It would have been unfair to exclude Ferguson from the contest but the editors of the newsletter are too busy to judge the expanded field of entrants, so we decided to cancel. Hey, cool it wontcha, guys?? But, on more serious matters, we excerpt a tiny segment of one of Sara Gordon's mid-September FIDO flames for further comment:

"...if you are interested in keeping information free, then learn to be responsible with its use. your freedom to information does not include the right to destroy it. its [sic] MY information too, and its [sic] not YOUR right to rip it up.

"if you think killing people is cool, and are aware of the implications of your actions, i.e. knowing that your virus could wipe out some hospital database in some third world country, or even in u.s.a. in appalachia, where they cant [sic] afford backups, and effectively be responsible for the deaths of innocent people, then write them."

Whoah! Whoah! Whoah! Sara! What a stretch. Let's entertain that fool claim for a moment. Do you think a backwoods hospital would have computers, but no hard copy system? (What if a fire broke out in "RECORDS"?) But even if we let that slide for the sake of the argument, let's consider a different tool of destruction. Arms. The U.S. sells arms to lunatics on the left and right in "Third World Countries." Does anyone who makes them in this country get held responsible, or even LOSE ANY SLEEP, when civilians get blown away by the same guns in any number of mindless civil wars? Of course not, BECAUSE IT'S THE AMERICAN WAY TO BE AN INCONSIDERATE, HYPOCRITICAL LOUSE. So, jumping back to computer viruses, which are decidedly more trivial than the business end of a Claymore mine, it's totally ludicrous to even presume that virus programmers are "effectively responsible for the deaths of innocent people." Far better to waste your time, if you must, Sara, arguing with the arms merchants than with virus programmers, we think.
In fact, The Crypt Newsletter decided to back this up with a little research on virus strikes in hospitals. Now keep in mind, although our skills are much vaunted, we're still a relatively new publication and your results may differ. Still, this is the best we could come up with - two small newspieces purloined from CSERVE (who in turn purloined them from the New England Journal of Medicine) ca. 1989. What follows is the transcript:

---------------------------------
HOSPITAL STRUCK BY COMPUTER VIRUS
---------------------------------

(March 22) - 1989

Data on two Apple Macintoshes used by a Michigan hospital was altered recently by one or more computer viruses, at least one of which apparently traveled into the system on a new hard disk that the institution bought. In its latest edition, the prestigious New England Journal of Medicine quotes a letter from a radiologist at William Beaumont Hospitals in Royal Oak, Mich., that describes what happened when two viruses infected computers used to store and read nuclear scans that are taken to diagnose patients' diseases. The radiologist, Dr. Jack E. Juni, said one of the viruses was relatively benign, making copies of itself while leaving other data alone. However, the second virus inserted itself into programs and directories of patient information and made the machines malfunction. "No lasting harm was done by this," Juni wrote, because the hospital had backups, "but there certainly was the potential." Science writer Daniel Q. Haney of The Associated Press quoted Juni's letter as saying about three-quarters of the programs stored in the two Mac II PCs were infected. Haney said Juni did not know the origin of the less harmful virus, "but the more venal of the two apparently was on the hard disk of one of the computers when the hospital bought it new. ... The virus spread from one computer to another when a doctor used a word processing program on both machines while writing a medical paper."
Juni said the hard disk in question was manufactured by CMS Enhancements of Tustin, Calif. CMS spokesman Ted James confirmed for AP that a virus was inadvertently put on 600 hard disks last October. Says Haney, "The virus had contaminated a program used to format the hard disks. ... It apparently got into the company's plant on a hard disk that had been returned for servicing. James said that of the 600 virus-tainted disks, 200 were shipped to dealers, and four were sold to customers." James also said the virus was "as harmless as it's possible to be," that it merely inserted a small piece of extra computer code on hard disks but did not reproduce or tamper with other material on the disk. James told AP he did not think the Michigan hospital's problems actually were caused by that virus.

