From: Kenneth R. van Wyk (The Moderator)
Errors-To: krvw@CERT.ORG
To: VIRUS-L@IBM1.CC.LEHIGH.EDU
Path: cert.sei.cmu.edu!krvw
Subject: VIRUS-L Digest V5 #119
Reply-To: VIRUS-L@IBM1.CC.LEHIGH.EDU
--------

VIRUS-L Digest   Tuesday, 23 Jun 1992    Volume 5 : Issue 119

Today's Topics:

"Do you detect the MtE?" (PC)
A problem with F-Prot 2.04 (PC)
Lets not forget the "little people" (PC, sort of)
1530 Virus (PC)
McAfee VIRUSCAN Mirror sites (PC)
pc-emulators and Re: F-PROT & DRDOS (PC & Unix)
Hardware protection (PC)
Imprecise scanners (PC)
Re: Zipped Viruses (PC)
Azuma (PC)
Yet another McAfee agent goofed... (PC)
Drive Conflict with VSHIELD (PC)
SCUD Virus ??? (PC)
Re: No Frills 2/3 Scanner needed! (PC)
Re: Request for Info on PC-Cillin (PC)
Re: scan 91 et al - reported as trojan?? (PC)
Re: Virus Program for a Macintosh? (Mac)
Re: Theoretical questions
COMPUTER ETHICS CURRICULUM KIT
Call for Papers - EICAR Conference, December 1992

VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. (The complete set of posting guidelines is available by FTP on cert.sei.cmu.edu or upon request.) Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. A FAQ (Frequently Asked Questions) document and all of the back-issues are available by anonymous FTP on cert.org (192.88.209.5). Administrative mail (comments, suggestions, and so forth) should be sent to me at: .
Ken van Wyk

----------------------------------------------------------------------

Date:    17 Jun 92 09:04:58 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: "Do you detect the MtE?" (PC)

We just got a visit at the VTC from a person who worked for an anti-virus company. He told us that their users keep calling them and ask "Can your product detect the MtE?". So he decided to come and have their product "tested" against the MtE - he wanted a kind of certification that the product is able to detect these viruses...

Till now everything seems OK, but their product was not a scanner! It was a monitoring program... :-) Therefore, it had no problems to detect the attempts of the three silly MtE-based viruses to spread. Of course, it completely missed some advanced tunneling viruses like Dir II, but this was not their concern - they "detected the MtE"!... :-)

The level of ignorance of some people, as well as the common misconception that "anti-virus program == scanner", has always amazed me... Therefore I decided to post this message, so that at least the readers of Virus-L/comp.virus can get the things right. Most of you probably know already the things that I am going to explain, so sorry for the wasted bandwidth.

As Yisrael Radai has posted recently, there are about 13-15 different kinds of anti-virus programs. However, most of them can be grouped into three main types: scanners, monitors, and integrity checkers.

Scanners are programs that look for a sequence of bytes that is likely to be present in all infected files (because it is present in the virus) and not to be present in the non-infected ones. Scanners are relatively easy to maintain and update, but are unable to detect unknown viruses and tend to be too large and slow when the number of viruses known to them exceeds a certain limit.

The polymorphic viruses are an attack against the scanning programs. They constantly modify themselves, so that each new copy of the virus looks different. Since there is no sequence of bytes which is present in all variants of the virus, they cannot be detected with a simple scan string. A more advanced (algorithmic) approach must be used. The MtE-based viruses are extremely polymorphic, therefore they pose a problem to the scanners.

So the correct question is: "Is your scanner able to detect the MtE?". If the product is really a scanner, then the correct answer is either "yes" or "no" - such things as "in 99.99% of the cases" are nothing more than marketing tricks and mean "no". If the product is not a scanner, then the correct answer is "Our product is not a scanner (it is a monitor, or an integrity checker), so it has no problems to detect the current MtE-based viruses".

Stealth viruses are also an attack against the scanners. When active in memory, these viruses subvert the disk access requests to the infected objects, so that they look as non-infected. The correct question here is "Is your scanner able to detect (and possibly deactivate) the currently existing stealth viruses in memory?".

The monitoring programs constantly monitor those functions of the operating system that are likely to be used by viruses, and either deny them entirely, or each time ask the user for confirmation. Unlike the scanners, they are not virus-specific and need no updating. However they cause a lot of false positive alerts and tend to be too obtrusive to the user.

Viruses which attack the monitoring programs are called "tunneling". They are able to "tunnel" through the protection by calling DOS or BIOS directly. Due to the lack of memory protection under DOS, -any- monitoring program can be bypassed. There are about a dozen different tunneling tricks, most of which cannot be stopped.

The polymorphic viruses pose no problems to the monitoring programs - if they do not use tunneling, of course. However, a virus could be both polymorphic and tunneling, therefore evading both scanners and monitoring programs. The current three viruses that use the MtE are only polymorphic. They are not tunneling.

At last, the integrity checkers periodically compute some kind of checksums of the executable code and watch them for modification. The basic idea is that a virus is a program which infects other programs (according to Fred Cohen's definition) and therefore causes modifications to them. If implemented and used correctly, an integrity checker is able to find any virus. The integrity checkers are not virus-specific, so they don't need updating. Their main problem is that they detect modifications, not viruses, so often cause false positives.

Neither the polymorphic, nor the tunneling viruses pose any problems to the integrity checkers. The stealth viruses do however, as well as some other forms of attacks, specific to the integrity checking software. Most of these attacks can be prevented by designing the integrity checker in a more intelligent way. The only problem is that the developers of integrity checking software must be aware of these attacks and take the necessary steps against them. A paper describing these attacks, as well as what has to be done in order to prevent them, is going to be presented at the Virus Bulletin conference in September. As soon as the paper gets published, I'll make it available for anonymous ftp.

The correct question in the case of the integrity checking software is "Is your program aware of the possible attacks against the integrity checking programs and what do you do to stop the stealth viruses?". While the stealth viruses cannot be stopped in all cases (regardless of what the marketoids are trying to tell you), several steps can be taken to stop most of the known stealth techniques. Of course, the only foolproof method is to always boot from a non-infected write-protected system diskette before doing any virus hunting.
Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
** PGP public key available by finger. **    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date:    17 Jun 92 20:35:04 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: A problem with F-Prot 2.04 (PC)

I just tried F-Prot 2.04 on our virus collection. Seems to be amazingly fast and showed a very high detection rate. There is one problem, however. The EXE files infected by any versions of the Dark Avenger virus (1800, 2000, 2100) are recognized correctly, but flagged as e.g., "Infection: Dark Avenger (1800) - Modified (536 extra bytes)". Don't worry if you see this message - it is not a new variant of the virus, but a bug in F-Prot. These viruses are quite widespread, so I thought that I'd better post this publicly. The bug has been reported to Fridrik Skulason, of course.

Some other viruses (e.g. SVC) are also flagged as "modified" in the EXE files, but these viruses are not so widespread.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
** PGP public key available by finger. **    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date:    Wed, 17 Jun 92 15:17:40 -0700
From:    rslade@sfu.ca (Robert Slade)
Subject: Lets not forget the "little people" (PC, sort of)

An interesting comment forwarded to me this week ...

13-JUN-1992 20:54
From: MUKLUK::DAVIDPM "David P. Maroun, Vancouver PC LUG editor"
Subj: McAfee's SCAN

A note on McAfee's SCAN version 8.9B, which I recently tried out:

The program requires more memory than previous versions did, and also needs MS-DOS 3 or higher. When I tried running this SCAN under Rainbow MS-DOS 2.01 or 2.11-1, or under IBM PC-DOS 2.1, the program just said it could not open "" to compute a checksum. On the other hand, the program's '/M' option now lets it scan Rainbow memory. Since I usually use '/CHKHI' to scan memory, the advantage is largely lost for me, while the inability to run under MS-DOS (or IBM PC-DOS) 2.xx is a serious handicap. Possibly SCAN can be renamed so that it can find itself under the older versions of the operating systems, but so far I have not been able to determine the required name.

=============
Vancouver      ROBERTS@decus.ca         | Life is
Institute for  Robert_Slade@sfu.ca      | unpredictable:
Research into  rslade@cue.bc.ca         | eat dessert
User           CyberStore Dpac 85301030 | first.
Security       Canada V7K 2G6           |

------------------------------

Date:    Thu, 18 Jun 92 02:32:07 +0000
From:    satmech@ecst.csuchico.edu (satmech)
Subject: 1530 Virus (PC)

Just recently, I found a few .COM files on my system infected with the 1530 Virus. Norton AV and an old version of scan wouldn't detect it, only scan90 and scan91 found it. Can someone tell me more about this particular virus or where to find detailed info on it?

Thanks.

satmech@cscihp.ecst.csuchico.edu

------------------------------

Date:    Thu, 18 Jun 92 03:00:49 +0000
From:    ins894r@aurora.cc.monash.edu.au (Aaron Wigley)
Subject: McAfee VIRUSCAN Mirror sites (PC)

Are there any restrictions on making McAfee's VIRUSCAN software available for anonymous ftp, i.e. distribution to individual users? I have been making VIRUSCAN available for access by Students at Monash University freely, but recently someone has queried the legality. In an obvious Panic I have suspended access to it, pending what I hear.

Can anyone refer me to McAfee? Their Internet Email address if they have one, or if need be Snail mail addresses (preferably in Australia).

Aaron Wigley
ftp@yoyo.cc.monash.edu.au

------------------------------

Date:    Thu, 18 Jun 92 15:47:00 +1200
From:    "Mark Aitchison, U of Canty; Physics"
Subject: pc-emulators and Re: F-PROT & DRDOS (PC & Unix)

frisk@complex.is (Fridrik Skulason) writes:
> HRZ090@DE0HRZ1A.BITNET (Dr. Martin Erdelen) writes:
>>1) What does the message "invalid program" mean?

On the same subject, I found F-PROT's heuristics were getting upset over some .COM files recently - which puzzled me until I looked at them... they were copied from a VAX where .COM files are text! (Moral of story: not all .COM and .EXE files on a PC might be PC programs). But corrupted programs are more likely, of course - if the file size is a multiple of 512 bytes it may be that a copy was made some time when disk space was short - not all copying programs delete the partial file in such cases. Another great way to get a corrupted file is to use an old version of BACKUP which puts a whole lot of nuls at the start, then copy the file from diskette instead of using RESTORE.

>>2) Several users reported problems when trying to run VIRSTOP (v.
>> 2.01) under DR-DOS v. 6.0.
> ...
> Well, it does not seem to happen on all machines - I know of people
> using DR DOS 6, who are using VIRSTOP without any problems whatsoever.

Is it related to the order in which things are loaded, or what is loaded, I wonder?

And now for something completely different...

I've just been playing with a PC emulator for Unix called pcm (free software from Electronetics, Inc; I don't know an address for them). It has some limitations which might be an advantage for virus spotting. I thought of using a Data General DG10 for virus spotting (it has two processors; the 8086 has to ask the minicomputer's permission to access any files; IO is easily trappable). In a similar way this PC emulator (with source, goody gumdrops!) could be tailored to watch for anything out of the ordinary (the only problem at the moment is it traps too much!)
Has anyone tried doing such things before? If not, is anybody else interested in the modified emulator (built mainly for Unix environments, it seems)?

Mark Aitchison.

------------------------------

Date:    Thu, 18 Jun 92 09:25:18 +0000
From:    raju@dcs.qmw.ac.uk (Daryanani)
Subject: Hardware protection (PC)

In recent weeks I've been seeing a growing number of advertisements for boards that plug into PCs and supposedly protect the machine not just from currently known viruses, but from viruses that have not even been written yet. The latest board I've come across is from Certus and is called Novi (or something like that).

The first such hardware device I came across last year claimed that it monitored the bus for virus activity at all times & hence stopped them from working. In discussions with some other persons who were interested in stopping viruses we came to the conclusion that as far as detection of new viruses was concerned this claim was a load of crap.

To me these boards seem especially vulnerable since a virus writer who had access to one can specifically write his virus to detect the presence of the board and circumvent it.

Since I'm no expert on viruses, just someone who's had enough problems with them already, I was wondering what those more knowledgeable about viruses than me think about these boards.

Raju

- --
Raju M. Daryanani
raju@dcs.qmw.ac.uk

------------------------------

Date:    Thu, 18 Jun 92 11:23:34 -0500
From:    Stefano Toria
Subject: Imprecise scanners (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) says:
> SCAN is -very- unreliable for virus identification. NEVER believe it
> anything it says about the virus name, number of viruses found, or the
> virus' properties (in VIRLIST.TXT). The only thing it does pretty good
> is to tell you whether the object (file or boot sector) is infected
> (with anything) or not.
> ...
> Solomon's Anti-Virus ToolKit has better identification, but still not
> good enough (it doesn't always make the difference between variants

This is not the first time that I read this assertion, either on VIRUS-L or elsewhere. I would be very much interested in some detailed facts, such as names of strains and variants that SCAN and/or Solomon get mixed up with.

Thanks in advance.

- -------------------------------------------------------------------------
Stefano Toria           | MC-link, Rome, Italy | "Fatti non foste a viver come bruti,
Voice: (+ 396) 4180300  |                      |  ma per seguir virtute e conoscenza"
Fax:   (+ 396) 8413057  |
- -------------------------------------------------------------------------

------------------------------

Date:    18 Jun 92 19:00:01 +0000
From:    vail@tegra.com (Johnathan Vail)
Subject: Re: Zipped Viruses (PC)

sbonds@jarthur.Claremont.EDU (007) writes:

mwb@wybbs.mi.org (Michael W. Burden) writes:
>Even better yet: Make sure you get a clean copy of your anti-virus
>tools BEFORE you get infected, put them on a floppy, write protect
>it, and NEVER run these programs from the hard disk.

Always the best thing to do before starting any sort of virus scanning.

Would it be feasible to write a virus defense package that would ONLY run after booting from a clean, write-protected floppy? The programming aspect is fairly straightforward, but would people accept a product like this? Ideally it would include a known clean copy of DOS with it, but this could cause problems with copyright laws, etc.

Ideally it would boot itself and not use DOS or BIOS at all. Do all its own disk I/O. Or maybe it would have to use BIOS after all for SCSI and other non-pc-standard disks. Of course, this is only good for scanning which by itself is of limited value.

jv

Law of Stolen Flight:
    Only flame, and things with wings.
    All the rest suffer stings.
 _____
|     | Johnathan Vail     vail@tegra.com     (508) 663-7435
|Tegra| jv@n1dxg.ampr.org  N1DXG@448.625-(WorldNet)
 -----  MEMBER: League for Programming Freedom (league@prep.ai.mit.edu)

------------------------------

Date:    Thu, 18 Jun 92 15:14:35 -0500
From:    Mike 'the one with the grenade' Potaczala
Subject: Azuma (PC)

I am trying to find out more information about the Azuma virus. I could not find anything on it in the McAfee documentation and McAfee did not detect it. Norton Anti-Virus did find it, but the person who has this virus problem does not have documentation for Norton Anti-Virus and therefore I wasn't able to check it. I would appreciate any information on this virus that is available.

------------------------------

Date:    19 Jun 92 15:30:49 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Yet another McAfee agent goofed... (PC)

Hello, everybody!

We received yet another bulletin, issued by a McAfee Associates agent. This time he not only misinterprets our test results, but tells plain lies to his customers. Unfortunately, the original text is in German, so I am posting here a rough translation.

- ---------cut here--------

Mutating Engine is no longer a danger for protected computers

As reported by KIRSCHBAUM SOFTWARE, users of VIRUSCAN should not be afraid of the new generation of mutating or polymorphic viruses. Version 91 (from June 1992) safely detects all viruses developed under use of the fearful mutating engine.

Since its first appearance in European BBSes at the beginning of this year, Dark Avenger's Mutating Engine led to worries among experts. In the past viruses like Jerusalem or Michelangelo had characteristic and unique identifications to detect them. With the Mutating Engine now nearly every programmer is able to write a mutating and therefore hard to detect virus. ... It is not known exactly where the engine is from. ...Dark Avenger took part in this development.

Since version 90 VIRUSCAN uses a new virus detection technique, based on statistical and numerical analyses. MTE is detected by its presence instead of a byte by byte check. Due to recent experiences VIRUSCAN was able to detect all viruses built by the Mutating Engine safely. In total VIRUSCAN is now able to detect app. 1300 viruses out of nearly 600 families.

Kirschbaum Software supplies more information about the conditions to use McAfee products.

Kirschbaum Software GmbH
Kronau 15
W-8091 Emmering b. Wbg.

- ---------cut here--------

Kirschbaum is an official agent for McAfee Associates in Germany (listed in the file AGENTS.TXT). What he says is a plain lie. VIRUSCAN version 91 is UNABLE to detect the MtE-based viruses reliably. The tests of the VTC-Hamburg clearly demonstrated it. The following programs SUCCEEDED to detect ALL Fear (an MtE-based virus) mutations that were generated during the tests (9468):

    UTScan 23.00.12 (the scanner from Untouchable)
    F-Prot 2.04
    FindVirus 4.20 and above (the scanner from Dr. Solomon's Anti-Virus ToolKit)
    VirHunt 3.1A (the scanner from Data Physician Plus)
    VIRSCAN 2.2.3A (IBM's scanner)
    AntiVir IV 4.03 of June 9, 1992 (reports two viruses if the virus is not encrypted)

Note that our tests are not able to prove that a particular scanner detects the virus in all cases; they are only able to find if it is NOT able to detect the virus reliably.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
** PGP public key available by finger. **    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date:    Mon, 22 Jun 92 10:23:20 +0700
From:    Vincent Tracey
Subject: Drive Conflict with VSHIELD (PC)

Hello Netters, HELP!!

I loaded the McAfee Vshield 4.9V91 onto Zenith 248 systems with the /CHKHI switch set.
The VShield programs are in a separate directory C:\mcafee which is included in the autoexec.bat path command. These systems run MS DOS 3.30, BIOS 3.30.05 and a config.sys of 25 files and buffers. No devices are loaded via autoexec or config files.

My problem is - when searching diskettes via DIR A: - the floppy drive (360K) returns a directory listing of the first disk, when a second diskette is searched the listing from the first diskette is returned. When Vshield is deleted from the system the directory listings work fine.

We have had several virus attacks recently (Jer B and Stoned variant - :-( , and our higher headquarters requires McAfee protection be used. I am not schmart enough to figure out the problem. Any/ALL help will be greatly appreciated. Please respond via e-mail to below addresses. Also I am interested to know if anyone else has experienced this problem.

Thanx,
Vincent Tracey                  E-mail: traceyv@heidelberg-emh2.army.mil
Security Investigator                   aeusg-hd-po-s@heidelberg-emh2.army.mil
BSB-HD Security Office          Phone: (049)6221-57-8054/6456
APO AE 09102                    DDN 370-8054/6456
/////////// INFORMATION SYSTEM'S SECURITY IS EVERYONE'S BUSINESS \\\\\\\\\\\\

------------------------------

Date:    Tue, 23 Jun 92 01:44:03 +0000
From:    fveillet@sobeco.com (f.veillette)
Subject: SCUD Virus ??? (PC)

Hi There!

A friend of mine without Net access, asked me some info about the SCUD virus on PCs. I don't know much about viruses, so the question is: Where can I find a scanner and a disinfectant program (a Patriot???) for this virus?

Thanks in advance for your help.

- --
Francois Veillette
fveillet@sobeco.com

------------------------------

Date:    23 Jun 92 07:49:59 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: No Frills 2/3 Scanner needed! (PC)

chore@neumann.une.oz.au (Prince Of Darkness) writes:
> I have a suspicion that i have the No Frills virus on my pc, i've been
> looking for a scanner to find out for sure, but have been unable to
> find one, can anybody help.....It's no frills vers 2 or 3, and i've
> heard it can do screwy things to your FAT, i've had nothing really bad
> happen yet, but a friends computer has, and so have others he's had
> contact with, so i think he may have given it to me, are there any
> non-commercial scanners out there that can detect No Frills and kill
> it? If not what's the best (and cheapest) commercial scanner that
> will get rid of it?

How could I help you if you do not provide enough information? Here are a couple of questions:

1) Why exactly do you think that you have a virus? Any symptoms that make you think so?

2) Why do you think that the virus is called "No Frills"? I have never heard about a virus with such a name...

3) What anti-virus software are you using (name, brand, version number, mode in which you are using it)?

For more information about how to report a possible infection and what information to provide if you want the people who are knowledgeable about computer viruses to be able to help you, please read the FAQ list.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
** PGP public key available by finger. **    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date:    23 Jun 92 07:54:30 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Request for Info on PC-Cillin (PC)

aeusg-hd-po-s@heidelberg-emh2.army.mil (Vincent Tracey) writes:
> Has anyone any information concerning a virus protection system
> called ** PC-cillin **.

Yes, I have played a bit with the package. I do not recommend it.

> The only information I have is a claim that it
> can - stop - all known virus'- ?:^(

Nonsense. The version that I have is even unable to stop the Dir II virus.

> The package includes an RS 232 device
> for *trapping* virus'.

Not exactly. It includes a dongle with some CMOS RAM in which it stores the partition table data (only the data, not the entire MBR!) and a checksum for the MBR. The idea is to automatically restore it if a virus messes it up. This is very insecure; can be fooled relatively easily; leads to a disaster if a practical joker exchanges the dongles of your computers and so on.

Except for that, the package is generally a monitoring program (a la FluShot). It claims to use Artificial Intelligence (!) to detect virus-like behaviour. In fact, it is a simplistic rule-based system (6 rules and no learning), which decides whether the detected behaviour is really due to a virus. Causes fewer false positive alerts than most other monitoring programs, but can be bypassed just as easily, using only a combination of the known virus techniques.

My guess is that the dongle trick aims to prevent pirating of the software - it is much more secure and advisable to store a copy of the boot sectors on a floppy, instead of in a dongle.

I have spoken several times with both the developers of the product and the distributors, explaining to them how their product can be bypassed, what can be done to make this at least a bit more difficult, and why it is not wise to make claims like "stops all possible viruses". They never took my advice.

As a conclusion: an insecure and generally bad product, which provides a false sense of security. Don't buy it.

> Any assistance in this matter is appreciated.

Hope the above helps. Note that it is my own opinion and impression of the product.
Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
** PGP public key available by finger. **    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date:    23 Jun 92 08:07:18 +0000
From:    bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: scan 91 et al - reported as trojan?? (PC)

tyers@rhea.trl.OZ.AU (P Tyers) writes:
> site I would appreciate comment. The versions I distributed were sourced
> from the mirror site archie.au and the validate results matched the message
> on comp.virus (Message-ID: <0019.9205301711.AA42463@CS1.CC.Lehigh.EDU>
> Date: 28 May 92 23:21:22 GMT) from mcafee Associates.
> All executables passed a scan by scan89b as well.
> Do I have a potential problem?

Probably not. The VALIDATE checksums are relatively easy to forge, but nobody has done it yet. The main problem is to get the checksums from a reliable source - and comp.virus is one.

The trojanizations of the program that I have seen (with other versions) involved forging the documentation which lists the checksums, the -AV authentication of the ZIP archive, and SCAN's internal self-check routine. You have no way to protect yourself from the last two. The only way to protect yourself from the first one is to get the checksums from a reliable source (different from the package). This still does not exclude the possibility to modify the program in such a way that neither their size nor their checksums change, but it makes it rather unlikely, since it will involve writing a virus which does not modify the file size and forging a CRC which is an LCM of two CRC-16s.

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev          Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226      Fachbereich Informatik - AGN
** PGP public key available by finger. **    Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de     D-2000 Hamburg 54, Germany

------------------------------

Date:    Sat, 20 Jun 92 01:12:00 +0000
From:    lev@rsdps.gsfc.nasa.gov (Brian S. Lev)
Subject: Re: Virus Program for a Macintosh? (Mac)

I wrote...

>One that I like a *lot* is John Norstad's "Disinfectant" (currently at
>version 2.8) -- it's free, and it works! It's available via FTP from
>an almost infinite variety of sites on the Internet... if you have a
>problem doing FTPs, contact me and I'll be glad to send you a copy of
>the "MacSecure" anti-viral tool kit we use here at Goddard (it's based
>on Disinfectant and includes some neat HyperCard stacks as well).

Well, I've gotten several requests, so here's the MacSecure info I so conveniently left out...

The package is available via Anonymous FTP and/or DECnet COPY as follows:

via Anon FTP:
- ------------

    % FTP nic.nsi.nasa.gov          (...or you can use the address 128.183.112.71)
    NSINIC.GSFC.NASA.GOV> user anonymous
    Password: (your Email ID)
    NSINIC.GSFC.NASA.GOV> cd [.SOFTWARE.MAC]        (this is a VMS system, use brackets!)
    NSINIC.GSFC.NASA.GOV> get MACSECURE35.HQX       (binhexed version, use ASCII mode)
        -- or --
    NSINIC.GSFC.NASA.GOV> get MACSECURE35.SEA       (self-extracting archive, use BINARY transfer mode)

via DECnet COPY:
- ----------------

    COPY NSINIC::DISK$NSINIC:[ANONYMOUS.FILES.SOFTWARE.MAC]MACSECURE34.HQX
        -- or --
    COPY NSINIC::DISK$NSINIC:[ANONYMOUS.FILES.SOFTWARE.MAC]MACSECURE34.SEA

That's it! If anyone has questions, feel free to Email me...
- --
Brian Lev
+----------------------------------------------------------------------------+
| NASA SCIENCE INTERNET NETWORK INFORMATION CENTER                           |
| Code 930.6, Goddard Space Flight Center                                    |
| Greenbelt, MD 20771 USA                                                    |
+----------------------------------------------------------------------------+
| Phone: 301-286-7251    FAX: 301-286-5152                                   |
| NSINIC::NSIHELP or help@nic.nsi.nasa.gov or NSIHELP@DFTBIT                 |
+----------------------------------------------------------------------------+

------------------------------

Date: Thu, 18 Jun 92 12:15:00 +1200
From: "Mark Aitchison, U of Canty; Physics"
Subject: Re: Theoretical questions

BAN@hdc.hha.dk (Homo homini lupus!) writes:

> 3) Cohen notes a weakness in his defence model S3 (p. 155; Fred Cohen:
> "Models of Practical Defences Against Computer Viruses", Computers &
> Security, vol.8, no.2, s.149-160, 1989 ) - S3 is based on a checksum
> approach, which means that checksum( pi ) = checksum( pj ) for some
> programs pi and pj of a length greater than the checksum [my
> interpretation]. Relating that to the fact that most integrity checkers
> today are checksum based, and to the discussion considering MtE and
> 100% detection, isn't this a fundamental weakness in the checksumming
> concept?

Yes, but (assuming the checksum is long enough, and it isn't a trivial
"sum" which could be recalculated by a virus, so you're into the area of
viruses simply being lucky) the probability can be made very low
(comparable with a yellow and green 747 piloted by an eskimo falling
from the sky and hitting the computer).

> 4) When using MtE to exploit the "not 100% detection weakness" of
> scanners, it would seem worthwhile to give one's own mutation a higher
> probability. This means, that if five programs survive the scanning
> in the first round, and each make say three times more copies of
> itself than of other permutations, it will mean approx. 20 will survive
> round two. This is exponential growth rather than as before linear
> growth (of course this will not increase the chance of survival in a
> checksum-based check).

Yes, that would prompt people to take "proper" action when getting such
a virus. I'm not a great fan of disinfecting infections - rather reload
the originals of everything, but there's still going to be the need for
either your idea or a true 100%-detecting scanner (since backups might
be infected). There still is a problem, of course ... even if a scanner
gets 100% of MtE there could be other ones (MtE2??) it doesn't know
about.

Mark Aitchison.

------------------------------

Date: 22 Jun 92 17:25:31 +0000
From: maner@andy.bgsu.edu (Walter Maner)
Subject: COMPUTER ETHICS CURRICULUM KIT

TEACHING SOCIAL AND ETHICAL IMPLICATIONS OF COMPUTING: A "STARTER KIT"

The Research Center on Computing and Society at Southern Connecticut
State University and Educational Media Resources, Inc. (a not-for-profit
organization specializing in educational programming) have assembled a
"Starter Kit" for teachers who wish to introduce social and ethical
implications of computing into their computer science or computer
engineering classes. The "Kit" can also help computer science
departments fulfill national accreditation requirements (CSAC/CSAB).

The "Starter Kit" includes three video tapes and two monographs:

VIDEO TAPES:
No. 1--Teaching Computing and Human Values (45 min.)
No. 2--What Is Computer Ethics (45 min.)
No. 3--Examples and Cases in Computer Ethics (45 min.)

MONOGRAPHS:
No. 1--Teaching Computer Ethics (110 pages)
No. 2--Computing and Social Responsibility: A Collection of Course Syllabi (142 pages)

Further information is available from the Research Center on Computing
and Society at Southern Connecticut State University:

E-Mail: RCCS@SCSU.CTSTATEU.EDU
Phone:  (203) 397-4423 (Center and answering machine)
FAX:    (203) 397-4681

Walter Maner

- --
InterNet maner@andy.bgsu.edu (129.1.1.2)       | BGSU, Comp Science Dept
Relays   maner%bgsu.edu@relay.cs.net           | Bowling Green, OH 43403
         maner%bgsu.edu@nsfnet-relay.ac.uk     | 419/372-2337 Secretary
BITNet   MANER@BGSUOPIE                        | 419/372-8061 Fax

------------------------------

Date: Mon, 22 Jun 92 10:07:56 +0600
From: ry15@rz.uni-karlsruhe.de
Subject: Call for Papers - EICAR Conference, December 1992

CALL FOR PAPERS

3rd annual EICAR - Conference
December 7th-9th, 1992 in Munich Germany

EICAR (European Institute for Computer Anti-Virus Research) will hold
its 1992 conference on computer viruses and related threats to
information technology. The conference will be held in the Park-Hilton
Hotel in Munich.

Dates:
draft paper deadline:       September 11th 1992
notification of acceptance: October 4th 1992
final paper:                October 25th 1992
conference:                 December 7th-9th 1992

General Chair: Dr. Paul Langemeyer, Siemens Nixdorf International AG
Program Chair: Christoph Fischer, University of Karlsruhe

Scope:
The conference addresses the malicious software aspect of IT-security.
The first day is an optional tutorial seminar on computer viruses and
similar software threats. The second day will carry tracks covering
retrospective and state-of-the-art information. The theme of the third
day is future trends. The conference will end with a panel discussion.
Topics:
* virus trends
* anti-virus technology
* testing antivirus software
* virus naming
* network security
* system security
* backup measures
* risk assessment
* corporate strategies
* disaster recovery plans
* malware incident handling
* international cooperations
* case studies
* educational tasks
* impact on technology
* epidemiology
* forensic procedures
* legal aspects
* social implications
* ethics

Conference Format:
Introductory day (optional):
  December 7th    Tutorial Seminar
Main Conference: Two tracks (technical and non-technical)
  December 8th    retrospective and state-of-the-art papers
  December 9th    future trends papers
                  Panel Discussion

Submission:
Submissions should be received by the program committee no later than
September 11th 1992. After the formal peer review procedure the
submitters will be notified by the program committee October 4th. Final
papers are due by October 25th. Abstracts should be no longer than 1500
words (5 double spaced pages) and can be sent in as paper, e-mail, ascii
file on PC disk, or FAX.

Final paper:
The final version of the paper should be either an ascii-file or a LaTeX
file. Graphics (photos only if absolutely necessary) should be on
separate sheets in high quality or as LaTeX, Postscript, HP-PCL
(Laserprinter) or HP-GL file. Slides and overheads must be included as a
b&w reproduction. Each author or the presenting author of groups must
send in a short biography and a passport type photograph.

Addresses:

EICAR Office:
EICAR                      ! c/o Siemens Nixdorf AG
Dr. Ing. Paul Langemeyer   !
Otto-Hahn-Ring 6           !
D-8000 Muenchen            ! (+49) 89 636 82 660 (voice)
Germany                    ! (+49) 89 636 82 824 (FAX)

Program Committee:
University of Karlsruhe    ! (submissions)
Rechenzentrum              !
Micro-BIT Virus Center     !
Christoph Fischer          !
Zirkel 2                   ! (+49) 721 37 64 22 (voice)
D-7500 Karlsruhe 1         ! (+49) 721 32 55 0 (FAX)
Germany                    !
ry15@rz.uni-karlsruhe.de

------------------------------

End of VIRUS-L Digest [Volume 5 Issue 119]
******************************************
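The checksum weakness raised in the "Theoretical questions" exchange above (checksum( pi ) = checksum( pj ) for programs longer than the checksum, and a "trivial sum" that a virus could simply recalculate), as an added example that is not part of the digest: a small integrity-check routine that records a 16-bit additive sum beside SHA-256 and verifies a constructed file image against both. The function names and the sample bytes are my own assumptions, not code from any of the posters.

```python
import hashlib

# Constructed sample "program" image standing in for a clean executable
# that an integrity checker recorded: a repeating 0..255 byte pattern.
ORIGINAL = bytes(range(256)) * 16


def additive_checksum(data: bytes) -> int:
    """The 'trivial sum' of the post: a 16-bit sum of all bytes."""
    return sum(data) & 0xFFFF


def sha256_checksum(data: bytes) -> str:
    """A long cryptographic hash: colliding inputs exist by the pigeonhole
    argument in point 3, but finding one is not practical."""
    return hashlib.sha256(data).hexdigest()


def baseline(data: bytes) -> dict:
    """What the checker stores while the file is known to be clean."""
    return {"sum16": additive_checksum(data), "sha256": sha256_checksum(data)}


def verify(data: bytes, record: dict) -> dict:
    """Per algorithm: True means 'file unchanged according to it'."""
    return {
        "sum16": additive_checksum(data) == record["sum16"],
        "sha256": sha256_checksum(data) == record["sha256"],
    }


def swap_two_bytes(data: bytes, i: int, j: int) -> bytes:
    """Reordering bytes never changes an additive sum: a free collision."""
    buf = bytearray(data)
    buf[i], buf[j] = buf[j], buf[i]
    return bytes(buf)


def append_with_matching_sum(data: bytes, extra: bytes) -> bytes:
    """Append 'extra' plus padding chosen so the 16-bit sum is unchanged:
    the sum is recalculated, which is exactly the weakness the reply names."""
    changed = data + extra
    delta = (additive_checksum(data) - additive_checksum(changed)) & 0xFFFF
    padding = b"\xff" * (delta // 255) + bytes([delta % 255])
    return changed + padding


if __name__ == "__main__":
    rec = baseline(ORIGINAL)
    print("swap:  ", verify(swap_two_bytes(ORIGINAL, 10, 2000), rec))
    print("append:", verify(append_with_matching_sum(ORIGINAL, b"CONSTRUCTED"), rec))
```

Both modified images pass the additive check and fail the SHA-256 check, which is the practical content of the "long enough, and not a trivial sum" condition in the reply.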