RISKS-LIST: RISKS-FORUM Digest Sunday 27 March 1988 Volume 6 : Issue 49 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Risks of loss of privacy from stolen computer (PGN) Things that go POOF! in the night (PGN) Virtuous Virus Language (Vin McLellan) Batch Viruses (Brian M. Clapper) Atari ST Virus (Chris Allen via Martin Minow) Rhine floods Communication link; Nightmare Virus Construction Set; CCC hackers revenge threat (Klaus Brunnstein) The Anti-Virus Business, or, This Generation's Snake-Oil? (TMP Lee) [*** I cannot believe how large the backlog is -- and I will be tied up with meetings all next week. Please be patient, and send only the REALLY GOOD STUFF. That would help. PGN ***] The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome. Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM. For Vol i issue j, FTP SRI.COM, CD STRIPE:, GET RISKS-i.j. Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85). ---------------------------------------------------------------------- Date: Fri 25 Mar 88 09:51:03-PST From: Peter G. Neumann Subject: Risks of loss of privacy from stolen computer A thief made off with a $9,000 computer and printer from an office in Walnut Creek CA, and discovered that his victim (Beth Savano) was a tax preparer. In a remarkable display of good will, he returned to her 20 floppy disks containing 150 tax returns that had been stored on the original hard disks. However, he kept the original hard disk. ------------------------------ Date: Fri 25 Mar 88 10:01:24-PST From: Peter G. Neumann Subject: Things that go POOF! in the night The latest technology in check frauds is the use of a chemical that causes the checks to disintegrate shortly after being deposited. Such checks have turned up at banks in the Chicago area and in Tennessee, and were drawn on accounts in California and Tennessee. Typically a new account was opened, the bogus check was deposited, and then a withdrawal was made before the bogus check could bounce. There are of course some comparable techniques in computer systems, using Trojan horses, time bombs, etc., for data or a program to alter its own state. ------------------------------ Date: Thu 24 Mar 88 03:33:20-EST From: "Vin McLellan" Subject: Virtuous Virus Language All of us with a taste for technical history doubtless enjoyed Kevin Driscoll's charming recollection (Risks 6.48) of a 20 year old memory-crunching parasite in COMMON code he labelled a virus. What he described, however, sounds like what the Apple II community in the early '80s widely circulated and described as "worm" code. The Apple worms, like Dirscoll's code-critter, were simply memory crunchers who rewrote themselves successively through the memory (although some had neat graphics of the worm nibbling up the screen and off into memory.) The Apple worms were, despite an identical name, quite different from the "worm" created by Huff et al at Xerox Corporation in 1980; and everything falls far short of the fictional "worm" described by the novelist John Brunner in a 1975 novel. Anyone with a report of an virus that was an actual ancestor to Fred Cohen's 1984 creation at USC -- christened "virus" by Ken Adeleman of RSA fame, one of Cohen's mentors at USC -- could make a welcome addition to the literature by describing it. (Cohen's creation was first described at a 1985 IFIPS conference in Toronto.) Several reports of the NSA's reaction to Cohen's paper clearly indicate that this was a new threat to the Fort Meade spooks who guard the US government's most secure systems, but there may have been prior art unreported somewhere. I haven't yet heard any such tale. I have, however, received many calls from journalists who have been told by respected computer security mavens that this is a decades-old problem. A lot of people who should know better seem to believe, like Driscoll, that any self-replicating program that moves itself to a new location in memory is a "virus." Obviously few have read Cohen. The widely-described IBM "virus" in VNET and Bitnet last December was not, for instance, a "virus." Let's get it straight, folks! A virus is defined by its capability for epidemic contagion. It's a parasite program that attaches itself to another program, effectively turning its victim into a "torjan" which, when executed, seeks out a particular, targeted, pattern of code in any available potential victims (programs) to attach a copy of itself ("infect" them) and make them too "carriers." The virus is merely a medium for contagion; its undeclared mission or task is in other code piggybacked upon it. (Cohen's formal description also emphasizes that a