--Charles Bowen [October's Crypt National Dummkopf]

------------------------------
MORE HOSPITALS STRUCK BY VIRUS
------------------------------

(March 23) - 1989

The latest computer virus attack, this one on hospital systems, apparently was more far-reaching than originally thought. As reported here, a radiologist wrote a letter to the New England Journal of Medicine detailing how data on two Apple Macintoshes used by the William Beaumont Hospital in Royal Oak, Mich., was altered by one or more computer viruses. At least one of the viruses, he said, apparently traveled into the system on a new hard disk the institution bought. Now Science writer Rob Stein of United Press International says the virus -- possibly another incarnation of the so-called "nVIR" virus -- infected computers at three Michigan hospitals last fall. Besides the Royal Oak facility, computers at another William Beaumont Hospital in Troy, Mich., were infected as were some desktop units at the University of Michigan Medical Center in Ann Arbor.
Stein also quoted Paul Pomes, a virus expert at the University of Illinois in Champaign, as saying this was the first case he had heard of in which a virus had disrupted a computer used for patient care or diagnosis in a hospital. However, he added such disruptions could become more common as personal computers are used more widely in hospitals. The virus did not harm any patients but reportedly did delay diagnoses by shutting down computers, creating files of non-existent patients and garbling names on patient records, which could have caused more serious problems. Dr. Jack Juni, the radiologist who reported the problem in the medical journal, said the virus "definitely did affect care in delaying things and it could have affected care in terms of losing this information completely." He added that if patient information had been lost, the virus could have forced doctors to repeat tests that involve exposing patients to radiation. Phony and garbled files could have caused a mix-up in patient diagnosis. "This was information we were using to base diagnoses on," he said. "We were lucky and caught it in time." Juni said the virus surfaced when a computer used to display images used to diagnose cancer and other diseases began to malfunction at the 250-bed Troy hospital last August. In October, Juni discovered a virus in the computer in the Troy hospital. The next day, he found the same virus in a similar computer in the 1,200-bed Royal Oak facility. As noted, the virus seems to have gotten into the systems through a new hard disk the hospitals bought, then spread via floppy disks. The provider of the disk, CMS Enhancements Inc. of Tustin, Calif., said it found a virus in a number of disks, removed the virus from the disks that had not been sent to customers and sent replacement programs to distributors that had received some 200 similar disks that already had been shipped.
However, CMS spokesman Ted James described the virus his company found as harmless, adding he doubted it could have caused the problems Juni described. "It was a simple non-harmful virus," James told UPI, "that had been created by a software programmer as a demonstration of how viruses can infect a computer." Juni, however, maintains the version of the virus he discovered was a mutant, damaging version of what originally had been written as a harmless virus known as "nVIR." He added he also found a second virus that apparently was harmless.

Hmmmmm. Pretty slim pickin's, Sara Gordon. No fatalities, no injuries, no nothing. A lot of 'but if's', though. But at the Crypt Newsletter we don't count 'but if's'. 'But if's' are the domain of mediocre bureaucrats, Pentagon nuclear war planners, corporate stiffs and American double-knit upper management types. However, here at the editorial bungalow, we know you were riled on the FidoNet when you e-mailed the now deemed idiot observation about virus programmers being "effectively responsible for the deaths of innocent people," so we won't give you this issue's "National Dummkopf" award. It's Charles Bowen's (for reasons described below). Your rep remains unblemished. All readers are invited to e-mail any evidence of "computer virus induced human death" to the Crypt Newsletter at any time. We'll put it in a news piece called, appropriately, "Computer Virus Induced Human Death (or Man Bites Dog)." That has a nice ring, don't you think?

***************************************************************************
PITY CSERVE's CHARLES BOWEN, HE CAN'T TALK AND CHEW GUM AT THE SAME TIME. AND THAT'S WHY CRYPT NEWSLETTER REPRINTS THIS STORY WITHOUT PERMISSION BUT WITH A "BOWEN TRANSLATION" SO THAT YOU ALL MIGHT BENEFIT. YOU GOT IT, CHARLES BOWEN GETS THIS ISSUE's 'NATIONAL DUMMKOPF' AWARD!! HE CAN SHARE IT WITH JEFFREY O. KEPHART OF IBM's HIGH INTEGRITY COMPUTING LAB, AS YOU SHALL SEE.
{Comments in []'s by URNST KOUCH}
**************************************************************************
CSERVE's Online Today, Sept. 8, 1992

