of our clients.

The suspicion that some form of encryption is being used is accurate.
The versions of the disks we tested check the following criteria:

1) The version of DOS in use. Both major and minor numbers are used.
   The major number would be 3 and the minor number would be .30 in
   DOS version 3.30.

2) The file length, date and time stamp of certain files are checked.

3) The amount of total disk space and free disk space are checked.

These three items are then combined and processed into the "initial"
encryption key.

A form of public key encryption is then used to perform the actual
encryption. This was determined by the brute force decryption method.
SWE has several 80486's and access to a VAX and they were put to work
decrypting the files. It was made easier by the fact that the original
contents of the test disk were known. One nasty little trick the AIDS
"trojan" uses is that after each file is encrypted the encryption key
is modified slightly.

Fortunately, the authors did not use a long encryption key. Files
encrypted using the public key protocol become harder to decipher as
the length of the encryption key increases. Government studies
indicate that a file encrypted using this protocol, with a 200 digit
key could take as long as ten (10) years to decrypt, if you devoted a
CRAY exclusively to the problem!

SWE first suspected and tested for the public key encryption method
for several reasons. The major reason was the lack of access people
outside of the United States would have to the DES encryption formula.

For those not aware, the U.S. Government guards the DES formula, and
software which makes use of this formula may not be exported out of
the United States. Should it turn out that the DES formula was also
used, the authors of the AIDS "trojan" could possibly be prosecuted
under United States statutes pertaining to national security.

The second reason deals with the DES encryption method. Students of
cryptology are well aware that the DES formula has been considered
vulnerable for some time now. It is also a well known fact that DES
specific processors have been produced, which make "cracking" a DES
encrypted file much easier than the public key method. The DES method
also limits to a greater degree the length of the encryption key.

Combining these two reasons along with the extraordinary expense the
authors of the AIDS "trojan" went to, we guessed that they would also
use a "first class" encryption method.

It also makes sense from another point of view. Since the "trojan"
authors have gone to great care and expense, it seems prudent they
would not want to use an encryption method which could easily be
copied and distributed as a "master" cure all. Public key encryption
is perfect in this regard. Many different versions of DOS are now
in use, and depending upon the version of DOS in use and other factors
the "trojan" checks for, the decryption methods which must be used
will vary for different "trashed" disks.

This is not to say that other copies of the AIDS "trojan" will use
this same encryption method, or create the encryption keys in the same
manner. That is yet to be determined!

Once we were able to decipher one file, it was a relatively simple
matter to decipher the rest. We have been able to completely restore a
disk trashed by this version of the AIDS "trojan".

SWE went about this research in a different manner than everyone else.
We have not reverse engineered the "trojans" to any great extent, nor
do we plan to do so. This is best left to Mr. McAfee and the other
experts.

It is our considered opinion that Quick Basic along with several
machine language modules were used to develop these "trojans". Reverse
engineering a Quick Basic program along with the libraries included at
link time produces huge amounts of code.

As far as releasing the "fixes", not enough is yet known by SWE to be
able to provide a substantial program. We need more information about
how many versions of the AIDS "trojan" are in circulation, as well as
samples of these for study. SWE has no intention of publicly releasing
a "fix" at this time or in the future.

It is our opinion that the best course SWE can take is to share our
knowledge with others who have the knowledge and experience to take
what we learned and investigate further.

To that end, SWE is willing to forget past differences with a specific
company and share our files as well as the "fixes" and our knowledge
on cryptology with them, for the good of the computing community. If
they are interested, leave a public message on your BBS in the virus
SIG. Some type of agreement can be reached if you are interested in
doing so!

The opinions and statements expressed herein are those of SWE. These
are based on research done on two copies of the AIDS "trojan" disk we
have tested. Findings produced by other people working on this problem
may agree, vary, or contradict our findings. So be it! SWE is not
competing with anyone else working on this problem. We present this
information solely to acquaint the computing community with the details
we have discovered so far.

The information contained in the message above was supplied by the
people at SWE, who have postponed their vacation closing to conduct
research into the AIDS problem.

It is my opinion that everyone should band together on this one! The
AIDS disk seems to be very complicated and it will probably take the
combined knowledge of everyone working on this disaster to come up
with a solution.
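Added illustration (not code from the thread, from SWE, or from the trojan): a model of the key-derivation scheme the SWE message describes (DOS version, file length and date/time stamp, total and free disk space combined into an "initial" key that is modified after every file), with a hypothetical hash-based combination step and a plain XOR stream standing in for the unnamed cipher. It shows why a key derived from such machine-observable values is enumerable by known-plaintext search, which is the position the message puts itself in when it says the test disk's original contents were known; the candidate ranges are constructed, not measured.

```python
import hashlib
import itertools
from dataclasses import dataclass

@dataclass(frozen=True)
class Environment:  # machine-observable values the message says feed the key
    dos_major: int
    dos_minor: int
    file_len: int    # length of one "certain file"
    file_stamp: int  # its DOS date/time, packed into one int
    total_kb: int    # total disk space
    free_kb: int     # free disk space

def derive_initial_key(env: Environment) -> bytes:
    # Hypothetical combination step: hash the six fields into a 16-byte key.
    material = (f"{env.dos_major}.{env.dos_minor}:{env.file_len}:"
                f"{env.file_stamp}:{env.total_kb}:{env.free_kb}").encode()
    return hashlib.sha256(material).digest()[:16]

def next_key(key: bytes) -> bytes:
    # "after each file is encrypted the encryption key is modified slightly"
    return hashlib.sha256(key).digest()[:16]

def xor_stream(data: bytes, key: bytes) -> bytes:
    # Stand-in cipher; the message never identifies the actual one.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def crypt_disk(files, initial_key):
    # One loop serves both directions (XOR); the key advances per file.
    key, out = initial_key, []
    for name, content in files:
        out.append((name, xor_stream(content, key)))
        key = next_key(key)
    return out

def candidate_environments(file_len, file_stamp):
    # Analyst-enumerable ranges (constructed): common DOS versions, typical 1989 drive sizes, free space in 512 KB steps.
    dos_versions = [(2, 10), (2, 11), (3, 0), (3, 10), (3, 20), (3, 30), (4, 0), (4, 1)]
    disk_sizes_kb = [10240, 20480, 32768, 40960]
    for (maj, mn), total in itertools.product(dos_versions, disk_sizes_kb):
        for free in range(0, total + 1, 512):
            yield Environment(maj, mn, file_len, file_stamp, total, free)

def recover_key(first_ciphertext, known_plaintext, candidates):
    # Known-plaintext search; the test disk's original contents were known.
    for env in candidates:
        key = derive_initial_key(env)
        if xor_stream(first_ciphertext, key) == known_plaintext:
            return env, key
    return None
```

With these ranges the whole search space is 1,664 keys, so recovery is immediate; the point is the low entropy of the inputs, which holds no matter which cipher sits behind them.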

alonzo@uunet.uu.net (01/02/90)

>              AIDS "TROJAN" DISK UPDATE - DECEMBER 17, 1989
>
> First, let us say for the record that everything reported so far by
> Mr. McAfee is correct. Our tests bear out the results he has obtained.
>
> A form of public key encryption is then used to perform the actual
> encryption. This was determined by the brute force decryption method.
> SWE has several 80486's and access to a VAX and they were put to work
> decrypting the files. It was made easier by the fact that the original
> contents of the test disk were known. One nasty little trick the AIDS
> "trojan" uses is that after each file is encrypted the encryption key
> is modified slightly.

Can either of you shed some light on the above message?  It contains
serious contradictions with both itself and the statements of Mr.
McAfee with whom it purports to agree.

The comments about DES and public key encryption contained in the
above message are extremely confused.  All indication is that the AIDS
trojan does simple substitutions on file names.  The above message
claims that the entire disk is encrypted with a public key encryption
scheme.

My conclusion is that this message was not posted in good faith.  The
last thing anyone needs is this kind of purposeful misinformation.
This conclusion is supported by the claim that the so-called SWE
company has moved and "returned" their sample disks to the owners.

By associating yourselves with this nonsense, you have seriously impaired
your reputations.

sincerely,

Alonzo Gariepy
alonzo@microsoft