virus can be designed to evolve -- change its form or target -- over generations.) The damn things are going to be with us for a long time, and it would be nice not to lose control of the language as we did with "worms." Anyone got any *relevant* ancient history? Vin McLellan The Privacy Guild (617) 426-2487 ------------------------------ Date: Thu, 24 Mar 88 09:28:05 EST From: clapper@NADC.ARPA (Brian M. Clapper) Subject: Batch Viruses Kevin Driscoll's COMMON Code commentaries in RISKS 6.48 reminded me of a simple and particularly nasty program I encountered while still in college. It consisted of 3 lines of FORTRAN: 10 PRINT 1000 GOTO 10 1000 FORMAT ('+', 132*'-') For those who may not remember, in FORTRAN, a '+' in the first column is carriage control for an overstrike. This small program continually overstrikes 132 dashes on a line printer. Needless to say, if it runs long enough, it can do a fair amount of damage. I was amazed at its simplicity. I made the mistake of mentioning it to a supposedly trustworthy fellow student, one who I thought would share my amaze- ment. He did share the amazement, but he took the matter one step further: He typed it in, submitted a batch job to run it, and directed the output to a high-speed line printer. When he specified the printer id, he made an error, and the output was sent to an unsupervised line printer in the staff area of the computer center rather than to a normal, operator-supervised line printer. The job ran for quite awhile, and caused untold dollars of damage to the printer. Obviously, there should have been no way for a student to send any job to an unsupervised line printer. Had he sent it to one of the standard, operator-supervised line printers, one of the operators would have killed the job soon after it started printing. (Repeated overstriking on a high-impact line printer has a very distinct sound. Further, the operators were known to kill jobs which printed out those fun computer posters we all liked so much in college.) Still, I remember thinking at the time that this type of malicious behavior can be extremely difficult to prevent. Even the CPU-time restrictions placed on the typical student job were insufficient, since this program can do quite a bit of harm in a very short time. (And it did.) As I recall, the student was caught. His punishment was much less severe than I would have thought. I think he was denied further access to the computer building for a few months and had his account taken away. The day after the incident, he told me about it in class. He was really indignant that the computer center staff had taken away his account. Brian M. Clapper, Naval Air Development Center, Warminster, PA ------------------------------ Date: 26 Mar 88 20:48 From: minow%thundr.DEC@decwrl.dec.com (Martin Minow THUNDR::MINOW ML3-5/U26 223-9922) Subject: Atari ST Virus I've attached a long article on an Atari ST virus program, taken from Usenet, adding a few comments (* in column 1) explaining Atari-specific terms. Now, all of the popular personal computers have been attacked by viruses. (It's probably not worth posting as-is to Risks, but you might want to stuff it in your archives and post a summary.) Martin. Newsgroups: comp.sys.atari.st Path: decwrl!labrea!agate!pasteur!ames!nrl-cmf!mailrus!umix!uunet!mcvax!ukc!reading!onion!minster!SoftEng!john Subject: The Atari ST `virus' Posted: 22 Mar 88 15:26:48 GMT Organization: Department of Computer Science, University of York, England I'm posting this for someone who does not have Usenet access. THE ATARI ST VIRUS ================== This weekend I received a number of pd software disks from a computer store. I found that three of these contained the 'ST Virus' that has been mentioned on the net recently. I did not however discover this until it had trashed one disk and infected a very large number of disks. I have since disassembled the virus and worked out exactly what it does and I am posting a summary of what I found here. What The Virus Does =================== When the ST is reset or switched on, it reads some information from track 0 sector 0 of the disk in drive A. It is possible to set up that sector so that the ST will execute its contents. The virus program is written into this sector so that it is loaded whenever the ST is booted on the offending disk. Once loaded into memory the virus locates itself at the end of the system disk buffer (address contained at 0x4c2 I think) and attaches itself to the bios getbpb() function. * * getbpb() returns the operating system parameter block for a disk device. * Every time getbpb() is called, the virus is