SPREAD OF VIRUSES SLOWER THAN SOME THINK, IBM RESEARCH SUGGESTS

(Sept. 8) A study conducted by an IBM computer scientist at the Thomas J. Watson Research Center suggests computer viruses may spread more slowly and less widely than some current estimates project. IBM said in a statement from Yorktown Heights, N.Y., that an immediate implication of the work "is that the computer virus problem will not become explosively rampant as some experts [WHO??] have predicted on the basis of conventional epidemiological models that overlook important constraining factors." IBM said the discrepancy in projections arises from "topology," that is, the structure of the connectedness among individuals in the population through which infection spreads. [You said a mouthful.] Jeffrey O. Kephart of IBM's computer sciences department said the importance of topology in analyzing the way things like viruses and rumors [What the Hell is this nonsense? Viruses are related to rumors? Mebbe so, mebbe so. But you're gonna have to go back to Michelangelo for that story.] spread in a population is seldom taken into sufficient account. Kephart said most epidemiological projections of the spread of viral infections -- in people as well as in computers -- are based upon the assumption of a fully-connected world: in effect, a world in which everyone is connected to everyone else. [No, not true. "Epidemiology" generally deals with the spread of disease in living populations where every member of the affected group is thought to have some potential for contracting the "bug." This "everyone connected to everyone else" stuff is bogus.] For example, the "homogenous-mixing" topology makes epidemiology easy, he observed, but is obviously not realistic. [Eh? Good jargon, though. Your guess is as good as mine and I KNOW something about this stuff.]
Nonetheless, says IBM, Kephart's research "shows that it works rather well for certain kinds of infectious diseases, particularly air-borne ones like influenza." [Does it? Evidence? Where is it?] He says computer-virus infections present quite a different story, noting that they are usually spread by friends exchanging disks that contain the virus. [Isn't this rather reminiscent of the popular descriptions of how the AIDS virus is transmitted? So just how is computer virus spread different? It's certainly not clear at all here.] Kephart, a member of IBM's High Integrity Computing Laboratory, says the kind of connectedness that characterizes the spread of computer viruses is thus not homogenous but local. In this topology, "individuals connect not to everyone else but only to their nearest neighbors who [have compatible computers, and] in turn, are connected [only] to their neighbors [who have compatible computers], and so on," says the statement. [I'm sure this is what Kephart really means.] "The effects of different topologies on the spread of an infection become striking when the homogenous-mixing and local models are compared. In a fully-connected, homogenous population, Kephart explained, an infectious disease spreads exponentially -- explosively -- and all-encompassingly. [Bah. This is unadulterated horse shit. Most examples of disease never spread in this manner, but, then, there goes the story! The spread of disease in human populations is remarkable for its variability, not homogeneity. If what he says happens were true, we'd all die of cholera every time there's an outbreak in Peru.] In a local topology, he said, infection is transmitted sparsely, from each individual to just a few others."

--Charles Bowen

[While Kephart's research is doubtless interesting, you'd never know it from Bowen's short, tangled mess. Full of jargon and bullshit, all you can get from it is that computer viruses, on the whole, are restricted to local outbreaks.
Big deal, didn't we already know that? Perhaps a better word for characterizing computer virus infection is the term "smoldering." While this is only from personal experience, it seems virus infections "smolder" on a local basis, mostly unseen and untrackable, but very occasionally erupting into runaway outbreaks which disrupt school systems, corporate workplaces, and probably most often, the private home where some chowderhead is engaged in obsessive/compulsive software piracy. 'Smoldering,' BTW, is a term epidemiologists often use to describe various natural infections.]

-*-
**************************************************************************
AND IN CASE YOU DIDN'T KNOW WHERE WE GOT THE IDEA FOR THE 'NATIONAL DUMMKOPF' AWARD, THIS REPRINT OF THE US NEWS & WORLD REPORT/IRAQI COMPUTER VIRUS BOONDOGGLE MAY REFRESH YOUR MEMORY
**************************************************************************

From CSERVE's OnLine Today, Sept 11, 1992 [No, I don't know why they've chosen to reprint it now.]:

