From virus-l@lehigh.edu Fri Oct 2 16:49:01 1992
Return-Path:
Received: from csmes.ncsl.nist.gov (HAMLET.NCSL.NIST.GOV) by csrc.ncsl.nist.gov (4.1/NIST) id AA09402; Fri, 2 Oct 92 16:48:17 EDT
Posted-Date: Fri, 2 Oct 1992 16:04:24 -0400
Received-Date: Fri, 2 Oct 92 16:48:17 EDT
Errors-To: krvw@cert.org
Received: from Fidoii.CC.Lehigh.EDU by csmes.ncsl.nist.gov (4.1/NIST(rbj/dougm)) id AA07682; Fri, 2 Oct 92 16:43:04 EDT
Received: from (localhost) by Fidoii.CC.Lehigh.EDU with SMTP id AA11501 (5.65c/IDA-1.4.4); Fri, 2 Oct 1992 16:04:24 -0400
Date: Fri, 2 Oct 1992 16:04:24 -0400
Message-Id: <9210021910.AA19585@barnabas.cert.org>
Comment: Virus Discussion List
Originator: virus-l@lehigh.edu
Errors-To: krvw@cert.org
Reply-To:
Sender: virus-l@lehigh.edu
Version: 5.5 -- Copyright (c) 1991/92, Anastasios Kotsikonas
From: "Kenneth R. van Wyk"
To: Multiple recipients of list
Subject: VIRUS-L Digest V5 #159
Status: R

VIRUS-L Digest   Friday,  2 Oct 1992    Volume 5 : Issue 159

Today's Topics:

F-PROT 2.05a -- available yet ??? (PC)
lanprotect (PC)
VIRAX anti virus prgrm (PC)
Re: Product Test 45, Virus Prevention Plus, version 5.10 (PC)
Re: Viruscan (PC)
Bloomington virus? (PC)
Maltese Amoeba virus (PC)
A few questions (Stardot/V801/Michelangelo) (PC)
VIRSCAN detects Yankee-Doodle 2885 (PC)
"Eagle has landed" = virus??? (PC)
re: A virus infecting Windows executables found (Windows) (PC)
Stoned on non-dos partition (PC)
Form Virus (new variant or extra info?) (PC)
Brazil Virus (PC)
Request on Brazil Virus! (PC)
The Harmless Virus
network security
more network security
Re: The Hacker Files (Vol 5 #156)
Computer virus used for attempted blackmail

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc.
(The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@LEHIGH.EDU. Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .

Ken van Wyk

----------------------------------------------------------------------

Date:    Mon, 28 Sep 92 22:20:06 +0000
From:    mramey@milton.u.washington.edu (Mike Ramey)
Subject: F-PROT 2.05a -- available yet ??? (PC)

A message from Fridrik Skulason dated 18 Sep 92 announced his intention to "upload 2.05a right after this weekend". Have I missed it? Is it available? If so, where?

Thanks, -Mike Ramey, UW, Seattle.
-- 
-Mike Ramey, 685-0940, U W Civil Eng, FX-10, 171 Wilcox, Seattle WA 98195.

------------------------------

Date:    Tue, 29 Sep 92 12:13:00 +1000
From:    MISHRA@qut.edu.au
Subject: lanprotect (PC)

Can anybody out there give me some info on LANPROTECT? Thanx!

------------------------------

Date:    Tue, 29 Sep 92 12:11:00 +1000
From:    MISHRA@qut.edu.au
Subject: VIRAX anti virus prgrm (PC)

Does anybody out there know the distributors of an anti-virus program called VIRAX in Australia?

------------------------------

Date:    Tue, 29 Sep 92 10:03:41 -0400
From:    padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Re: Product Test 45, Virus Prevention Plus, version 5.10 (PC)

>From: Chris McDonald ASQNC-TWS-R-SO :
> b. I tested the product on a Zenith 248, MS-DOS 3.30 and on a Gateway 2000
>386/25, MS-DOS 5.0.  The minimum system requirement, according to the
>documentation, is IBM or MS-DOS, version 3.3, 4.0, or 5.0 with 512K of free
>memory.
>The documentation does identify that certain hardware vendors, such as
>Wyse, Zenith, Tandon and NEC, may modify DOS resulting in incompatibilities
>with Virus Prevention Plus.

Just a bit of clarification here. I do not have the referenced product, however I have experienced some of the incompatibilities alluded to above:

1) Zenith - early PC and XT (models 151, 158, & 159) with the Zenith clock/calendar add-on had a habit of writing to the DOS Boot Record (DBR) if not told to quit. I have not seen it exhibited on AT (248) or later equipment. Early HP Vectras are said to exhibit the same behaviour though I have not seen this.

2) Tandon - uses a custom BIOS that actually checks the BIOS for a valid partition table (bravo !), permits boot selection (as do Zeniths and NECs) & will halt the boot if not found. Some earlier Tandons with large disks used a sector size of 1024 bytes instead of 512 bytes. Both have been known to cause problems with non-compliant access control and anti-viral programs.

One final comment on the Zeniths - Several people have noted the boot device selectability while others have said it does not work. My experience is as follows - it works, but if a hard disk is not found, the BIOS will fall back to the first floppy drive. This check appears to be made before any BIOS extensions are loaded, thus if the Zenith BIOS is set to "none", as when a hardcard or non-Zenith-standard controller is used, the BIOS will revert to boot from floppy drive A no matter what the setting.

Incidentally, for several reasons I consider the Zenith one of the best software development/testing machines made and if more companies used them for Alpha testing, there would be much less buggy code released. In the best American (Anglo-French ? - well, I like Facel-Vegas too) tradition, they always seem to be able to do more than you expected. Will admit they do seem to appreciate a gentle touch.
Warmly,
Padgett

(Zenith donations accepted 8*)

------------------------------

Date:    Tue, 29 Sep 92 10:46:34 -0400
From:    cee1@Ra.MsState.Edu (Charles Evans)
Subject: Re: Viruscan (PC)

SCAN 89 (haven't tried 95 yet) found no viruses; however, at my university during lab, using QuickBASIC, I was tidying up a small program, fixing output and such, and all of a sudden, I kid you not, the computer started typing by itself, all over the place, and sometimes it would block text and somehow hit the controls to start compiling. I was hoping that it would not find the keys to either save or delete the text it blocked. So I frantically shelled to DOS (it would not let me for a bit) and at DOS it STILL typed by itself. I got a student and my professor to verify it. We were clueless. We ran SCAN 89 (what was in the lab) and found nothing. Fortunately it did not overwrite what I had.

Any viruses/new ones known for such a thing? It was really disturbing; about 10 minutes before the incident started, I had left for a few minutes to get some lunch. If it had started throwing up on the screen while I was gone, I probably would have returned to a screen with WordPerfect or Norton WIPEDISK or something. It also showed a FEW extended characters, but mostly tabs, alphanumerics, and somehow function keys and Alt/Ctrl characters.

Any help in this matter would be appreciated.
-- 
+--------------------+-----------------------+------------------------+
| Charles E. Evans   | cee1@ra.msstate.edu   | Fear God               |
| iDLE CHATTEr       | cee1@MSSTATE.BITNET   | Love the brotherhood   |
| Idle chatteR       |cevans@abe.msstate.edu | Pray without ceasing   |
+--------------------+-----------------------+------------------------+

------------------------------

Date:    29 Sep 92 15:50:31 +0000
From:    wew@naucse.cse.nau.edu (Bill Wilson)
Subject: Bloomington virus? (PC)

Can anyone tell me about the Bloomington virus and how to get rid of it?
We have a number of machines in our lab that somehow were infected with this strain. Does the latest Central Point Anti-Virus handle this one? Thanks.
-- 
Let sleeping dragons lie........         | The RoleMancer
--------------------------------------------------------------------
William Wilson (wew@naucse.cse.nau.edu | wilson@nauvax)
Northern AZ Univ
Flagstaff, AZ 86011

------------------------------

Date:    Tue, 29 Sep 92 16:05:16 -0400
From:    "David M. Chess"
Subject: Maltese Amoeba virus (PC)

samsung!ulowell!cps.msu.edu!reno@uunet.UU.NET (Gerald L Jr Reno) asks about the Maltese Amoeba virus, and Vess gives a good summary of what it does. A tiny bit more non-technical information: it's also known as the "Grain of Sand" virus (by us at IBM) and the "Irish" virus (by McAfee Assoc and perhaps others). It's been in IBM's virus scanner since last November or so (version 2.1.6 and after). There was a small wave of reports around the turn of the year, but I don't think we've seen any lately.

DC

------------------------------

Date:    Tue, 29 Sep 92 16:09:51 -0400
From:    "David M. Chess"
Subject: A few questions (Stardot/V801/Michelangelo) (PC)

> From: "NBECC::KENNEY"
>- are StarDot and V801 related?

(Other folks have already answered the other questions very nicely).

Yes! In fact, the two viruses are called StarDot-789 and StarDot-801. They differ in that the latter has 12 extra NOPs in it (and other addresses are adjusted accordingly). Otherwise they are identical. Don't know why any anti-virus tool would repair them incorrectly; they are easy to verify and remove (any "disinfector" that doesn't verify that it's dealing with the usual virus before removing, or otherwise make sure that the result is the same as before infection, should of course be chucked into the sea at once, or at least not used to disinfect important files). Perhaps just a bug that they can fix.

-- 
David M.
Chess                          \  Femmes aux tetes de fleurs
High Integrity Computing Lab   \  retrouvant sur la plage la
IBM Watson Research            \  depouille d'un piano a queue

------------------------------

Date:    Tue, 29 Sep 92 16:19:41 -0400
From:    "David M. Chess"
Subject: VIRSCAN detects Yankee-Doodle 2885 (PC)

> From: mechalas@mentor.cc.purdue.edu (John Mechalas)

Sorry for the delay in responding! I was out last week on vacation...

> 1) Does VIRSCAN have a tendency to cause a false positive
>    for Yankee Doodle?  I think we really do have a virus, but
>    I'd like to check this option anyway.

No! We know of no 2885 false positives at all, so if you've gotten reports in multiple files, it's almost certainly a real infection. (If you'd like to uuencode and send me an infected file, I'd be glad to verify the exact identity.)

> 2) I check F-Prot's virus base, but of course every virus is
>    labeled differently between scanners. :)  Which version of
>    Yankee Doodle do we have, as in what does this strain do?

I think F-Prot calls it "Yankee (TP-44)". Not too atrociously different! *8) It's not a fascinating virus; it infects COM and EXE files, and sometimes plays the tune Yankee Doodle at 5pm. It also alters the Bouncing Ball virus, if it finds it in memory, but that basically never happens so isn't interesting (the alteration causes the altered BB to eventually stop spreading, as I recall).

-- 
David M. Chess                     Objects In Mirror
High Integrity Computing Lab       Are Closer Than They Appear
IBM Watson Research

------------------------------

Date:    Tue, 29 Sep 92 16:28:48 -0400
From:    "Don Medal"
Subject: "Eagle has landed" = virus??? (PC)

I have a user who swears her computer sometimes comes up with the following message flashed briefly on the screen: "The eagle has landed", and that it usually won't boot. I must say I panicked, dug out our crusty tools and couldn't find anything.
I can't find any reference in the lists to this phrase, but I have this annoying feeling that I've read of it once in this context. When our user support guy goes and checks the machine it checks ok (Central Point AV) and all *he* sees is "Eagle II VGA Bios" on the screen for an instant. The user is adamant that she is correct...

Does anyone recognize the first phrase ("The eagle has landed") as meaning anything?

Thanks for any help. We aren't allowed to shoot users here.

Don
----------------------------------------------------------------------
Don Medal                        internet: medal@mail.crk.umn.edu
Dir UMC Computing Services       116 Dowell Hall
voice:(218) 281-6510 ext 432     home:(701)746-7779
Crookston, MN 56716              fax:(218) 281-5223
------------------------------------------------------------------------

------------------------------

Date:    Tue, 29 Sep 92 16:23:45 -0400
From:    "David M. Chess"
Subject: re: A virus infecting Windows executables found (Windows) (PC)

>From: Ari.Hypponen@hut.fi (Ari Hyppönen)
>A new virus capable of infecting Windows executables has been
>found...
>  2. The virus searches for a suitable victim file (*.EXE)
>     from the current directory using DOS INT 21, AX=4E, 4F
>     services...
>- The virus might be able to infect OS/2 files also.  This
>  has not been tested...

Thanks for the interesting writeup! One thing to note: although it may mistake OS/2 executables for Windows executables and therefore insert itself into them, if it uses DOS INT21 services to do its infection it will *not* be able to infect under OS/2 (because of course you don't get services from OS/2 by doing INTs). So while it may accidentally mess up OS/2 files, it cannot actually operate and spread under OS/2 unless it is considerably more complex than this writeup suggests. (Just want to squelch any "OS/2 VIRUS!" rumors before they start...)
DC

------------------------------

Date:    Wed, 30 Sep 92 05:17:55 +0000
From:    hani@gu.uwa.edu.au (Hani Jabr)
Subject: Stoned on non-dos partition (PC)

The machine at work is currently running on non-standard PC-MOS version 6.1 to 6.2. This is bad. A Stoned virus has somehow attached itself to the hard disk and copies itself to all the floppies inserted in all the floppy drives. I would appreciate anyone getting back to me about how Stoned works, or where it may rest on the hard disk. The simple solution of deleting the partition and reinstalling won't work because the program we use has a database, backed up and infected.

Thanks for any help you may give me.

P.S. Any information on Stoned will probably be helpful, so don't hesitate to mail me.

[HAN]

------------------------------

Date:    Wed, 30 Sep 92 09:17:41 -0400
From:    "Perry Rovers, DEA/IM 2288"
Subject: Form Virus (new variant or extra info?) (PC)

Hi, the university I work for has had quite a few cases of infections with the Form virus lately (at least it's detected by ViruScan 95 and F-Prot 2.05 as Form virus). The thing is: this virus wipes the hard disk after a number of boots. This is not in VSUM. Furthermore, if a diskette in A: is infected and you go to B:, copy a thing from A: and do a dir, B: is still not infected? (B: 5-1/4, A: 3-1/2) CleanUp can't clean it from 5-1/4, 360K diskettes; F-Prot can (+ for F-Prot). That's just a note for McAfee.

Regards,
Perry

------------------------------

Date:    Fri, 02 Oct 92 02:20:07 -0400
From:    Teresa Thompson
Subject: Brazil Virus (PC)

HI, I'm helping some friends in Brazil, who are having some problems with a new kind of virus, called "Brazil Virus". They asked me to write this email to you, to check out if you have any information on this new virus, and also if you know of any programs that could detect it, before it reaches the hard drive and locks up the computers.
If you have any information on this virus, or some idea that could help them, please write an email to Gomide@APQ.FAPESP.BR. I'm sure they'll appreciate it!

THANK YOU VERY MUCH FOR YOUR HELP,

Teresa Thompson
Tcthompson@ucdavis.edu

------------------------------

Date:    Thu, 01 Oct 92 12:44:16 -0400
From:    ARTHUR@brfuel.bitnet
Subject: Request on Brazil Virus! (PC)

Some subscribers from a Brazilian list have reported a virus that erases the FAT and blocks the computer (PC). They related that the following antivirus programs weren't able to find this virus:

- Norton AntiVirus 1.5
- Central Point Antivirus 1 U 2.2
- Scan/Clean 7.6v80
- Vshield v80

Could someone help us?

LUIZ ARTHUR PAGANI
DEPARTAMENTO DE LETRAS VERNACULAS E CLASSICAS
CENTRO DE LETRAS E CIENCIAS HUMANAS
UNIVERSIDADE ESTADUAL DE LONDRINA
LONDRINA - PARANA' - BRASIL
CAIXA POSTAL 6001 - CEP 86051-970
TEL: (0432) 21-2000 RAMAL 428
FAX: (0432) 27-6932
E-MAIL: ARTHUR@BRFUEL.BITNET
RESIDENCIA: R. PARANAGUA', NO. 2035, APT. 203 - CENTRO - LONDRINA
CEP: 86.015-030
TEL: (0432) 23-9956

------------------------------

Date:    Mon, 28 Sep 92 22:46:25 -0400
From:    WHMurray@DOCKMASTER.NCSC.MIL
Subject: The Harmless Virus

Padgett Peterson notes that:

>Problem is that many viruses do not attach themselves properly to files &
>overwrite part of the file or lose the original pieces.  Once this happens
>the file cannot be reconstructed.  Unlike the movies where every virus does
>exactly what it is supposed to, in the real world virus code is incredibly
>buggy.  Possibly this is because those people who could write one without
>bugs won't 8*) - but don't count on it. (do you hear an echo
>here ?)

I would like to suggest that the problem is more fundamental than simply one of skill. Writing a perfectly harmless virus requires a perfect knowledge of the environment. Not only must the writer understand the execution environment perfectly, but he must also understand the population perfectly.
Padgett observes:

>For instance, Michelangelo is known to foul up 720k floppies, not deliberately,
>but because it *assumes* that all non-360k floppies are the same.

This is a simple oversight, but writing the perfectly harmless virus requires this knowledge plus perfect knowledge of all other relevant factors about every system in the population. Such perfect knowledge is impossible.

____________________________________________________________________
William Hugh Murray                     203-966-4769
Information System Security             203-326-1833 (CELLULAR)
DOCKMASTER                              MCI-Mail: 315-8580
TELEX: 6503158580                       FAX: 203-966-8612
Compu-Serve: 75126,1722                 49 Locust Avenue, Suite 104
PRODIGY: DXBM57A                        New Canaan, Connecticut 06840

------------------------------

Date:    Tue, 29 Sep 92 11:42:29 -0400
From:    Brian Seborg
Subject: network security

Vesselin Bontchev writes:

>seborg@csrc.ncsl.nist.gov (Brian Seborg) writes:
>> Patricia Hoffman's VSUM lists the 1530 virus as CB-1530
>> (according to her July 1992 version).  Your description seems to
>> more closely resemble the 1963 virus.  Both of these viruses are
>> related to the Dark Avenger Virus so this may account for
>> McAfee's seeming mis-identification

>Two points: First, as Frisk mentioned, it was a completely new
> virus (Alexander), not even belonging to the Dark_Avenger family.

So I see, however, my submission was in the mail before Frisk had made this conclusion. Not having a copy of this virus, I will defer to his opinion. :-)

>Second, 1963 (Necropolis) and the Dark_Avenger viruses have
> nothing in common.  They are completely different, belong to
> different families, infect in a different way, use different
> tricks, and are written by different people.

As you can see from my posting, I only offered a plausible guess given the brief description of the original poster. I am not surprised that the virus was different.
As for 1963 having "nothing in common" with the Dark_Avenger virus, I will leave you to argue this out with Patricia since she seems to disagree with you here. Again, I was only offering a best guess, as was noted by my posting!?! I am not sure why you wasted the bandwidth to revisit this since it was obvious to any reader that no definitive answer was being provided.

>> to see if in fact you have the same beast.  Patricia's VSUM
>> should be helpful in determining if you are at least talking
>> about a similar virus or not.

>I disagree. VSUM is full of errors and not helpful at all to
>provide correct, technical virus information. In fact, I challenge
>anyone to find an entry in VSUM, which has no errors and/or
>omissions...

While I must agree that VSUM does have its share of errors, and provides little in the way of "down and dirty" technical information, I still believe it is a good reference for ballparking whether you have a particular virus or not. I have to admit that I prefer the descriptions put out by Brunnstein's students (including you) for accuracy, although the user-friendliness of the lists containing these descriptions leaves something to be desired. :-)

>Some comments about the "virus research algorithm" that you
>described (I'll save the bandwidth and will not quote it here).
>Have in mind that some viruses are very capricious and you have
>literally to feed them with a spoon, in order to make them
>replicate. The Rythem virus infects only files that are not in the
>root directory. Dr_Watson infects only AUTOEXEC.BAT. Some of the
>Astra viruses infect only device drivers. Some viruses (Tequila
>and StarShip, I think) will not

Wrong about Tequila, it infects just fine. Remember, it is a multi-partite virus and it does go TSR.

>infect, if you don't have a hard disk - because they don't go
>resident when you run an infected file, but only modify the MBR
>and wait until the user reboots... There are some other pitfalls.
> We have a huge amount of files here, about which we cannot easily
>decide whether they are viruses, trojans, buggy programs, or just
>innocent tools. They all refuse to replicate on the systems we
>have tested them, but this does not imply that they will not
>replicate on some other

But this does imply that they are unlikely to represent a threat since their survival is unlikely.

>systems. The only way to solve the problem is to disassemble each
>one of them and see what it does. And this is a LOT of work...

No disagreement here. Disassembly is obviously the best solution; however, many users are not assembly programmers, and are unlikely to be able to disassemble the virus. Also, in cases where the user notices changes in files (like the one we are speaking of) my suggested technique works well. I never said that it was "the only way," or that it would be sufficient to completely describe any virus, but it can provide important clues which could lead to a sufficient understanding of the virus so that it can be dealt with, or compared with other existing viruses to see if it is an existing virus.

Also, continually bringing up viruses which have "new" and "different" techniques that have often never been seen "in the wild", or which are only the product of an active imagination, may be a useful academic exercise, but let's put some statistics next to these viruses you have noted. Have they infected any computers at all other than in the lab? Let's be reasonable!?! I act as the CERT for a network with over 350 servers, and 10,000 nodes. In addition, we have over 3000 lap-tops. If I were "fishing" for viruses this would represent a pretty large net. Yet, we have seen very few instances of other than the garden variety pests. We have anti-virus programs in place, and catch about 1 to 3 viruses a month nation-wide, but have yet to see any of the viruses you mention (other than Tequila, which is fairly common in the USA).
Our employees are not discouraged from reporting viruses by reprimands, but are encouraged and even commended when they report a virus. I think it's time we started being realistic about the actual threat from these viruses.

Sincerely,

Brian H. Seborg
VDS Advanced Research Group

------------------------------

Date:    Tue, 29 Sep 92 11:43:02 -0400
From:    Brian Seborg
Subject: more network security

Vesselin Bontchev writes:

>As a conclusion, it is a bad idea to rely on virus disinfectors.
>Just delete the infected programs and replace them with clean
>backup copies.

I am glad that you have finally reached this conclusion. :-) We have been saying this for years!

In another posting, Vesselin writes:

>seborg@csrc.ncsl.nist.gov (Brian Seborg) writes:
>> some dismay.  Regarding the "new trend" to allow your computer
>> to boot off of the C: drive rather than the a: drive, this is
>> not new.  Hasn't anyone heard of a Zenith 248?  The military
>> only has about 650,000 of them.  This boot redirection has been
>> re-definable in cmos for some-time.  We're talking pre 1988
>> here.

>The "new" in the trend is that nowadays more and more BIOS
>producers are providing this feature.

Thanks for the clarification, I was just surprised that we were giving lauds and praises (and free advertising) to manufacturers who are just now beginning to do what Zenith did over 4 years ago, that's all. :-)

>> Regarding Cohen's paper, I guess I am somewhat tired of hearing
>> about a paper that I do not have a copy of and perhaps that is
>> making me somewhat testy, but let's be serious about network
>> security.  I hope

>The paper is in the proceedings of the 2nd Virus Bulletin
>conference. You can order the proceedings from Virus Bulletin.

Thanks, let me just pull out my wallet... :-)

>The point in Cohen's paper is that the "obvious" way to set up a
>Novell LAN is insecure, not that it is not possible to set it up
>in a secure way, or that it can be set up in an insecure manner.
Again, who said that securing a network was "obvious"? Many networks are set up in an insecure way. There are many reasons for this: lack of understanding, lack of time, lack of expertise, it's more difficult to secure a network properly than to just get it to work correctly, no understanding of security principles or common threats, etc. It is good to have papers point out that the "most obvious" ways of setting up a network are insecure, or that lack of security in network environments is common, but this comes as no surprise to security professionals. No doubt this information (as you related it) will be of use to Novell administrators, but only if they understand that security is a priority, and then only if they are given the resources by management to accomplish the task of securing the network. The bigger problem is that securing a network which has been operating in a non-secure manner for some time is probably more of a political and managerial problem than it is a technical one. Ask anyone who has to do this for a living.

>I have quoted the secure settings listed in his paper in one of my
>previous messages. Take a look at them, then take a look at the
>LANs you have seen. Are they set up in this (secure) way? Till now
>only Padgett has succeeded to figure out himself what the secure
>settings are... The average supervisor usually makes a mistake or
>two, exactly because the secure settings are not obvious. And the
>equations that I quoted concern only the effective file rights. If
>you try to take into account all inheritance masks, the task
>becomes even more difficult.

As I stated in my posting, I work in a Banyan environment; Fred's paper has little if any relevance to my environment given that it is Novell specific. Also, it seems that you and others are just getting into networks; be careful that you do not assume that securing a single server represents mastery of the topic.
I understand that Padgett may have sufficient experience to make this claim, but I doubt that he is the "only" administrator to succeed in successfully securing his network. :-)

>> need to quantify security policy, but taking common practices
>> and reducing them to set notation for the sake of publishing a
>> paper seems to do nothing to advance the field.

>I disagree. The paper clearly lists what the secure settings are,
>mentioning why any other settings can be bypassed. It emphasizes
>that the ExecuteOnly attribute should not be trusted, because it
>can be easily bypassed - and do you know how many Novell LAN users
>rely on it for protection?

Do you know how many DOS users rely on setting the DOS Attribute to Read-only for protection? But I see that this can be useful.

>> 1) Set the access rights for applications drives (file-services)
>> to read only for all users including administrators.
>> Administrators can always change the permissions back
>> temporarily when making updates or changes, but will be
>> protected from inadvertently infecting the system in general.

>Unfortunately, under Novell NetWare and Unix, the person with
>supervisor (root) privileges can bypass the protection, without
>having to modify the permissions...

I know, and that's a good point. However, I address this with another control in the posting stating that administrators (super-users) should maintain two accounts, one privileged, and one with standard privileges, and that they should use the standard account for day-to-day use. :-)

>> Some programs require users to have modification rights to
>> applications directories.  My experience suggests that most
>> programs of this sort can be set up so that users are given
>> modify rights to some files which are put in a separate
>> directory, and the application itself can still be
>> write-protected.  This is true for Paradox for

>It might be true for Paradox, but it isn't for dozens of other
>applications...
>But I agree with you that such applications have
>to be avoided.

Vesselin, you are a master of restating the obvious. Is there an echo in here? :-)

>> 2) If possible, do away with all file services where multiple
>> users have write-access (except in small groups).  "Bit Bucket"
>> file services where everyone has write access are good places
>> for Trojan Horse programs, companion, and path companion viruses
>> (or standard trojans), and, in addition, are hard to manage
>> since determining ownership is a problem.  If you must have
>> these types of file services, limit the number of users (i.e.
>> fragment them into smaller chunks, by functional working group
>> for example), and don't allow any .bat, .com, .exe files to reside
>> in these directories.  Any applications, including batch files,
>> should reside in write-protected areas.

>As I have described in my paper (available by anonymous ftp),
>there exists a form of virus attack, involving PATH-companions and
>at least one writable directory - be it the user's home directory
>on the server, or one of the local workstation's directories. The
>attack is not specific to Novell and allows a virus to bypass any
>protections and to make all protected applications look and
>behave as if they are infected. Fortunately, the infection does
>not spread between users.

I see no contradiction with my recommendations, especially since the type of attack you suggest still does not represent a threat to the network if you follow the above guidelines.

>> Also, make sure that users' path statements do not contain
>> directories where multiple people have write-access.  This is
>> not only unnecessary, but dangerous as well.

>Problem is, the PATH variable cannot be protected at all, due to
>the lack of memory protection in Messy-DOS...

True, but again, this does nothing to contradict the usefulness of the control I suggest; you merely have suggested another attack which this control does not protect against.
Securing a network or any computer is a matter of minimizing risk. There is no such thing as a 100% secure system. I see little point in dwelling on threats which present minimal risk when there are the more likely threats of a disk crash, or accidental erasure, etc. We would do well to address these risks before worrying about the threat of someone re-setting our path variable.

>The rest of your suggestions are very sound and should be
>carefully followed by all LAN users, regardless of the LAN type.

Thanks...I think. The only thing which bothers me about the above statement is that it infers two things: 1) That you are an authority on the subject. If this is so, it is commendable, since your postings indicate that you have only recently begun to work with networks; 2) That there are some of my suggestions which are not sound; if so, which ones?

Sincerely,

Brian Seborg
VDS Advanced Research Group

------------------------------

Date:    Wed, 30 Sep 92 00:27:51 -0400
From:    "zmudzinski, thomas"
Subject: Re: The Hacker Files (Vol 5 #156)

Padgett (A. Padgett Peterson) said ...

> As a result, I was able to examine the first four issues of
> what is billed to be a 12 copy series.  They would appear to be being
> successful since after the first two issues, the price went up from
> US1.95 to US2.20.

I don't know who's ripping you off, but the cover price on all four issues to date reads: [US implied] 1.95 CAN 2.50

> As the plot progresses, no hesitation is shown in making
> structural changes to NORAD and Pentagon systems.

Hey, the artists had no hesitation showing a helicopter [that couldn't hope to fly from DC to Colorado Springs -- but it does] taking off and landing on grass at the Pentagon -- the tarmac helipad should be obvious to anyone driving by on the West side of the Five-Sided Fun Factory. What's a little artistic license??? [answer: I wouldn't know -- every one I've ever seen has been HUGE!!!]
> In short, while entertaining in its fashion, hardly a good
> role model for fourteen-year-olds.

Item: Issue #4, the letter signed "T." says, in part:

>> ... My ultimate goal? Hackerdom. As a result I'm eating
>> up anything that's connected with computer science-fiction
>> and HACKER FILES is exactly what I'm looking for.
>> Do you have the specifics right? Hell, I don't know, but I'll
>> tell you this: I bet there are more kids like me hanging on
>> every word, trying to learn from your examples. ...
>> Watch out for Austin, Texas secret service [sic]!

"T." makes your point most eloquently. Some role model!

> In other words "The Hacker Files" make a graphic statement
> about the worldview of the writer, a statement that is aimed at
> impressionable minds and reminds me of the title of a novel by the
> late Robert Anson Heinlein: "If This Goes On".

RAH's "If This Goes On" [published in 1953!] showed the logical conclusion
of televangelism: a theocratic dictatorship -- something I consider FAR more
dangerous than hacking, but your heart's in the right place, Padgett.

> ps would send a copy of this to DC Comics but no E-Mail address was given.

In issue #1 on the second page of "usr/hacker/mail" (what becomes the
letters section in later issues), in the upper right-hand corner, Lewis
Shiner (the creator of "THE HACKER FILES") says:

    "These are examples of the intersection I'm trying to get between
    comics and real programming. Now I want feedback from you. One way is
    to simply sit down and write a letter to us at the address shown
    above. Because THE HACKER FILES is special, you have an alternative.
    I am in the process of setting up on-line letter columns on both the
    GEnie and CompuServe bulletin boards. The best of the mail we receive
    on-line will be reprinted here, alongside the traditional letters that
    come in envelopes."

Mr. Shiner must have been at least half-way successful as three of the
letters in issue #4 were posted through GEnie. Try there.
Tom Zmudzinski
ZmudzinskiT @ UVAX.DISA.MIL

"Reality is for people who can't handle science fiction."
    - variously attributed to Heinlein, Bradbury, or Asimov
"Trouble is, we're LIVING science fiction!"
    - me

------------------------------

Date: Wed, 30 Sep 92 03:44:03 -0400
>From: A.APPLEYARD@fs1.mt.umist.ac.uk
Subject: Computer virus used for attempted blackmail

From UK newspaper "Daily Telegraph", Wed. 30 Sept 1992 p4 col4:-

A university lecturer tried to blackmail a client company in a dispute over
pay by threatening to inject a computer virus into its computer, Newcastle
upon Tyne Crown Court was told yesterday. Dr. Roy Booth, 28, a computer
studies expert, made the threat when the firm, IMEC, of Washington, [a small
town in] Tyne and Wear [in NE England, USA!], refused to pay his 400 pound
hotel telephone bill after he had flown to Phoenix, Arizona [USA], to
develop a program for an American company, the court heard. He had run up
the bill in telephone calls to his wife, who was pregnant.

Mr. Christopher Prince, prosecuting, said that Booth, of Gateshead, Tyne and
Wear, retaliated by placing a message in the company's computer which read:
"Files are being suitably modified so that strange things will begin to
happen...".

Dr. Booth, of Newcastle University, denies blackmail, but Mr. Prince said:
"It may be true that he didn't put the virus into the machine, but the
issue is whether he was making a demand for money with menaces.".

The trial was adjourned until today.

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 159]
******************************************

Downloaded From P-80 International Information Systems 304-744-2253
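The PATH and write-access guidance in Brian Seborg's message earlier in this digest (no shared-writable directories on the PATH, no .bat/.com/.exe in "bit bucket" directories) can be checked mechanically. The following is an added example, not code from any poster, product or paper mentioned in the digest: it audits a DOS-style PATH against an in-memory picture of a file server, flags the two policy violations, and also reports any program that DOS search order (.COM before .EXE before .BAT, directories left to right) would resolve to a file in a shared-writable directory instead, which is the PATH-companion condition Vesselin describes. All directory names, file names and the writable set are constructed sample data.

```python
# Audit a DOS-style PATH for the exposures discussed in the digest: shared-
# writable dirs on the PATH, executables kept there, and companion shadowing.
# Added example; all names below are constructed sample data.
from collections import namedtuple

# DOS search order: within each PATH directory .COM beats .EXE beats .BAT,
# and directories are tried left to right.
EXT_ORDER = (".com", ".exe", ".bat")
Finding = namedtuple("Finding", "kind where detail")

def split_name(fname):  # 'WP.EXE' -> ('wp', '.exe'); no dot -> ext ''
    base, dot, ext = fname.lower().rpartition(".")
    return (base, "." + ext) if dot else (fname.lower(), "")

def audit_path(path_dirs, listing, shared_writable):
    """path_dirs: PATH entries in order; listing: dir -> set of filenames;
    shared_writable: dirs where more than one user can write."""
    findings = []
    # Rule 1: a multi-user writable directory must not appear on the PATH.
    for d in path_dirs:
        if d in shared_writable:
            findings.append(Finding("writable-dir-on-path", d, ""))
    # Rule 2: no .bat/.com/.exe may live in a shared-writable directory.
    for d in sorted(shared_writable):
        for f in sorted(listing.get(d, ())):
            if split_name(f)[1] in EXT_ORDER:
                findings.append(Finding("executable-in-writable-dir", d, f))
    # Rule 3: resolve each base name the way COMMAND.COM would; a later copy
    # shadowed from a shared-writable directory is the companion-virus case.
    winner = {}  # base name -> (dir, file) that DOS would actually execute
    for d in path_dirs:
        for ext in EXT_ORDER:
            for f in sorted(listing.get(d, ())):
                base, e = split_name(f)
                if e != ext: continue
                if base not in winner:
                    winner[base] = (d, f)
                    continue
                wd, wf = winner[base]
                risk = "high" if wd in shared_writable else "info"
                findings.append(Finding("shadowed:" + risk, d, f"{f} is shadowed by {wd}\\{wf}"))
    return findings

# Constructed sample: F:\PUBLIC is a "bit bucket" everyone can write to,
# F:\APPS is the write-protected application area.
SAMPLE_PATH = ["C:\\DOS", "F:\\PUBLIC", "F:\\APPS"]
SAMPLE_LISTING = {"C:\\DOS": {"COMMAND.COM", "FORMAT.COM"},
                  "F:\\PUBLIC": {"README.TXT", "WP.COM"},
                  "F:\\APPS": {"WP.EXE", "LOGIN.EXE"}}
SAMPLE_WRITABLE = {"F:\\PUBLIC"}
```

Running `audit_path(SAMPLE_PATH, SAMPLE_LISTING, SAMPLE_WRITABLE)` reports the writable directory on the PATH, the WP.COM stored in it, and that WP.EXE in the protected area is shadowed by it; a layout with applications only in write-protected areas returns nothing.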