activated. It tests the disk to see if it contains the virus. If it doesn't then the virus is written out to the boot sector and a counter is initialised. If the disk does contain the virus then the counter is incremented. Once the counter reaches a certain value, random data is written across the root directory & fat tables for the disk thus making it unusable. The virus then removes itself from the boot sector of the damaged disk (destroys the evidence??). * * The "fat table" contains the bitmap of unused sectors. * NOTES ===== Once the virus is installed in the ST it will copy itself to EVERY non write protected disk that you use - EVEN IF YOU ONLY DO A DIRECTORY - or open a window to it from the desktop. The virus CANNOT copy itself to a write-protected disk. I *think* (but am not certain) that it survives a reset. The current virus does not affect hard disks (it uses the flopwr() call). * * flopwr() writes a sector on a floppy disk (drives A or B). * However, if you are using an auto-boot hard disk such as Supra, and the disk in drive A contains the virus, THE FLOPPY BOOT SECTOR IS EXECUTED BEFORE THE HARD DISK BOOT SECTOR and consequently the virus will still be loaded and transferred to every floppy that you use. THE CURE ======== To test for the virus, look at sector 0 of a floppy with a disk editor. If the boot sector is executable then it will contain 60 hex as its first byte. Note that a number of games have executable boot sectors as part of their loading. However if this is the case then they should not load when infected by the virus. If people are worried about this & haven't been able to get the other killer (I have not seen it yet) then I will post the source/object for a simple virus detector/killer that I have written. OTHER VIRUSES ============= It would appear that this virus is not the end of the story. I have heard that there is a new virus around. This one is almost impossible to detect as for each disk inserted, it scans for any *.prg and appends itself to the text segment in some way. Thus it is very difficult to tell whether or not the virus is actually on a disk..... FINALLY ======= Use those write-protect tabs! Check all new disks! Hopefully we can get rid of this virus totally before it damages something important. Chris Allen. If you want any information, etc etc mail me at: Janet: CJA1@uk.ac.york.vaxa uucp: ...!uunet!mcvax!ukc!minster!CJA1@VAXA arpa: CJA1%vaxa.york.ac.uk@mss.cs.ucl.ac.uk ------------------------------ Date: March 24, 1988 From: Klaus Brunnstein Subject: RISK FORUM: 1. Rhine floods Communication link 2. Nightmare Virus Construction Set 3. CCC hackers revenge threat Organisation: University of Hamburg, FRG, Faculty for Informatics 1. DATEX-P based international computer communication 2 days out-of-operation due to Rhine flood: Access from some West German computers to several networks broke down for 2 days when the Rhine river overflooded its banks after heavy rain falls and sudden snow smelting. The flood damaged the DATEX-P network of German Post (dbp) at Bonn. According to Hamburg protocols, the central node XPS.GMD.DBP was unavailable since March 22, 8.55 (first error message, after last successful transfer on March 21 at 7.10 pm) and the first sucessful transfer on March 23 at 7.22 pm; officially, the network was declared available on March 24 at 2 am. Most German universities and research institutes use this node XPS.GMD.DBP (via their connection to GMD's central distribution computer) exclusively for communication with EDU, COM and other networks. During the breakdown, only EARN and BITNET communication was available for `some time period' (duration unspecified). Receipt of RISK-FORUM editions and this message has also been delayed. 2. `Nightmare Software' and the CeBIT Hannover Fair: Many discussions at the Hannover Fair, labelled "Center for Bureau and Information Technologies" (CeBIT), held in Hannover, FR Germany this year on March 16-23 and said to be the world's largest fair in Information and Communication Technologies, were about Computer-related Risks. A special section had been devoted to "Secure Computer Centers", demonstrating building security measures (TV-cameras, access control with chip cards etc) as well as some ACF software on PC. Some enterprises and the German computer trader COMPAREX exhibited `warm' and `cold' backup computer concepts, and some publications informed on `Vulnerability of Information Economy' (including an article of this author, in the German edition of `Computerweek', which is available by e-mail, on demand, to interested people). After some (often badly informed) articles