Monitor - {comments in [] by URNST}

US HIT IRAQI COMPUTERS WITH VIRUS BEFORE GULF WAR, MAGAZINE SAYS

(Jan. 11) A weekly news magazine is reporting US intelligence agents inserted a virus into a network of Iraqi computers tied to that country's air defense system several weeks before the start of the Persian Gulf War a year ago. US News and World Report, citing two unidentified senior US officials, reports in its issue dated next week the virus was designed by the supersecret National Security Agency at Fort Meade, Md., and was intended to disable a mainframe computer. The magazine says the virus appeared to have worked, but gave no details. The report is part of a book, based on 12 months of [somewhat shaky] research by US News reporters, called "Triumph Without Victory: The Unreported History of the Persian Gulf War," to be published next month. The magazine also said the virus operation may have been irrelevant because of the allies' overwhelming air superiority.
It reported the secret operation began when US intelligence agents identified a French-made computer printer that was to be smuggled from Amman, Jordan, to a military facility in Baghdad. The Associated Press, quoting the magazine report, says, "The agents in Amman replaced a computer microchip in the printer with another microchip that contained the virus in its electronic circuits. By attacking the Iraqi computer through the printer, the virus was able to avoid detection by normal electronic security measures, the report said." The magazine goes on, "Once the virus was in the system, the US officials explained, each time an Iraqi technician opened a `window' on his computer screen to access information, the contents of the screen simply vanished."

--Charles Bowen

WAS REPORT OF US VIRUS ASSAULT ON IRAQI SYSTEM BASED ON A SPOOF?

(Jan. 14) A 1991 April Fools Day spoof in a computer magazine has writers and editors at US News and World Report rechecking sources on its report that the US inserted a virus into a network of Iraqi air defense computers several weeks before the start of the Persian Gulf War. As reported earlier, the news magazine cited two unidentified senior US officials in reporting the alleged virus was designed by the supersecret National Security Agency at Fort Meade, Md., and was transmitted by a printer smuggled into Baghdad. The magazine said the virus appeared to have worked, but gave no details. However, Associated Press writer Robert Burns reports today, "Trouble is, a computer industry publication, InfoWorld, sketched out a strikingly similar scenario in a column that ran in its April 1, 1991, issue. That article was an April Fool's joke, pure fantasy dreamed up by writer John Gantz." This news has the folks at US News and World Report concerned.
The main author of the magazine's report, Brian Duffy, told Burns, "I have no doubt" US intelligence agents carried out such an operation, though he acknowledged the similarities with the InfoWorld article were "obviously troubling." Duffy said the magazine is rechecking its sources to determine whether details from InfoWorld's spoof "leeched into our report." [No news on whether desktop PC's at US NEWS & WORLD REPORT were infected by a LEECH virus variant.] As noted, US News said in print it had learned from unidentified US officials that intelligence agents placed the virus in a computer printer being smuggled to Baghdad through Amman, Jordan. It said the printer, described as French made, spread the virus to an Iraqi mainframe computer that the magazine said was critical to Iraq's air defense system. Burns notes the InfoWorld article was not labeled as fiction but "the last paragraph made clear that it was an April Fool's joke." [What does this mean: Said [article] was not labeled as fiction but "the last paragraph made clear it was an April Fool's joke"? See Orwell's "1984" for other good examples of "newspeak/doublespeak."] Gantz, the InfoWorld author, told Burns his article was "totally a spoof," and that he had no knowledge of any such intelligence operation. Burns said questions about the accuracy of the US News story arose yesterday "when a number of readers called The AP to say the virus account was curiously like the InfoWorld article, which Duffy said he hadn't previously seen." [And monkeys are flying out my ass.] The InfoWorld spoof said the virus was designed by the National Security Agency for use against Iraq's air defense control system, and that the CIA had inserted the virus into a printer being smuggled into Iraq through Jordan before the Persian Gulf war began last January. The article continued, "Then the virus was on its own, and by Jan. 8, the allies had confirmation that half the displays and printers in the Iraqi air defense system were permanently out of commission." The US News report also said the virus was developed by the National Security Agency. Both the publications stressed the reason for placing the virus in the printer was to circumvent normal anti-tampering systems in mainframe computers. AP noted, however, some private computer experts said it seemed highly unlikely that a virus could be transferred to a mainframe computer from a printer. Winn Schwartau, executive director of the International Partnership Against Computer Terrorism, observed, "A printer is a receiving device. Data does not transmit from the printer to the computer." [Winn Schwartau, obviously a cool guy, knows a line when he hears it.]

--Charles Bowen

MAGAZINE STICKS TO ITS GUNS ON ITS PERSIAN GULF WAR VIRUS STORY

(Jan. 17) