tneff@bfmny0.BFM.COM (Tom Neff) (09/28/90)
It's true that freely exchanged executable binaries are a terrific
virus/Trojan vector. This is a lesson people in the PC world (well,
SOME people) learned a long time ago. The apparent convenience of
pre-compilation is so alluring that it obscures the risks.
That's one reason why distributing most binaries via Usenet news is a
sucky idea. But nobody is acting very worried about the burgeoning
trade in anon-FTP binaries. Personally I wouldn't touch anything
UPLOADED to an FTP site by some other anonymous user. I wouldn't worry
so much about using stuff which the original author, or his responsible
representative, makes available at a primary distribution site --
because there is some implicit accountability.
However, forgeries and FTP hacking are possible and people should
exercise vigilance, even within their own sites. Suppose I uploaded a
Trojan horse program (which masqueraded as graphic shuttle tracking
software) to some NASA site and then forged a Usenet announcement
telling everyone this wonderful new program was available for FTP.
Almost nobody would question the bona fides of either the article or the
program. The program could propagate widely and wreak havoc, and
tracing me would be a fair piece of work.
It'll probably take a couple of real nasty incidents (don't look at me!)
to wise people up. It did in the PC world.
--
To exit -- [__] Tom Neff
press <Enter>. [__] tneff@bfmny0.BFM.COMpeter@ficc.ferranti.com (Peter da Silva) (09/30/90)
Looks like it's time for this again. It was first published just a few weeks before the Internet Worm struck, and people still haven't learned: The Usenet virus: a case history. A cautionary tale. The Usenet virus was detected when a user discovered that a program he had received from the net seemed to have two versions of malloc included with the source. One version of malloc might be odd, but people have never tired of reinventing the wheel. Two versions were suspicious, particularly since they lead to a name conflict when the program was linked. The first, lmalloc.c, seemed to be identical to the malloc listed in Kernighan and Ritchie. The second, bmalloc.c, was rather strange, so we concentrated our efforts on it... this time was later found to have been wasted. After a little work during spare moments over the course of a week we decided it was actually a clumsy version of the buddy system (a fast but space-inefficient method of memory allocation). It might make a good example of how not to write readable code in some textbook, but it wasn't anything to get worried about. Back to the first. It made use of a routine named speedhack() that was called before sbrk() the first time the malloc() was called. There was a file speedhack.c, but it didn't contain any code at all, just a comment saying that it would be implemented in a future version. After some further digging, speedhack was found at the end of main.c. The name was disguised by some clever #defines, so it never showed up in tags and couldn't be found just by grepping the source. This program turned out to be a slow virus. When it was run, it looked for a file 'lmalloc.c'. If it found it, or it didn't find Makefile, it returned. From then on malloc ran normally. If it didn't find it, it reconstructed it using a series of other routines with innocuous names tagged on to the end of other files. This was apparently an attempt to avoid overly increasing the size of any one of the files in the directory. Then it went into Makefile or makefile (it looked for both) and added lmalloc.o onto the end of the first list of '.o' files it found. It then reconstructed each of the extra routines, and speedhack itself, using techniques familiar to any reader of the obfuscated 'C' contest. These were tagged onto the ends of the '.c' files that corresponded to the '.o' files in this same list. The program was now primed to reconstruct the virus. On inspection, we discovered that about 40% of the sources on our system were infected by the speedhack virus, We also found it in one set of shell archives that we'd received but never unpacked or used, which we took as evidence that it had spread to a number of other systems. We have no idea how our system was infected. Given the frequency with which we make modifications and updates, it's likely that the original speedhacked code is no longer on the system. We urge you to inspect your programs for this virus in an attempt to track it to its source. It almost slipped by us... if the author had actually put a dummy speedhack in speedhack.c we would have merely taken lmalloc.o out of the Makefile and defused *this* copy of the virus without being any the wiser. There are other failings in this program that we have thought of. We have decided not to describe them to avoid giving the author of this program ideas we might regret. Some ways that programs like this can be defeated include 'crc' checks of source files and, of course, careful examination of sources received from insecure sites. ----- Now I have to make a confession. This whole document is a hoax intended to dramatize the problems involved with viruses and Usenet. I suspect that most of you were clued to this by the Keywords line. While playing with the