VIRUS-L Digest             Monday, 14 Nov 1988         Volume 1 : Issue 6

Today's Topics:
Compute's Book of Computer Viruses
Re: digesting
ramifications
Sharing the Blame
Security Expert ?
Digest truncating.
Nov 3 virus
Mail extract from UNIX-COMMS in UK...
Digest form of VIRUS-L...
Usefulness of VIRUS-L "worm" coverage
Naming these nasties...
Sending large chunks of RISKS digests...
RE: More Virus
Transcripts Wozniak/Cohen

---------------------------------------------------------------------------

Date: FRI NOV 11, 1988 21.18.33 EST
From: "David A. Bader"
Subject: Compute's Book of Computer Viruses

Has anyone read this book yet? I just got it; and as soon as I read it; I'll tell you what I think of it...

-David Bader
DAB3@LEHIGH

------------------------------

Date: Fri, 11 Nov 88 17:12:36 CST
From: "Mark R. Williamson"
Subject: Re: digesting

>Date: Fri, 11 Nov 88 11:29:21 CST
>From: Steven McClure
>Subject: digesting
>
>digesting the list is in my opinion an idea whose time has come, but
>it creates a problem. For some reason, all my mail messages are truncated
>at 200 lines. Is there any way around this problem??

Mr. McClure, are you perhaps using the VM command PEEK to read the digest? By default, it only shows you the first 200 lines of any file in your reader. You can increase this number for a specific invocation of peek by including the "FOR nnn" option (to show nnn lines) or "FOR *" (to show them all, if you have the memory). You can also increase your personal default with the DEFAULTS command. (See the help for more information.)

For example:       PEEK 1234 (FOR 1000
or, from RDRLIST:  PEEK / (FOR 1000
to set default:    DEFAULTS SET PEEK FOR 1000

Mark R. Williamson, Rice University, Houston, TX; MARK@ICSA.RICE.EDU

------------------------------

Date: Fri, 11 Nov 88 16:29:12 EST
From: "Homer W. Smith"
Subject: ramifications

I agree wholeheartedly with Ken Van Wyk's analysis of the potential damage caused by the virus if people close down the networks to easy access.

I live in Ithaca which is full of gorges in which we often go swimming. Most go skinny dipping so this practice is barely tolerated by the town at large [Ed. Ta dum dum :-)]. But the place we go is so far away deep into the woods that no one really cared. At one of the reservoirs there was a tree with a rope that kids would swing off a cliff out over the water. It was fun and scary but that is what childhood is about right?

Two years ago some high school student (straight A's, head of his football team, never did wrong in his entire life) got very drunk and took a ride on that rope. He froze and swung back hitting the cliff stunning himself. He fell into the water and drowned. His parents sued the city for irresponsibility and so the city forbade swimming in the gorges and now patrols the place with police every summer. I was one of the first to be arrested for going there.

This was a major loss to us who are used to the various assets of Ithaca. Although we feel sorry for this one kid, and his parents, many of us who otherwise would have behaved in a responsible manner at the gorge find it hard to find any sympathy for either of them as they have punished others for their own irresponsibility. What was this clean cut 'mothers' boy doing getting drunk?

If people get too scared the networks will be shut down. Humans react in this way. That is why we must harness these destructive forces (bad hackers) for the good of the world before it is too late. I have been very close to the edge of being a bad hacker myself during my high school years and have stories to tell of shenanigans that caused IBM much eyebrow raising. Boy do I wish someone had come along and said I was a useful person and put all that good energy to good use. I would have been as loyal as you please. In fact IBM did just that and I got to meet all my idols, Kenneth Iverson among them. This was in 1969.

Sometimes the people who are not trying to do damage, just trying to have some fun and scare the elders end up doing the most social damage. We must harness them on a nationwide basis before we all get harnessed in the impending panic. They would make a terrific force against the true terrorists and malicious pranksters that infiltrate our society. Fortunately the more criminal you are, the less bright you are, so we have the edge.

Homer

------------------------------

Date: Fri, 11 Nov 88 15:57:43 CST
From: Scott Guthery
Subject: Sharing the Blame

If there's going to be some penalty hits passed out for the net virus, I'd say that the guy who programmed the hole and the system administrators who ignored AT&T's memo about the hole deserve as many -5's as Mr. Morris. In fact were I Mr. Morris' counselor (I'm not even an attorney) I'd certainly talk a lot about contributory negligence. System administrators who sue may get to share another experience with Mr. Morris.

------------------------------

Date: 11 Nov 88 19:55:00 EDT
From: "HUNT, DOUG"
Subject: Security Expert ?

Well, I finally heard it the other night -- Ted Koppel, who I happen to think is one of the best interviewers in the popular media, had a program on the internet events, and (Wozniak's inane remarks aside) Koppel said something to the effect that if the culprit was not convicted he was certainly going to have a career in computer security. NUTS !!!!

Making no assumptions as to the guilt or innocence of anyone (people ARE presumed innocent until proven guilty -- not the other way around) the continued practice of the computer industry and commercial/education/government institutions in lionizing the reprehensible and unethical members of the discipline is astounding. We do not hire murderers as police chiefs, and we do not hire embezzlers to guard the cash drawer.

Whether the scope of damage was beyond that envisioned, I have NO USE WHATSOEVER for anyone who even considers to initiate such a program in which there is even the most remote possibility of damaging other's in data, stealing their private information, or denying them the use of their resources. The industry can do well without these folks! They are and should be treated as pariahs -- redemption of souls is the province of another discipline. The perpetrators of such malicious code have shown themselves to be untrustworthy, and lacking in ethical standards or common consideration for others, including their peers. There should be no place for them in the research, government, or commercial institutions where they may someday wreak more havoc and will profit from their behavior and lack of moral character.

FLAme off.

Doug Hunt
dhunt@ecf.icst.nbs.go

The opinions expressed etc........

------------------------------

Date: 12 November 1988, 16:24:06 ECT
From: Stig Hemmer HEMMER at NORUNIT
Subject: Digest truncating.

We have had a 200 lines' problem here too. It was our mail-reader program PEEK that truncated the mail. Try receiving the digest and THEN read it. If it is untruncated, then there are some easy solutions:

1) Use another mail-reader e.g. LOOK
2) Tell your mail-reader to accept longer files. In the case of PEEK it is: DEFAULTS SET PEEK FOR *
3) Receive your mail before reading it.
4) If none of this works try asking a local guru.

-Tortoise

[Ed. We got quite a few of these PEEK related messages. I hope that's what the problem was for the people who were getting their mail truncated at 200 lines...]

------------------------------

Date: 12 November 1988, 18:17:24 ECT
From: Stig Hemmer HEMMER at NORUNIT
Subject: Nov 3 virus

Well, let's ask ourselves what would have happened if the virus had been silent as intended: Somebody would find it and make it harmful. We have seen it before. NOBODY in their right minds should release a 'silent' virus.

-Tortoise

------------------------------

Date: 13-NOV-1988 07:32:55 GMT
From: PGM@VMS.BRIGHTON.AC.UK
To: VIRUS-L@LEHIIBM1
Subject: Mail extract from UNIX-COMMS in UK...
Sender: Peter_Morgan (Brighton Polytechnic Computer Centre)

From: Syngen Brown 8-NOV-1988 19:42

Systems I checked:

Ultrix 2.0
HLH (Orion) OTS v.2
SUN v.4
Gould UTX32 v.2
Original 4.2BSD from UCB

Of the above, only Ultrix 2.0 had sendmail compiled without debug, and if I remember correctly, Ultrix 1.2 sendmail was compiled *with* debug.

------------------------------

Date: 13-NOV-1988 08:00:56 GMT
From: PGM@VMS.BRIGHTON.AC.UK
To: VIRUS-L@LEHIIBM1
Subject: Digest form of VIRUS-L...

I'd asked colleagues in my department whether they were interested in receiving snippets from VIRUS-L, since we have seen one, and are tackling publicity at the moment. I was acting as a filter, rather than the local virus killer/expert, in that all I'd do would be forward appropriate msgs.

Can I PLEAD with contributors to indicate "MAC" or "IBM" (or neither, when a message is related to more general reading) in the Subject line so that extracting pieces for other people is made a little easier?

At present, I don't have an undigestify tool (except the editor) and my other experiences of Digests being considerably delayed was borne out by the five which appeared yesterday, in order 3/4/5/2/1, mingled with other msgs, inc the ASCII junk (yes, I'm not totally against a Digest).

I'll see what can be done to that nuisance mail person from UK - suggesting the SysMgr changes his p/w, logs in as him, and sends a SIGNOFF * to find out what else he has been subscribed to!

- --end--

------------------------------

Date: 13-NOV-1988 07:30:11 GMT
From: PGM@VMS.BRIGHTON.AC.UK
To: VIRUS-L@LEHIIBM1
Subject: Usefulness of VIRUS-L "worm" coverage

Dear Ken, you asked about how helpful VIRUS-L was for sites hit...[not us]

In the UK, I'm a subscriber to a few lists, and set up a local distribution mechanism for the more popular ones (INFO-VAX, VAXVMS) and I scan the text before I delete it [don't trust fully automated deletions].

VIRUS-L was the first source (for me) about the Internet worm. I don't read ANY daily newspapers, and hadn't heard radio or TV news about it. That was on Friday 4 Nov @ 21:00 GMT. I checked the UK's SUN mail list, and another list called UNIX-COMMS [ZERO! we aren't on any other Unix list (or USENET/News)]

There were pictures from USA on 5th Nov TV News, and comments on radio. Since I expected few people to be at work Sat/Sun, and there was potential for students to find out about the mechanism before Monday, I posted an offer to the UNIX-COMMS list to pass info upon request [so any users on lists WITH info would not curse me, and since the list is quite strictly "about OSI ideas and problems", so I [=site] wouldn't be removed by some administrator].

Monday I received around 10 requests for more information. Follow-up comments:

"Many thanks, less than 30 mins after I mailed for help our University Accountant was expressing his panic to Xxxx Xxxxx (Director and Boss)!"

"Thanks for passing on the (very interesting) details. Alan."

"Many thanks for sending this stuff on."

- --end--

------------------------------

Date: 13-NOV-1988 08:14:38 GMT
From: PGM@VMS.BRIGHTON.AC.UK
To: VIRUS-L@LEHIIBM1
Subject: Naming these nasties...

I know some things ("Brain" and "nVir") have been named, but can I suggest others be called --

Someone listed a number of classes (Virus, Worm, Bacterium + ) so how about a file on LISTSERV@LEHIIBM1 called VIRAL CLASSES and an index as VIRAL INDEX ?

-- eg MAC-B-01 or IBM-W-03 could be identifiers for "unnamed" things, such as the one which was tagged "Norton virus" because it was found on a Norton Commander disk... That "tag" is misleading, since it could move to and it appears to be a "new" one!

If someone has already built an index of the known worms/virii, could they please let me know. Please don't tell me to pull the log files and edit them. What I'm looking for is a name, machine (& O/S if specific), any description of the effects, a means of identifying this attacker, any known cures, any detection methods that work, and detection methods that fail.

- --end--

------------------------------

Date: 13-NOV-1988 08:38:53 GMT
From: PGM@VMS.BRIGHTON.AC.UK
To: VIRUS-L@LEHIIBM1
Subject: Sending large chunks of RISKS digests...

Whilst I found the extracts from the RISKS Digests of interest, I do feel that cutting (large) chunks from one digest and placing them in another can be bad, if the original digest is stored on LISTSERVers for a week or more.

My personal preference would be (a) to have lengthy messages near the end of a digest, rather than the beginning, and (b) to put a precis of an article in the digest, when it is an extract from another [say 3-8 lines].

The latter would allow those who are already subscribers to skip a paragraph without having several screens of text they've already received, and let those *who feel it important enough* to get it from the nearest LISTSERVer. They, in turn, might find other topics they want to follow, and if they subscribed to a different list, would benefit from just a paragraph to read instead of lengthy extracts.

I've cut the list below and you can see there are two RISKS handlers on this side of the Atlantic (FINHUTC and IRLEARN) and a number elsewhere. Cutting to a paragraph would let VIRUS-L Digest get through faster, too!