on `Viruses' in public newsmedia (where the `Israel Virus' of Hebrew University was reported to spread over international computer networks), many people share the fear of `computer illnesses'. One respected German newspaper (FAZ=Frankfurter Allgemeine Zeitung, which often represents official positions) published in its CeBIT-report (March 21st, p.17) a contribution on a program, defined as `Virus Construction Set', named `Nightmare Software', which may be used to construct as well as to detect and delete viruses. The paper writes: `People offering the Virus Construction Set are themselves aware that they `play with the fire'. Program and documentation is only allowed to be given to people older than 18 years, and any liability is strictly denied. People buying the software must also know that application of the `Nightmare Program' is punishable, with up to 5 years in prison. On the other hand, the software traders hope that the knowledge of the `Virus danger' may prevent the respective damage.' Though a growing public awareness about `Vulnerability of Information Society/Economy' should generally be welcomed, the last paragraph of the respective article may produce a new mysticism which may even worsen public awareness. After some sentences on Viruses, their detection and combat (compared how to fight anthrax), the final paragraph follows: `Somehow, the use of medical vocabulary in the context of prosaic computer programs has a `human touch'. The `ordinary citizen' may think that a computer may become as ill as a living body. Moreover: one can defend oneself and fight the infection. On the other side one could say that here, Devil is expelled with Beelzebub.' After past comparisons of computers and human brain (which is the unfortunate inheritance of pioneers like Alan Turing and John von Neumann), unadequate biological analogies (Viruses) may bring up another mysticism which may prevent rational analysis of risks embedded in elementary computer concepts as well as in ill-analysed application packages. 3. Revenge Threat of German Hackers: After the imprisonment of a leading member of Computer Chaos Club (CCC) in Paris, some German hackers may plan `revenge activities'. `Der SPIEGEL', often well informed, cites a Munich hacker: `when I become really angry, nothing may prevent me from heavily confusing their systems' (Der Spiegel, Nr.12, March 21, p.109-111). It seems wise to accurately monitor the access patterns of network-accessible installations. As reported in RISK 6.44, one of the chairmen of (Hamburg-based) CCC, Mr. Steffen Wernery, has been arrested by French police when arriving at Charles de Gaulle airport for a discussion with Philips officials and a subsequent lecture on `the NASA hack' at SECURICOM. In the meantime, the German Criminal Office (Bundes-Kriminal-Amt, BKA), charged with prosecuting possible German participants in the invasion of computers at NASA, CERN and Philips France, said that CCC officials have not participated in the NASA coup. Evidently, the French police had not been informed about this result. The work of CCC is heavily influenced by consequences of the arrest, including heavy differences among CCC officials. Hamburg newspapers report that all CCC money has been spent in extensive, uncoodinated telephone calls between Hamburg and Paris. Moreover, the remaining chairpersons denied Mr. Wernery's wish to sell the story of his arrest for exclusive publication for a high enough prize to cover his defence expenses: while his approach was denied by Hamburg CCC managers, financial problems of Mr. Wernery and the CCC are unsolved. Klaus Brunnstein, University of Hamburg, Faculty for Informatics ------------------------------ Date: Thu, 24 Mar 88 11:41 EST From: TMPLee@DOCKMASTER.ARPA Subject: The Anti-Virus Business, or, This Generation's Snake-Oil? From the 24 March 1988 Minneapolis Star Tribune, front page of the business section: COMPUTER 'VIRUSES' CREATING ENTREPRENEURIAL OPPORTUNITY Steve Gross [Technology editor] Computer 'viruses' are creating an opportunity for firms marketing a remedy in the form of anti-virus software. A virus is a tiny piece of software designed by a programmer who typically seeks to damage someone's computer data, usually at some predetermined future date. Often the virus is planted in free computer programs offered on national computer bulletin boards available to anyone whose personal computer can receive data by telephone. Once the 'infected' program is received from the bulletin board, its virus begins to replicate itself like a biological virus. Each duplicate virus infects other programs and data stored on the computer's floppy and hard disks, erasing all or part of the infected material when the computer's internal clock reaches the predetermined set-off date. If people have made back-up copies of their programs and files, those disks also are infected and will undergo the same disaster when used. Viruses have gotten a lot of publicity lately. Three weeks ago the New York Times reported that computer viruses could become "a science-fiction nightmare come to life" as they move unseen from one personal computer to another across telephone lines or within office computer networks. In the past few months, people who run computer bulletin boards, corporations and even the government of Israel have reported viruses infecting their software. "The biggest source (of viruses) has been contaminated files from computer bulletin boards," said David Buerger, director of the Personal Computer Center at Santa Clara University in California, in an interview this week. In addition, some university students "have been infecting software in the computer labs." These infections represent "a real opportunity" for companies writing anti-virus software, Buerger said. While the anti-virus programs can't eliminate all infections, they can force virus-writers "to be more clever. They'll have to invest more time and effort. "It's like locking the car when you park in a high-crime district. It will stop the kids and the ones who want to take a joy ride. But if it's a professional thief .. the best system won't keep him out of he car." Lloyd Tabb, a software writer for Sophco Inc., in Boulder, Colo. said his firm markets Protec, a $195 virus-detection program that includes features called Syringe and Canary. Syringe injects a harmless virus into a program that checks to make sure no harmful viruses are present. Canary is a program that waits for a virus and stops functioning if it becomes infected, much like the real canaries carried by old-time miners to warn them of poisonous gases. Ron Sturtevant-Stuart, president of Asky, Inc., a software firm in Milpitas, Calif., said his Softlog program matches the current size of computer files against their previous size to check for viruses. The program is licensed to corporations in lots of 100 units for $2,400. Eric Hansen, a vice president of Fridley-based [a Minneapolis suburb] Digital Dispatch Inc., has been quoted in the New York Times and computer industry trade publications as a result of the firm's $199 Data Physician program, which detects and in some cases eliminates viruses. Hansen said viruses have been talked about for years, but are becoming a problem now because "there are a lot more personal computers out there. As more computers move into more people's hands, more persons of evil intent are going to have computer skills. It really only takes one person nationwide writing one of these things and plunking it up on a bulletin board to cause enormous havoc." The Data Physician program, which has been marketed for three years, makes careful measurements of a computer's programs and data files to detect any "alien" computer codes, he said. One portion of the program, called Data MD, creates a list of computer data files to be protected, and watches them while the computer is in operation. Another part called Antigen attaches itself to an individual computer program and checks it for viruses each time it is used. To remove a virus, Antigen erases the bytes of computer data that weren't in a program earlier, he said. A third portion of the program, called Padlock, prevents anything from being written on a storage disk unless the computer operator pushes a button to give permission. However, Hansen said, "there is a way around absolutely everything." Viruses can be tailored to escape detection by specific anti-virus program's he said. To prevent that, "you have to continually change your product so a virus can't go after it." His firm is already trying to develop a foolproof version of Data Physician that couldn't be disabled by a virus before the program had a chance to act, he said. However, anti-virus software makers have one advantage in the war with virus inventors: viruses can't be made too complicated. For example, a virus that could evade several types of anti-virus programs would have to consist of a longer and more elaborate piece of computer code than a non-evasive virus, Hansen said. But, he added, "if you put enough intelligence into a virus to beat every protection scheme, it will get too fat and slow and be detected." ------------------------------ End of RISKS-FORUM Digest ************************