idea and writing this article several things occurred to me: First of all, this virus is a much more complex program than any of the viruses that have been spotted on personal computers. I think it has to be, based on the design goals that a REAL UNIX virus must satisfy. I have not attempted to actually implement it because of this. It must be small, to avoid detection. It must not cause files to grow without bound. It must infect foreign files, otherwise it's not a virus... just a Trojan Horse (like the bogus ARC and FLAG programs on the PC). Trojan horses are a dime-a-dozen. It must infect source files, since this is the primary software distribution channel for UNIX. A virus stuck on one machine is a boring one. It must not break the infected program (other than what it might care to do deliberately). It must not be obvious from a simple examination of the source (like, changing main to Main and having a virus-main call Main). I believe that given these goals (which are, of course, subject to debate) a simpler program would be successful in infesting more than a small fraction of the machines that (say) comp.sources.misc reaches. There are systems immune to this particular attack, of course. Ones not running UNIX, so sbrk() doesn't work. Or ones with radically different versions of malloc(). Ones with no 'c' compiler. They are in the minority, though. On the other hand a virus of this type could infest a large proportion of the net before it was found. The virus I described does not cause any direct damage, except for using up a relatively small amount of disk space. A more vicious virus is possible. Other variations of this virus are obviously possible. For example, it could be tagged onto any standard 'C' library routine... I chose malloc merely because source was available and because it's something that people complain about, so they wouldn't be likely to find an extra copy suspicious. Another good routine would be perror(), for the same reason. This would have the additional benefit of making the spread of the infection dependent on an additional random factor, making it harder to detect the virus. Do I think something like this is likely? No. Especially not now that I've written this little piece of science fiction. I'm sure that eventually someone will try something unlike this, I suspect that their virus would get caught much sooner than 'speedhack', because I think that more people look at the source than conventional wisdom would lead you to believe. But, again, this is just my personal opinion. Debate is welcomed... that's why I did this in the first place: to inject some sense into the debate currently raging in comp.sys.amiga. -- Peter da Silva. `-_-' +1 713 274 5180. 'U` peter@ferranti.com
ralph@laas.fr (Ralph P. Sobek) (10/29/90)
In article <1548@atlas.tegra.COM> vail@tegra.COM (Johnathan Vail) writes: | | Two years ago when I was working at DG it was still in AOS. Typing | `xyzzy' at the prompt returned "Nothing happens". It's amazing that pieces of the the old `adventure' game are floating around in OS's! In the Adventure dungeon, if you typed `xyzzy' at some inappropriate moment, the game would respond with `Nothing happens'! -- Ralph P. Sobek Disclaimer: The above ruminations are my own. ralph@laas.fr Addresses are ordered by importance. ralph@laas.uucp, or ...!uunet!laas!ralph If all else fails, try: sobek@eclair.Berkeley.EDU =============================================================================== Reliable software should kill people reliably! -Andy Mickel, Pascal News #13,78
jbayer@ispi.COM (Jonathan Bayer) (11/11/90)
ralph@laas.fr (Ralph P. Sobek) writes: >In article <1548@atlas.tegra.COM> vail@tegra.COM (Johnathan Vail) writes: >| >| Two years ago when I was working at DG it was still in AOS. Typing >| `xyzzy' at the prompt returned "Nothing happens". >It's amazing that pieces of the the old `adventure' game are floating >around in OS's! In the Adventure dungeon, if you typed `xyzzy' at >some inappropriate moment, the game would respond with `Nothing >happens'! Add the following to the /bin directory, and it would then be in your system: main() { printf("Nothing happens\n"); } :-) JB -- Jonathan Bayer Intelligent Software Products, Inc. (201) 245-5922 500 Oakwood Ave. jbayer@ispi.COM Roselle Park, NJ 07204
trev@hubcap.clemson.edu (Trevor Bauknight) (11/13/90)
In article <RALPH.90Oct29162415@orion.laas.fr>, ralph@laas.fr (Ralph P. Sobek) writes: > | Two years ago when I was working at DG it was still in AOS. Typing > | `xyzzy' at the prompt returned "Nothing happens". > > It's amazing that pieces of the the old `adventure' game are floating > around in OS's! In the Adventure dungeon, if you typed `xyzzy' at > some inappropriate moment, the game would respond with `Nothing > happens'! In Zork I, I tried typing "xyzzy" and the program responded: "Fool." I just got subscribed to this group, and it's quite interesting. I own and operate a TeleVideo 803 CP/M machine which I've had since it was new... all I've ever done is change the oil and filters...excellent machine... makes a great terminal now. -- --------------- Trevor Zion Bauknight | _> ### | trev@hubcap.clemson.edu | | | --------------- "If it keeps on raining, the levee's going to break..."
smsmith@hpuxa.ircc.ohio-state.edu (Stephen M. Smith) (11/13/90)
Jon <vector0!jon@sactoh0.SAC.CA.US> asks: > Yeah, but when *is* something going to happen? I've played Adventure >before, but I don't know what you could do on the system to make 'xyzzy' >work... This is the procedure to follow: 1) Go to the business office across the street. 2) Log onto their system. 3) Tie into your own system over the net using your logon procedure. 4) Enter 'xyzzy'. 5) You are then transported back to your office. -ss
bigm@batserver.cs.uq.oz.au (Michael Pilling (The phantom of the Milk Bar)) (11/13/90)
ralph@laas.fr (Ralph P. Sobek) writes: >In article <1548@atlas.tegra.COM> vail@tegra.COM (Johnathan Vail) writes: >| >| Two years ago when I was working at DG it was still in AOS. Typing >| `xyzzy' at the prompt returned "Nothing happens". >It's amazing that pieces of the the old `adventure' game are floating >around in OS's! In the Adventure dungeon, if you typed `xyzzy' at >some inappropriate moment, the game would respond with `Nothing >happens'! It's probably still there too! DG did such a good job of simulating 16 bit AOS in 32 bit AOS/VS with call translation within the agent that it never really bothered rewritting most of the CLI, but left it in 16 bit assembler. Strangely enough, xyzzy was a very useful command for debugging and a safe way of putting in a must fill this code in reminder. Also, xyzzy was implemented somewhere outside the general parser, as if you give it any arguments or switches it returns the error NOT A COMMAND OR MACRO unlike all other builtins which will say UNKNOWN SWITCH or UNEXPECTED ARGUMENT. Michael -- _--_|\ Michael John Pilling, bigm@batserver.cs.uq.oz.au / \ Computer Science Department, She was pregnant and, unfortunately, \_.--._/ University of Queensland, the serious bruise to her back v Queensland, 4072 Australia. prompted her to abort.[Daily Sun]
ralph@laas.fr (Ralph P. Sobek) (11/13/90)
I tried to reply to jon but his posting didn't leave neither a From: nor Reply-To: header. Shame! Shame! If my memory serves well, xyzzy worked in the room where you heard PLUGH or some such. -- Ralph P. Sobek Disclaimer: The above ruminations are my own. ralph@laas.fr Addresses are ordered by importance. ralph@laas.uucp, or ...!uunet!laas!ralph If all else fails, try: sobek@eclair.Berkeley.EDU =============================================================================== Reliable software should kill people reliably! -Andy Mickel, Pascal News #13,78
zane@ddsw1.MCS.COM (Sameer Parekh) (11/14/90)
What IS xyzzy?
Does it have some acronymical significance?
What is Adventure? (I am young, bear with me)
--
zane@ddsw1.MCS.COM
toma@tekgvs.LABS.TEK.COM (Tom Almy) (11/15/90)
In article <RALPH.90Nov13152815@orion.laas.fr> ralph@laas.fr writes: >I tried to reply to jon but his posting didn't leave neither a From: >nor Reply-To: header. Shame! Shame! >If my memory serves well, xyzzy worked in the room where you heard >PLUGH or some such. Well, no, but close: 1. XYZZY would take you from the well house (on the surface) to the debris room (the one with the rod). And visa versa. 2. PLUGH would take you from the well house to the Y2 room, and visa versa. 3. Y2 would take you from the east end of the Hall of Mists to the Rock Jumble and from there to the Y2 room. 4. PLOVER would take you from the Plover room to the Y2 room, and visa versa. 5. SECRET would take you to the Secret Tight Canyon from the Hall of the Mountain King. 6. BEDQUILT would take you to Bedquilt from the Large Low Room. 7. ORIENTAL would take you to the Oriental Room from any adjacient room. 8. SLAB would take you to the slab room from Bedquilt. 9. CANYON would take you to the Tall E/W canyon from the Swiss Cheeze room 10. CAVERN would take you to the Misty cavern from the Oriental Room or the Alcove. Is that enough secret motion words? Tom Almy toma@tekgvs.labs.tek.com Standard Disclaimers Apply
pms@vicorp.com (Peter Shirley) (11/15/90)
Not sure what this discussion is doing in alt.sources.d, but . . . In the versions of Adventure I've played, xyzzy gets you from the well house to . . . let's see now, is it the cobble crawl? Some place a few (i.e. two or three) moves inside the cave, anyway. It'll get you from that location back to the well house, too. Plugh is another story, as is plover. -Peter
whos@ddsw1.MCS.COM (Ben Feen) (11/16/90)
In article <1990Nov13.235831.1451@ddsw1.MCS.COM> zane@ddsw1.MCS.COM (Sameer Parekh) writes: > >What IS xyzzy? > Does it have some acronymical significance? >What is Adventure? (I am young, bear with me) Adventure is the ancestor of all modern Infocom-type text adventures. XYZZY was a magic word from the game. -- whos@ddsw1.MCS.COM | I don't know, who's at DDSW1? | whos@ddsw1.MCS.COM! I asked YOU who's at DDSW1! Ok, there's a guy at DDSW1, right? | Right! Who? | Exactly! | What? | No, he's at lll-winken. | Where? | No, What! | I don't know! | He's at gargoyle. | Who? | No, he's at DDSW1.MCS.COM!
eps@rieska.oulu.fi (Erkka Sutinen) (11/20/90)
In article <1990Nov13.235831.1451@ddsw1.MCS.COM> zane@ddsw1.MCS.COM (Sameer Parekh) writes: > >What is Adventure? (I am young, bear with me) >zane@ddsw1.MCS.COM I don't stand this........ I mean... I'm 21, and these make me feel myself so old...... *sight* So I'd suggest new newsgroup: alt.gap.between.generations and #define generation ~ 1 year *sight* and it feels like yesterday.............. ==============================# Olet saastaa kerran sin{kin, samanlainen Erkka Pietari Sutinen # kuin kammottava haaska tuo, INTERNET: eps@tolsun.oulu.fi # Sin{ silm{ini t{hti, aurinko loistavainen EARN/BITNET: TKOP-EPS AT FINOU# sin{ enkelini ja himoni vuo...-Baudelaire -- ==============================# Olet saastaa kerran sin{kin, samanlainen Erkka Pietari Sutinen # kuin kammottava haaska tuo, INTERNET: eps@tolsun.oulu.fi # Sin{ silm{ini t{hti, aurinko loistavainen EARN/BITNET: TKOP-EPS AT FINOU# sin{ enkelini ja himoni vuo...-Baudelaire
greywolf@unisoft.UUCP (The Grey Wolf) (11/21/90)
In article <8428@tekgvs.LABS.TEK.COM> toma@tekgvs.LABS.TEK.COM (Tom Almy) writes: > >4. PLOVER would take you from the Plover room to the Y2 room, and visa versa. This is going to be a really dense question (not stupid, because no question to which the answer is not known qualifies as a stupid question!), but Can someone explain further the historical meaning of PLOVER? We nicknamed our pyramid "plover" on one ethernet board (the other one is "cheops", which I understand (it's a pyramid in egypt somewhere...)). > >Tom Almy >toma@tekgvs.labs.tek.com >Standard Disclaimers Apply advTHAaNKXnce -- "This is *not* going to work!" "Well, why didn't you say so before?" "I *did* say so before!" ...!{ucbvax,acad,uunet,amdahl,pyramid}!unisoft!greywolf
xanthian@zorch.SF-Bay.ORG (Kent Paul Dolan) (11/24/90)
greywolf@unisoft.UUCP (The Grey Wolf) writes: > toma@tekgvs.LABS.TEK.COM (Tom Almy) writes: >> 4. PLOVER would take you from the Plover room to the Y2 room, and >> visa versa. > This is going to be a really dense question (not stupid, because no > question to which the answer is not known qualifies as a stupid > question!), but > Can someone explain further the historical meaning of PLOVER? We > nicknamed our pyramid "plover" on one ethernet board (the other one is > "cheops", which I understand (it's a pyramid in egypt somewhere...)). Well, a plover is a stilt legged shore bird, but I suspect the choice goes back to a mildly off color joke that was current in that era: To set the scene, just remember that essentially _any_ reference to generative organs was worth a smirk, and that _all_ unmarried women were Unsullied Virgins, back in the Ed Sullivan era. Scene: modest party featuring the Jocks of the era and their Bright Young Thing dates. Jock, reading dictionary: "It says here that the male testicle is about the size and shape of a plover's egg." Bright Young Thing: "Oh, that's great! Now we all know how big a plover's egg is!" Kent, the man from xanth. <xanthian@Zorch.SF-Bay.ORG> <xanthian@well.sf.ca.us> -- That is what passed for hilarious humor in the 1955-1965 era; really!