LUKEN@IBM1.CC.Lehigh.EDU (The Moderator Kenneth R. van Wyk) (05/12/89)

VIRUS-L Digest   Friday, 12 May 1989   Volume 2 : Issue 113

Today's Topics:

Re: "Insecure" INIT.... (Mac)
InsecureINIT... (Mac)
Invisibility as a defense mechanism...
More on the SYS command (PC) / System complexity
POSSIBLE NEW (MAC) ATTACK VIRUS
Yet another virus? (Mac)
The only good virus is a dead one
SecureINIT - The last word (Mac)

---------------------------------------------------------------------------

Date: Wed, 10 May 1989 16:17:24 CDT
From: Werner Uhrig <werner@rascal.ics.UTEXAS.EDU>
Subject: Re: "Insecure" INIT.... (Mac)

RE: warnings regarding Secure-INIT

After MASH looked at the initial version and found it so utterly flawed (even dangerous), I removed it from the public archives on RASCAL (but kept it in the MASH archives). We have since received version 1.5 and a confirmation from our Swiss member, Danny Schwendener, that the authors are "for real" and, generally, reputable people (i.e. no intentional destructive code), but I have decided to only make 1.5 available to MASHers and, until I hear something good about the thing, I will not make it public and recommend against it.

Given the authors' announcement that version 2.0 is going to be commercial, I suspect the authors called earlier versions release 1.x to get people to debug the thingy for them.

Dump it, I say.

------------------------------

Date: Wed, 10 May 89 22:14:52 EDT
From: dmg@mwunix.mitre.org
Subject: InsecureINIT... (Mac)

I suppose it is reassuring that SecureINIT was indeed written by "reputable" people; I'm no longer worried that some of the people in DC have had a very clever and subtle virus infect their systems (or I should say I am far less worried about this possibility).

I do find it disturbing that "reputable" authors would let the general public do their debugging for them. While consumer feedback can give authors valuable information, giving consumers a product that fails even the most rudimentary tests is a disgrace to those authors.

Well, SAM should be on the shelves soon, and the beta testers I've spoken with are impressed with it. Let SecureINIT eat cake. Or SAM's dust, as the case may be...

David

------------------------------

Date: Wed, 10 May 89 22:27:22 EDT
From: dmg@mwunix.mitre.org
Subject: Invisibility as a defense mechanism...

Recently, Frank O'Dwyer (FMODWYER@cs.tcd.ie) [Auth: Is there some way we can easily distinguish which net these addresses come off of?] questioned my assertion that making Macintosh INITs invisible is practical. Actually, I don't know.

First off, I misspoke through a generalization. In order to fool a potential intruder as to the presence of Vaccine (which is not really an INIT, it is a cdev), I turned off the option that causes the Vaccine icon to be displayed at startup, and made the file invisible in the system folder. Vaccine still installs itself (I checked). Now whether this works for INITs, I honestly don't know.

I'm also not sure what is gained by making something like Vaccine invisible, but it seems like an easy and cheap thing to do to enhance the security of a Mac.

David Gursky
Member of the Technical Staff, W-143
Special Projects Department
The MITRE Corporation

------------------------------

Date: 11 May 1989, 08:54:17 EDT
From: David M. Chess <CHESS@YKTVMV.BITNET>
Subject: More on the SYS command (PC) / System complexity

> The SYS command will remove all floppy based boot viruses
> and all HD based boot viruses except the Australian (Stoned).

Make that "all HD based boot viruses *that we know of* except..." and I'll finally shut up! *8) There are probably other master-boot-record infectors out there lurking... (I know that's what you meant.) The only point I was really trying to make is that, for sites that don't have the CVIA's detailed toolkit or equivalent, relying completely on the SYS command to deal with a hard-disk boot virus isn't safe (as you point out).

The larger point here, and it applies to all computers, not just PCs or micros in general, is that computing systems (even here in the primitive 1980's) are terribly complex things, and it's very easy to forget (or forget to mention) all the possible places a virus can get into. Something for both virus fighters and system designers to keep in mind!

All sweetness and light,
DC

------------------------------

Date: Thu, 11 May 89 08:15:11 PDT
From: rogers@marlin.nosc.mil (Rollo D. Rogers)
Subject: POSSIBLE NEW (MAC) ATTACK VIRUS

Info is a bit sketchy, I would say.

[Ed. A couple of "forwardings" deleted...]

Original-Date: Tue, 9 May 1989 23:13-EDT
Original-From: Michael.Mills@B.GP.CS.CMU.EDU

i thought i'd try asking you first since you've been of great help to us in csd. a large local company has been afflicted with a macintosh virus over the past few days which apple claims to have never seen before. it evades cleanup with Disinfectant 1.1. it apparently affects the resource fork of various files in the system folder which disallows the system to access its pointers. the result is that you can't throw these away and the memory remains allocated. this beastie has also randomly destroyed various personal folders. they found no pattern in what was missing; they also found no new mysterious files. no other major clues.

thanks,
mike

------------------------------

Date: Thu, 11 May 89 15:26:48 PST
From: Donna Reynolds <DR9021@UCSFVM.UCSF.EDU>
Subject: Yet another virus? (Mac)

The University of California, San Francisco Computer Center currently is experiencing a rash of virus-like problems, in particular when MacDraw is in use. The problems have suddenly appeared on three separate machines, each of which is running its own registered copy of MacDraw. We've run both Interferon and Virus Rx against these machines, and neither reports any problems. Still, problems exist.

We don't know at this time whether these difficulties are virus-induced, but thought we'd query the net to see if anyone else has experienced similar problems. (We are cross-posting this notice to comp.sys.mac.)

We are experiencing the symptoms listed below. Please note this is a cumulative symptoms list. No one machine currently is exhibiting *all* symptoms.

Symptoms:

- System Errors 02 and 03 when loading and printing from MacDraw I and II
- On restart, a file named "EIYBSKJTNX" appears in the folder containing the MacDraw application.
- MacDraw file creation times converted to garbage characters
- MacDraw program malfunctions - for example, when using the text tool to select text, the block of text actually selected is not (and is quite distant from) the text we were attempting to select.
- MacDraw screen displays incomplete - for example, the elevator bars are missing.
- System re-install fails until MacDraw is deleted from the disk.

To repeat, these problems have shown up on three separate machines running three separate copies of MacDraw - all of which have been in use for a minimum of six months.

Any suggestions? Our most sincere thanks for your time and attention.

Donna Reynolds
Senior Editor
UCSF Computer Center
BITNET: dr9021@ucsfvm
INTERNET: dr9021@ucsfvm.ucsf.edu

------------------------------

Date: Thu, 11 May 89 23:49:56 pdt
From: well!odawa@lll-winken.llnl.gov (Michael Odawa)
Subject: The only good virus is a dead one

In VIRUS-L 2-112, Allan Pratt mentioned the possibility of back door neutralizers and other methods of disarming a potentially "beneficial" virus which might unintentionally run amuck, contending,

> you can deliberately code in an easy way to kill the thing, such as the
> presence of a file with a certain name, or a certain magic number in a
> cookie someplace in RAM.

While these methods might be useful in containing the damage done by some experiment run wild, they are less than sufficient to justify intentional release of viral code, because in the event of bugs discovered after the code has been set loose, they do not restore us to the condition we were in prior to its release.

Again, let me restate what should be obvious: Viral propagation is an extremely dangerous technique. We do not need intentional viruses running through the computing networks. We can protect ourselves adequately without them.

Thus, again, The only good virus is a dead one.

Michael Odawa
Software Development Council
odawa@well.uucp

------------------------------

Date: Thu, 11 May 89 04:16 GMT
From: <SEKRETAR@CZHETH5A.BITNET>
Subject: SecureINIT - The last word (Mac)

I think I'll have to put my bit of salt in at this point. I won't comment on the user interface or the (buggy) code. But I have the strong impression that some of the people out there think the code is purposefully malevolent. It isn't, but it is very delicate in practical use.

The purpose of SecureINIT is *not* to protect against viruses (which it doesn't anyway - against the claims of the authors), but to help out those poor guys in the universities who have to look after the public Macs. Those of you who are in charge of student Macs know that you don't get around to reformatting all hard disks on a regular basis, because they get cluttered up with junk files, multiple system folders, etc. In small labs, performing this task once or twice per week can be considered realistic, but in places like the ETH, where you have several rooms with hundreds of Macs, it becomes quite a burden.

I have often thought about how great it would be to have a program which automatically cleans up the hard disks every evening, leaving them in the very same state as they were in the morning, removing the CDEVs, INITs, applications and documents which have been left there by the students, and replacing the current system by a fresh copy.

SecureINIT is not a protection against malevolent actions on the student computers, as it is fairly easy to bypass the protections if you have some knowledge of Macintosh Resources. But it is a good garbage collector - well, it will be in a future bug-free version, I hope. According to P. Guberan, the first version which was uploaded to CompuServe (1.3 I think) was a beta, although it rather looked like an alpha to me.

One important thing to know is that SecureINIT is *NOT A PROTECTION AGAINST VIRUSES*. Installing the program on your public Macs is not sufficient to protect your people from getting infected. You still have to use one or a combination of the existing virus detection tools. A trap watcher (Gatekeeper, Vaccine) is fine; a trap watcher *and* a regular check with a disk browser (Disinfectant, VirusDetective) is better.

One last thing - I am not related to the authors of the program. I'm not even a test site. Due to my geographical vicinity, I was asked to contact them, and to clear up the questions raised in MacMASH and on Virus-L.

-- Danny Schwendener
-- ETH Macintosh Support, ETH-Zentrum m/s PL, CH-8092 Zuerich
-- Bitnet : macman@czheth5a      UUCP : {cernvax,mcvax}ethz!macman
-- Ean : macman@ifi.ethz.ch      Voice : yodel three times

------------------------------

End of VIRUS-L Digest
*********************
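The nightly "garbage collector" Danny Schwendener describes above, and the unexplained file and altered MacDraw copies in Donna Reynolds's report, both come down to the same defensive primitive: a known-good snapshot of a machine and a comparison against it. The following is an added example, not code from the digest, from SecureINIT or from any tool named in it. It keeps a manifest of file digests for a directory tree, reports what was added, removed or modified since the snapshot, and can put the tree back to a golden copy. It works at the level of ordinary files (it knows nothing about HFS resource forks or System 6 INITs), and every path and file content in it is constructed inside a temporary directory.

```python
"""Added example (not from the digest or from SecureINIT): a baseline
manifest for a shared lab machine.  Snapshot once, detect drift later,
and optionally restore the tree from a golden copy kept elsewhere.
All paths and file contents below are constructed in a temp directory."""
import hashlib
import os
import shutil
import tempfile


def _sha256(path):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = _sha256(full)
    return manifest


def diff_manifests(baseline, current):
    """Return sorted lists of added, removed and modified relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def restore_from_baseline(golden_root, target_root):
    """Make target_root match golden_root: delete extras, recopy changed
    or missing files.  Returns the drift report that was acted on."""
    report = diff_manifests(build_manifest(golden_root), build_manifest(target_root))
    for rel in report["added"]:
        os.remove(os.path.join(target_root, rel))
    for rel in report["removed"] + report["modified"]:
        src = os.path.join(golden_root, rel)
        dst = os.path.join(target_root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
    return report


def demo():
    """One simulated day in a public lab: snapshot, drift, detect, restore.
    Returns (drift_report, report_after_restore)."""
    with tempfile.TemporaryDirectory() as tmp:
        golden = os.path.join(tmp, "golden")   # pristine image, kept off the lab machine
        lab = os.path.join(tmp, "lab")         # the machine students actually use
        os.makedirs(os.path.join(golden, "System Folder"))
        with open(os.path.join(golden, "System Folder", "System"), "wb") as f:
            f.write(b"constructed system file contents")
        with open(os.path.join(golden, "MacDraw"), "wb") as f:
            f.write(b"constructed application contents")
        shutil.copytree(golden, lab)
        baseline = build_manifest(lab)

        # Drift during the day: an INIT left behind, a stray file beside the
        # application (name taken from the digest), and the application altered.
        with open(os.path.join(lab, "System Folder", "SomeINIT"), "wb") as f:
            f.write(b"left behind by a student")
        with open(os.path.join(lab, "EIYBSKJTNX"), "wb") as f:
            f.write(b"unexpected")
        with open(os.path.join(lab, "MacDraw"), "ab") as f:
            f.write(b" altered")

        drift = diff_manifests(baseline, build_manifest(lab))
        restore_from_baseline(golden, lab)
        after = diff_manifests(baseline, build_manifest(lab))
        return drift, after


if __name__ == "__main__":
    drift, after = demo()
    print("drift detected:", drift)
    print("after restore:", after)
```

Two points follow from the digest itself. The golden copy and the baseline manifest must live somewhere the lab users cannot write, or a tampered machine can simply rewrite its own "known good" state. And, as Schwendener says of SecureINIT, this is garbage collection, not virus protection: it tells you that MacDraw changed, not why, so a trap watcher and a regular scan are still needed alongside it.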