USER$DISK_2:[COMPUTER_CENTRE.PGM]BITNET.GLOBAL-LISTS;1

RISKS     MD4H@CMUCCVMA    (Peered) Risks List
          RISKS@FINHUTC    (Peered) Risks in the use of computer systems
          RISKS@MARIST     (Peered) Risks List
          RISKS@UBVM       (Peered) Risks List
          RISKS@UGA        (Peered) Risks List
RISKS-L   RISKS-L@IRLEARN  Discussion of Risks to Public in the Use of C

- --end--

[Ed. LISTSERV is a smart program; if you subscribe to a list that is peered by a LISTSERV closer to you, it will forward your subscription request to the appropriate LISTSERV. So, it shouldn't really matter which LISTSERV you subscribe from. As for the RISKS submissions; I tried to include the messages that I felt were of interest to our readers. It won't become a habit to send large chunks of RISKS out to VIRUS-L readers, but there was some very good discussion about the Internet Worm there, so I passed them on. Also, I send out digested messages in the order in which I receive them.]

------------------------------

Date: Sun, 13 Nov 88 14:44 EDT
From: Paul Coen
Subject: RE: More Virus

> It seems that some people think that Mr. Morris has done the
>nation a favor by exposing the weaknesses of our defenses to the rest
>of the world. It is a shame that we should have to invest all the
>resources that we do on national defense. However, some things are a
>necessary evil in order to protect our way of life here in the United
>States. If Mr. Morris' intentions were to expose any weaknesses in our
>defenses, then he could have found a more appropriate way to do so.
>Instead, he did in fact jeopardize the security of our nation by
>slowing response time and wasting man hours to stop his little
>'virus'. As many say, "The road to hell is paved with good
>intentions."
> Daryl Spillmann

Some points

1) This wasn't a virus, it was a worm. Was any data lost or destroyed by this program? No. The program did not include the destruction of data as part of its repertoire.

2) "Exposing the weakness of our defences to the rest of the world"...face facts....anyone who wanted to could and has hacked on the internet. all the worm allegedly written by Mr. Morris did was show the American public how many holes there were...face it, the Soviets have known for years, and anyone who doesn't think so is burying his/her head in the sand.

3) The above point is why machines with truly crucial data are not in the Internet. From what I've seen, a good number of the infected machines were mail servers. Whoopy-doo.

4) Harming national security by wasting man-hours...yes it wasted time & MONEY, but I can't really take seriously the assertion that this put our national security at risk. The sysadmins and sysmanagers who had to get the ^@$^#*$ worm out of the systems aren't the people who are responsible for monitoring world activities, etc. This thing was more noise than danger. yes, it was embarrassing, yes, it wasted time. However, there's no need for the wringing of hands. Face it, IT COULD HAVE BEEN WORSE, and it probably will be at some time in the future, since I doubt this is the only hole in Internet and Unix. Unix has security that brings the phrase "woolly thinking" to mind.

5) Appropriate way to show weaknesses in our national defence....like what, actually destroying data? Or hacking into a secure system that really had important data? The possibilities are endless. I think he picked a dramatic but relatively benign way to prove the point.

P.S. hey, the method of attack used by this worm is very elegant. If Mr. Morris is indeed the author, I'll bet he's an excellent chess player. ;-)

+----------------------------------------------------------------------------+
| Paul R. Coen    Student Operator, Drew University Academic Computer Center |
| Bitnet: PCOEN@DRUNIVAC      U.S. Snail:  Drew University CM Box 392,       |
|         PCOEN@DREW                       Madison, NJ 07940                 |
| Disclaimer: I represent my own reality.                                    |
+----------------------------------------------------------------------------+

------------------------------

Date: Sun, 13 Nov 88 23:49:06 CST
From: "STEVE M. JOHNSON"
Subject: Transcripts Wozniak/Cohen

Those interested in the Wozniak/Cohen discussion may order transcripts by sending $3.00 to:

NightLine Transcripts Wozniak/Cohen
Journal Graphics
267 Broadway
New York, New York 10007

I doubt they will allow me to enter the transcripts into BITNET, but I have asked for specific written permission. Is there any problem with this, Kenneth?

[Ed. No, that would be great if you can get the permission!]

Steve M. Johnson
University of Arkansas -- Fayetteville
Hog's breath is better than no breath at all!

------------------------------

End of VIRUS-L Digest
*********************