IA96@PACE.BITNET (IA96000) (12/18/89)
I have been asked to pass this message along to VIRUS-L and VALERT-L by the fine people at SWE who have been hard at work researching the AIDS problem. I pass this message along unmodified, exactly as it was received from SWE.

AIDS "TROJAN" DISK UPDATE - DECEMBER 17, 1989

First, let us say for the record that everything reported so far by Mr. McAfee is correct. Our tests bear out the results he has obtained.

Having followed the messages and updates so far, and after conducting extensive tests, SWE has no doubt that there is more than one version of the "trojan" disk in circulation. In certain aspects, the two AIDS "trojan" disks we are testing act differently. One has a counter in it and one activates on the first re-boot!

SWE has been working 24 hours a day since we received copies of the AIDS disks. Let me clarify that statement. We did not receive these in the mail directly from the "trojan" authors. We received our copies from two of our clients.

The suspicion that some form of encryption is being used is accurate. The versions of the disks we tested check the following criteria:

1) The version of DOS in use. Both major and minor numbers are used. The major number would be 3 and the minor number would be .30 in DOS version 3.30.

2) The file length, date and time stamp of certain files are checked.

3) The amount of total disk space and free disk space are checked.

These three items are then combined and processed into the "initial" encryption key. A form of public key encryption is then used to perform the actual encryption. This was determined by the brute force decryption method. SWE has several 80486's and access to a VAX and they were put to work decrypting the files. It was made easier by the fact that the original contents of the test disk were known. One nasty little trick the AIDS "trojan" uses is that after each file is encrypted the encryption key is modified slightly. Fortunately, the authors did not use a long encryption key.

Files encrypted using the public key protocol become harder to decipher as the length of the encryption key increases. Government studies indicate that a file encrypted using this protocol, with a 200 digit key, could take as long as ten (10) years to decrypt, if you devoted a CRAY exclusively to the problem!

SWE first suspected and tested for the public key encryption method for several reasons. The major reason was the lack of access people outside of the United States would have to the DES encryption formula. For those not aware, the U.S. Government guards the DES formula, and software which makes use of this formula may not be exported out of the United States. Should it turn out that the DES formula was also used, the authors of the AIDS "trojan" could possibly be prosecuted under United States statutes pertaining to national security.

The second reason deals with the DES encryption method. Students of cryptology are well aware that the DES formula has been considered vulnerable for some time now. It is also a well known fact that DES specific processors have been produced, which make "cracking" a DES encrypted file much easier than the public key method. The DES method also limits to a greater degree the length of the encryption key.

Combining these two reasons along with the extraordinary expense the authors of the AIDS "trojan" went to, we guessed that they would also use a "first class" encryption method. It also makes sense from another point of view. Since the "trojan" authors have gone to great care and expense, it seems prudent they would not want to use an encryption method which could easily be copied and distributed as a "master" cure all. Public key encryption is perfect in this regard. Many different versions of DOS are now in use, and depending upon the version of DOS in use and other factors the "trojan" checks for, the decryption methods which must be used will vary for different "trashed" disks.

This is not to say that other copies of the AIDS "trojan" will use this same encryption method, or create the encryption keys in the same manner. That is yet to be determined! Once we were able to decipher one file, it was a relatively simple matter to decipher the rest. We have been able to completely restore a disk trashed by the version of AIDS "trojan".

SWE went about this research in a different manner than everyone else. We have not reverse engineered the "trojans" to any great extent, nor do we plan to do so. This is best left to Mr. McAfee and the other experts. It is our considered opinion that Quick Basic along with several machine language modules were used to develop these "trojans". Reverse engineering a Quick Basic program along with the libraries included at link time produces huge amounts of code.

As far as releasing the "fixes", not enough is yet known by SWE to be able to provide a substantial program. We need more information about how many versions of the AIDS "trojan" are in circulation, as well as samples of these for study. SWE has no intention of publicly releasing a "fix" at this time or in the future. It is our opinion that the best course SWE can take is to share our knowledge with others who have the knowledge and experience to take what we learned and investigate further. To that end, SWE is willing to forget past differences with a specific company and share our files as well as the "fixes" and our knowledge on cryptology with them, for the good of the computing community. If they are interested, leave a public message on your BBS in the virus SIG. Some type of agreement can be reached if you are interested in doing so!

The opinions and statements expressed herein are those of SWE. These are based on research done on two copies of the AIDS "trojan" disk we have tested. Findings produced by other people working on this problem may agree, vary, or contradict our findings. So be it!

SWE is not competing with anyone else working on this problem. We present this information solely to acquaint the computing community with the details we have discovered so far.

The information contained in the message above was supplied by the people at SWE, who have postponed their vacation closing to conduct research into the AIDS problem. It is my opinion that everyone should band together on this one! The AIDS disk seems to be very complicated and it will probably take the combined knowledge of everyone working on this disaster to come up with a solution.
alonzo@uunet.uu.net (01/02/90)
> AIDS "TROJAN" DISK UPDATE - DECEMBER 17, 1989
>
> First, let us say for the record that everything reported so far by
> Mr. McAfee is correct. Our tests bear out the results he has obtained.
>
> A form of public key encryption is then used to perform the actual
> encryption. This was determined by the brute force decryption method.
> SWE has several 80486's and access to a VAX and they were put to work
> decrypting the files. It was made easier by the fact that the original
> contents of the test disk were known. One nasty little trick the AIDS
> "trojan" uses is that after each file is encrypted the encryption key
> is modified slightly.

Can either of you shed some light on the above message? It contains serious contradictions with both itself and the statements of Mr. McAfee with whom it purports to agree.

The comments about DES and public key encryption contained in the above message are extremely confused. All indication is that the AIDS trojan does simple substitutions on file names. The above message claims that the entire disk is encrypted with a public key encryption scheme.

My conclusion is that this message was not posted in good faith. The last thing anyone needs is this kind of purposeful misinformation. This conclusion is supported by the claim that the so-called SWE company has moved and "returned" their sample disks to the owners.

By associating yourselves with this nonsense, you have seriously impaired your reputations.

sincerely,
Alonzo Gariepy
alonzo@microsoft
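As an added illustration, not code from either post nor from any analysis of the AIDS disk: if file names were scrambled by one fixed per-character substitution, as the reply above asserts, then a handful of known name pairs (the kind of known plaintext the SWE note says it had) recover the table directly, and any character no known pair covered is left marked rather than guessed. The substitution table, its seed and every file name below are constructed for the example.

```python
import random
import string

# Characters a DOS 8.3 file name may contain in this illustration.
ALPHABET = string.ascii_uppercase + string.digits + "."


def make_secret_table(seed: int = 1989) -> dict:
    """Constructed stand-in for an unknown fixed substitution table."""
    shuffled = list(ALPHABET)
    random.Random(seed).shuffle(shuffled)
    return dict(zip(ALPHABET, shuffled))


def substitute(name: str, table: dict) -> str:
    """Apply a per-character substitution; unlisted characters pass through."""
    return "".join(table.get(ch, ch) for ch in name.upper())


def recover_table(pairs) -> dict:
    """Build the cipher->plain mapping from (plain, cipher) name pairs.

    Raises ValueError if two pairs disagree about one cipher character,
    i.e. the names were not produced by a single fixed substitution.
    """
    inverse = {}
    for plain, cipher in pairs:
        if len(plain) != len(cipher):
            raise ValueError(f"length mismatch: {plain!r} vs {cipher!r}")
        for p, c in zip(plain.upper(), cipher.upper()):
            if inverse.setdefault(c, p) != p:
                raise ValueError(f"conflict on {c!r}: {inverse[c]!r} vs {p!r}")
    return inverse


def recover_name(cipher: str, inverse: dict, unknown: str = "?") -> str:
    """Invert a name; characters never seen in a known pair stay marked."""
    return "".join(inverse.get(ch, unknown) for ch in cipher.upper())


def demo() -> dict:
    """Constructed run: common DOS file names serve as the known plaintext."""
    secret = make_secret_table()
    known = ["COMMAND.COM", "CONFIG.SYS", "INSTALL.EXE", "README.TXT"]
    inverse = recover_table([(n, substitute(n, secret)) for n in known])
    # NOTES.DOC is fully covered; AUTOEXEC.BAT contains U and B, which no
    # known name contains, so those two positions come back as "?".
    targets = ["NOTES.DOC", "AUTOEXEC.BAT"]
    return {t: recover_name(substitute(t, secret), inverse) for t in targets}


if __name__ == "__main__":
    for original, recovered in demo().items():
        print(f"{original:14s} -> {recovered}")
```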