VIRUS-L Digest   Monday, 4 Mar 1991    Volume 4 : Issue 34

Today's Topics:

Mutation of Stoned (PC)
non-scanning anti-virus techniques
AI in Anti-Viral products
Hardware Damage?
Re: Compucilina (PC)
Re: Viruses via radio
Re: Virus protection & universities (PC)
Re: How to disable boot up from A: (PC)
Latest McAfee anti-virals uploaded to SIMTEL20 (PC)
Mac Viruses vs. PC Viruses: Coding Comparison
viral signatures
PC-DACS (PC)

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU.

Ken van Wyk

---------------------------------------------------------------------------

Date: Thu, 28 Feb 91 11:05:11 -0500
From: Pat Ralston
Subject: Mutation of Stoned (PC)

We have found a mutation of the Stoned or Stoned II virus. McAfee's VIRUSCAN version 74B reports Stoned, but ONLY on FLOPPY disks. Version 74B cannot find Stoned on the hard disk. However, when using Norton Disk Editor we find the following message in the Partition Table: "Your PC is now Stoned! LEGALISE". Please note that Legalise is NOT spelled with a Z as in other versions and is in all uppercase letters. Any help will be appreciated. We have performed a low level format of the hard drive but we have retained copies of the virus on floppy disks. The virus was found by one of our alert student consultants in our open computer clusters. Due to the nature of our clusters this virus may have spread quickly through the university.
We are in hopes that we have contained it, however.

PAT RALSTON
BITNET: IPBR400@INDYCMS
IUPUI (Indiana University - Purdue University at Indianapolis)

------------------------------

Date: Thu, 28 Feb 91 12:40:56 -1100
From: "Luis Bernardo Chicaiza S."
Subject: non-scanning anti-virus techniques

Fridrik says:

> Detection and Prevention are two different things.

OF COURSE!!!!!!!!! Preventing a virus from damaging any file is virtually impossible, but preventing a virus (installed in memory) from infecting other programs is feasible. If we add code to a program, this code MIGHT detect the virus in order to prevent the infection, but this detection can be made without scanning for a portion of known viruses.

COMPUCILINA(C) is a commercial program and the technique it uses is an industrial secret. I can only say: "COMPUCILINA does not scan for a particular virus", and therefore it offers protection against current and future viruses.

I believe that the solution to the virus problem is not to update the old anti-virus programs, but to create new methods against viruses.

I expect your questions and comments. Thanks in advance.

Luis Bernardo Chicaiza S.

Luis Bernardo Chicaiza Sandoval
Universidad de los Andes, Bogota, Colombia
e-mail:

------------------------------

Date: 28 Feb 91 12:18:31 -0500
From: Bob Bosen <71435.1777@CompuServe.COM>
Subject: AI in Anti-Viral products

What exactly is AI anyway? I've heard this buzzword used and abused for years and I avoid it because I think almost everybody interprets it differently.

SafeWord VIRUS-Safe "learns" a little bit as it is used. I doubt if this is what you are referring to as true "AI", but it is pretty smart and it helps to simplify the lives of your users. Basically, it maintains a list of programs whose integrity it has already authenticated, along with the rules the user (or his supervisor) has established regarding when, how, and how often to re-check the integrity of each file.
Whenever a user attempts to execute a program whose name is not on this list, SafeWord VIRUS-Safe automatically opens a dialog window and informs the user that it has not yet "learned" how to authenticate this program. The user is asked if (s)he would like to define a set of simple rules for authentication of the program now and in the future. Any rules the user provides during the ensuing short dialog are retained and enforced from then on.

Is that AI? Not by my definition. But it's probably more or less along the lines you want to achieve... Certainly it works. In SafeWord VIRUS-Safe, we call it "LEARN mode".

-Bob Bosen-
Enigma Logic Inc (Creators of SafeWord VIRUS-Safe [Now Shareware])
2151 Salvio Street #301
Concord, CA 94520 USA
Tel: (415) 827-5707
FAX: (415) 827-2593
Internet: 71435.1777@COMPUSERVE.COM

------------------------------

Date: 28 Feb 91 12:18:23 -0500
From: Bob Bosen <71435.1777@CompuServe.COM>
Subject: Hardware Damage?

>Is it possible for a virus, etc to cripple physical hardware
>components?

Yes. I have first-hand experience with this, unfortunately.

My experience goes back to about 1985, when I had the misfortune to buy one of the very first Compaq portables. These had an INEXCUSABLY weak power supply. (Every time I think back on the experience I start to get mad.) The power supply on even a bare-bones 128K Compaq was so marginal that it would blow a fuse if the video controller spent more than a few seconds issuing improper sync to the CRT. This happened to me more than once as errant programs (mine and other programmers') diddled with the registers on the CRT controller card. I got to the point where I could recognize the pattern. First, the CRT would go nuts, kind of like your home TV when the "horizontal sync" knob is out of whack. My sensitive ears would pick up a high-pitched whine that other workers in my office couldn't hear. If I was REALLY REALLY fast I could switch off the power fast enough to save my power supply.
But if I took more than about 3 seconds, WHAMMO! Instant tombstone.

After 3 separate trips to Compaq-authorized service facilities, at about $300.00 a pop (of course, this never happened during the warranty period, only immediately thereafter), I wised up and spied on the service technicians. They were just replacing a fuse that was SOLDERED onto the PC board. It was a big pain to disassemble that beast and find the fuse, but I never paid $300.00 again. After that I changed the fuse myself. About a year later, Compaq came out with a more reasonably designed power supply and I never suffered with this again (another $300.00 down the drain, though.)

I conclude from this sorry chain of events that it definitely IS possible for malicious software to exploit weaknesses and quirks of hardware to cause damage, but I am also convinced that hardware that is properly designed should not suffer from these attacks. I believe there are probably a lot of computers out there with poorly designed hardware or with designs that take advantage of the public's desire to buy the cheapest stuff they can get. Lots of these systems could probably be damaged by malicious software, but I doubt if there is any single trick a bad guy can do in software that can be COUNTED on to damage the general population of PCs. I know of no flaw in the hardware that is widespread enough to be exploited in a general way. But a specific kind of PC or board or peripheral could be "targeted".....

-Bob Bosen-
Enigma Logic Inc.
2151 Salvio Street #301
Concord, CA 94520 USA
Tel: (415) 827-5707
FAX: (415) 827-2593
Internet: 71435.1777@COMPUSERVE.COM

------------------------------

Date: Thu, 28 Feb 91 16:52:55 +0300
From: eldar@lomi.spb.su (Eldar A. Musaev)
Subject: Re: Compucilina (PC)

Adding to the note of Fridrik Skulason (v.4 i.31):

This 'compucilina' will not prevent infection whether you boot from floppy or hard disk.
Most of the resident viruses infect a victim before execution at int 21/4B, as a simple file which can be modified (read: infected), and only after that would the victim (and compucilina) get control and find many problems. I believe that compucilina could restore the victim in some cases, but not in ALL cases. E.g. the virus can be so poorly written that it simply spoils the file sometimes instead of infecting it.

And how does compucilina fight spawning (in terms of Patricia Hoffman) viruses? These viruses do not modify the exe-file, but make a COM-twin of the file with viral code. If you execute such an infected program, MS-DOS loads the COM-file. It does the viral work and after that loads and executes the host program, which cannot determine any traces of the virus in itself.

In the end, such a trick is well-known. I know at least 3 analogs of compucilina in the SU, with the first one dated at least 1989.

Sorry, but I'm tired of commercial advertisements here in the SU; maybe let us have a little rest?

Eldar A. Musaev, Ph.D., Researcher, eldar@lomi.spb.su
Mathematical Institute of Academy of Sciences, Leningrad, USSR

------------------------------

Date: Thu, 28 Feb 91 16:50:29 +0300
From: eldar@lomi.spb.su (Eldar A. Musaev)
Subject: Re: Viruses via radio

>US government ... for studies on methods of infecting enemy
>military computers with viruses.

I think that is a canard. If Soviet military computers are meant, then, though I am not familiar with them, I think that the US government could just as well try to infect a heap of scrap metal, whether via radio or not. Anyway, some time is needed to have an object to infect... In Asia (except the Far East), Africa & L. America the situation is hardly better. So what computers do they want to infect? Japanese and NATO?

Besides that, the only way to infect a computer via radio is to use radio to send a program. Except that you would have to send the virus as a legal transmitter of programs, i.e. you have the same problems as in the case of simply illegally entering the network. So "radio" here is only the magic word to attract public attention.

Eldar A. Musaev, Ph.D., Researcher, eldar@lomi.spb.su
Mathematical Institute of Academy of Sciences, Leningrad, USSR

------------------------------

Date: Thu, 28 Feb 91 16:51:58 +0300
From: eldar@lomi.spb.su (Eldar A. Musaev)
Subject: Re: Virus protection & universities (PC)

Leningrad University (at least the Mathematical & Mechanical Department) has created two or three antiviral systems of its own and feels quite comfortable. Moscow University (as reported by Moscow researchers) is permanently under attack from VIRUSES of its own, but they are of very low quality ("student's viruses") and so don't spread widely. Anyway, I could not find any traces of them in Leningrad.

Eldar A. Musaev, Ph.D., Researcher, eldar@lomi.spb.su
Mathematical Institute of Academy of Sciences, Leningrad, USSR

------------------------------

Date: Thu, 28 Feb 91 16:50:59 +0300
From: eldar@lomi.spb.su (Eldar A. Musaev)
Subject: Re: How to disable boot up from A: (PC)

>University of Houston can disable boot up from drive A:

That is very simple, if you have only one floppy. Open your computer and set the DIP switches and cable connections to make A: into B:. After that, insert in AUTOEXEC.BAT a program which redirects all requests from A: to B: to avoid problems with addressing. If you have more than one floppy, make them E:, F: etc., if you have additional floppy interfaces.

Eldar A. Musaev, Ph.D., Researcher, eldar@lomi.spb.su
Mathematical Institute of Academy of Sciences, Leningrad, USSR

------------------------------

Date: Sat, 02 Mar 91 18:17:00 -0700
From: Keith Petersen
Subject: Latest McAfee anti-virals uploaded to SIMTEL20 (PC)

I have uploaded to SIMTEL20:

pd1:
CLEAN75.ZIP   Universal virus disinfector, heals/removes
NETSCN75.ZIP  Network compatible - scan for 223 viruses, v75
SCANV75.ZIP   VirusScan, scans disk files for 222 viruses
VSHLD75.ZIP   Resident virus infection prevention program

These files were obtained directly from the McAfee BBS.

Keith
--
Keith Petersen
Maintainer of SIMTEL20's MSDOS, MISC & CP/M archives [IP address 26.2.0.74]
Internet: w8sdz@WSMR-SIMTEL20.Army.Mil or w8sdz@vela.acs.oakland.edu
Uucp: uunet!wsmr-simtel20.army.mil!w8sdz
BITNET: w8sdz@OAKLAND

------------------------------

Date: Sun, 03 Mar 91 16:12:00 -0600
From: Bureau de Guerra
Subject: Mac Viruses vs. PC Viruses: Coding Comparison

>> Observation 2: Mac viruses are not easier to write than PC viruses for
>> [...various reasons deleted...]
>> that infect each platform. When I last checked (and this was awhile
>> ago), there were some 5 different Mac viruses, with no more than five
>> variations on a particular strain: total of about a dozen Mac viruses.
>> At the time, the number of PC viruses numbered 23 distinct strains and
>> over a 100 total viruses. A lot of it has to do with the number of
>> vandals writing viruses for the Mac vs. DOS, but it also has to do with the
>> relative ease with which viruses can be written for DOS vs. the Mac.

>There are possibly more practical reasons as to why there are more pc viruses
>than mac viruses: There are MORE pcs than macs, not just more "vandals
>writing", tho the two quantities are clearly related. I saw a blurb a while
>back in PC Week saying there were around 45 million pcs in the US (apparently
>not counting Europe and elsewhere). Unfortunately, there was not a
>corresponding figure for macs.
The Macintosh makes up about ten percent of the domestic pc market (higher in some overseas locations), so say four to five million.

Let's consider:

23 pc viruses / 45M pcs
5 mac viruses / 4.5M macs

There seems to be (to significant figures) about the same ratio.

Are mac viruses easier to write? No (but see below)

Discussion Follows:

PC's are easier: PC viruses primarily attack the partition tables and boot sectors of a disk. Because a significant part of the OS resides in firmware on the Macintosh, "boot sectors" do not have the same functionality on the mac as on the pc. PC viruses that infect EXE and COM files similarly rely on the architecture of how a program is loaded and executed; the mac process is sufficiently different that the "append" method of virus attack will not work.

Macs are easier: PC viruses trap interrupts, perform their task and then (hopefully) call the original interrupt. Thus pc viruses can only activate on BIOS calls. The mac takes advantage of the 68000's capacity to emulate instructions: a call to a Macintosh toolbox or OS routine is actually a machine instruction that the 68000 can't understand; it sends this to a dispatcher that routes the call to the proper routine. The dispatcher relies on a jump table. Thus every toolbox and OS routine on the mac (the newer macs use 512K ROMs, if that gives you some idea of the # of routines) can be trapped and redirected: Apple and third party developers (including virus writers, I'm sure) take advantage of this to expand and customize the mac.

Macs also isolate their code into "resources." The code to display a window, for example, is stored in a WDEF resource, the code to handle a special kind of menu in MDEF, etc. One can replace the WDEF in a program with another, and the application should still run. I used this to write a WDEF that draws a smiley face on the screen when it's closed. By replacing the default WDEF in the system, every program I run now displays a smiley face when a window is closed.
One common virus actually masquerades as window code, replacing the default window code in the system.

Because the whole Macintosh OS revolves around resources, the functions for loading, copying and modifying resources in files are part of the OS and used frequently by most programs.

Finally, since the Macintosh ships with a multitasking operating system that does not have independent segments, a virus running in an application in one segment can infect an application in a second segment.

Which Platform is Easier?

Criteria:
1) Ease of infecting new disks
2) Ease of infecting applications/operating system
3) Difficulty in detection/prevention
4) Size of virus to be effective
5) Degree of technical proficiency to program

1. PCs can be infected easily through the boot sector/partition table; macs do not have this problem.

2. Because of the resource nature of macs, infecting new applications can be as easy as moving a resource into the application's resource fork (one OS call), e.g. nVIR, WDEF.

3. Because of (2), memory resident virus detection schemes on the Macintosh are easily implemented. Also, because of the mac's control over floppy insertion/ejection, disks can be forced to be scanned upon insertion. This same functionality does not exist on the pc. Also, because of (2), scanning a mac disk for an infection is also easier. PC virus detection is straightforward, but virus prevention is much less sophisticated.

4. A PC virus is typically only a few dozen bytes long. A Macintosh virus can easily be several thousand bytes (the WDEF virus, for example, needed to duplicate the full functionality of the default WDEF to be transmitted undetected for as long as possible; coding a WDEF is not a project to be undertaken lightly.)

5. Due to the size, complexity of duplicated features, and requirements for properly handling memory management, etc., mac viruses are by nature more complex, and hence more difficult to code.
Also, judging from the fact that 400 versions of 23 PC viruses exist, where only a handful of strains of the mac viruses exist, modification [and hence evasion of detection] of pc viruses is easier.

Because of 1, 3, 4, & 5 vs. 2, I conclude that programming a mac virus is more difficult than programming a pc virus.

Jonathan E. Oberg
ph461a04@vax1.umkc.edu

------------------------------

Date: Sun, 03 Mar 91 18:26:36 -0600
From: BJ Watts
Subject: viral signatures

Hello! I am currently trying to write a virus scanning program for a project and would appreciate any help in finding virus signatures in hex. I have a couple of virus sigs and would be willing to help anyone else with these. Please contact me if you have any at BB1CS250@UA1VM.

Thanks!
BJ Watts

------------------------------

Date: 28 Feb 91 13:51:57 -0500
From: Bob Bosen <71435.1777@CompuServe.COM>
Subject: PC-DACS (PC)

From Volume 4 Issue 28:

>Ed. I saw one product which seems (IMHO) to come close to this-
>PC/DACS by Pyramid (note: I have no affiliation with them...)
>It provides boot protection, optional hard disk encryption
>(required to prevent absolute sector access), username/password
>protection, file access control, etc. Anyone with experience
>with this, or similar, systems care to comment?

Yes. I know from direct, first-hand experience with PC/DACS that the "boot protection" is so easy to defeat as to provide only the illusion of protection. While it might prove an impediment to some viruses, the two different versions I tested during 1988 and again in 1990 yielded easily to attacks using only readily-available software tools brought in on a bootable diskette. As I write this I don't have the specific version or release numbers of PC/DACS that we broke on these occasions, but we DID verify that the company promotional literature being published at the time was contrary to our findings.
With regard to impeding viruses by these techniques, there is an interesting twist that has not, up to now, been brought to light in what I've read. Note that PC security programs that attempt boot protection (including SafeWord PC-Safe II from my company) generally try to be "transparent" to non-offending application programs. They relocate the partition table or boot sector logic and they intercept requests to access these disk areas and re-vector them to the relocated copies of the original. Thus a utility program (or a virus) that tries to access the partition table is transparently vectored to the relocated copy, and unless sophisticated special steps are taken, it can't tell the difference. A virus could then infect the relocated area without even being aware of the existence of the security package.

Security based on software techniques of this type is voodoo security and should not be trusted. (I say this even though I offer a package with these "features" myself.) Without hardware modification, only ENCRYPTION can provide any kind of real security. I make and stand by the same statement with regard to file access control, username/password protection, etc. Unless based on sophisticated hardware modification or encryption, it's all based on a foundation of sand and cannot stand up to the efforts of even routine users armed with readily-available utilities.

As to encryption, the "user transparency" twist applies here too. Long experience in the marketplace has clearly shown that if encryption is not user transparent, users won't use it. So PC/DACS, SafeWord PC-Safe, and the other leading PC security products all assert encryption transparently. That's great from the standpoint of file confidentiality. Files are automatically encrypted as authorized users write them, and they are automatically decrypted as authorized users read them.
Unfortunately from the standpoint of viral contamination, the encryption process is also transparent to a virus acting inside a program run on behalf of an authorized user. Thus viral spread is generally unimpeded in such systems, regardless of what the PC security vendors would have you believe!

I fail to see the relationship between encryption and absolute sector access to which you allude. Just because sectors or files on a disk are encrypted, how am I prevented from issuing commands to the disk controller? And if the encryption is transparent, any software (malicious or not) should be unaware of the encryption if it is operating on behalf of an authorized user.

I am not trying to trash the notion of PC security packages. Indeed, I design, produce, and market such packages. I just want to set the record straight. A lot of DIS-information has been spread around. None of these PC security packages are magic. All can help in some areas, and those few that are strong enough to enforce true security are based on ENCRYPTION or HARDWARE or BOTH. On top of that encryption or hardware foundation, it is possible to assert useful file access rights or viral detection and removal, but beware of the claims of ALL the vendors. Also, be VERY VERY suspicious about the strengths of any encryption algorithms used. I could tell some amazing horror stories here.... But 'nuff said.

-Bob Bosen-
Enigma Logic Inc.
2151 Salvio Street #301
Concord, CA 94520
Tel: (415) 827-5707
FAX: (415) 827-2593
Internet: 71435.1777@COMPUSERVE.COM

------------------------------

End of VIRUS-L Digest [Volume 4 Issue 34]
*****************************************
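Added illustration (not from any digest contributor, and not the code of SafeWord, PC/DACS or any product named above) of two points Bob Bosen makes in this issue: transparent disk encryption decrypts for any code running on behalf of an authorized user, so it does not by itself stop a program in that session from altering another program; and an integrity list of the "LEARN mode" kind, which records a program's hash on first execution and compares on later runs, does notice the alteration. The store, the session object, the key, the file names and the sample program bytes are all constructed for the demo, and the XOR keystream is a toy stand-in for a real cipher; only the transparency matters here, not the cipher.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict

# Constructed sample "program": a few bytes standing in for an executable.
CLEAN_PROGRAM = b"MZ\x90\x00 hello-world program image"
# Constructed marker standing in for bytes that some other program, running
# in the authorized user's session, appends to that executable.
APPENDED_BYTES = b"<<appended-by-other-program>>"


@dataclass
class Session:
    """Who is logged in. The store only serves authorized sessions."""
    user: str
    authorized: bool


class TransparentEncryptedStore:
    """Encrypts on write and decrypts on read for any authorized session.
    The repeating-key XOR is a toy stand-in for a real cipher (assumption
    for the demo); the point is that the layer is transparent."""

    def __init__(self, key: bytes):
        if not key:
            raise ValueError("key must not be empty")
        self._key = key
        self._files: Dict[str, bytes] = {}

    def _xor(self, data: bytes) -> bytes:
        k = self._key
        return bytes(b ^ k[i % len(k)] for i, b in enumerate(data))

    def write(self, session: Session, name: str, data: bytes) -> None:
        if not session.authorized:
            raise PermissionError(f"{session.user} is not authorized")
        self._files[name] = self._xor(data)      # stored encrypted

    def read(self, session: Session, name: str) -> bytes:
        if not session.authorized:
            raise PermissionError(f"{session.user} is not authorized")
        return self._xor(self._files[name])      # returned decrypted

    def raw_sectors(self, name: str) -> bytes:
        """What a reader without the key (e.g. booting from another disk) sees."""
        return self._files[name]


class LearnModeChecker:
    """Integrity list in the spirit of the 'LEARN mode' described above:
    the first execution records the program's hash, later ones compare."""

    def __init__(self):
        self._known: Dict[str, str] = {}

    def on_execute(self, name: str, image: bytes) -> str:
        digest = hashlib.sha256(image).hexdigest()
        if name not in self._known:
            self._known[name] = digest
            return "learned"
        return "ok" if self._known[name] == digest else "MODIFIED"


def simulate() -> dict:
    store = TransparentEncryptedStore(key=b"demo-key")   # constructed key
    checker = LearnModeChecker()
    alice = Session("alice", authorized=True)

    # Day 1: alice installs a program; the checker learns its hash on first run.
    store.write(alice, "TOOL.EXE", CLEAN_PROGRAM)
    first_run = checker.on_execute("TOOL.EXE", store.read(alice, "TOOL.EXE"))

    # Later: another program running in alice's session rewrites TOOL.EXE.
    # The store decrypts and re-encrypts for it exactly as for alice herself.
    image = store.read(alice, "TOOL.EXE")
    store.write(alice, "TOOL.EXE", image + APPENDED_BYTES)

    return {
        "first_run": first_run,
        # confidentiality held: the on-disk bytes do not show the change
        "raw_contains_marker": APPENDED_BYTES in store.raw_sectors("TOOL.EXE"),
        # but encryption did not impede the change in the authorized session
        "decrypted_contains_marker": APPENDED_BYTES in store.read(alice, "TOOL.EXE"),
        # the integrity list is what catches it on the next execution
        "integrity_verdict": checker.on_execute("TOOL.EXE", store.read(alice, "TOOL.EXE")),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Run stand-alone it prints the four results: the raw sectors never expose the appended bytes (encryption is doing its confidentiality job), the authorized read returns them anyway (encryption did nothing to impede the modification), and the second `on_execute` reports MODIFIED, which is the separate integrity mechanism Bosen's first post describes. In a real deployment the hash list itself has to be stored where code in the user's session cannot rewrite it, for the same reason.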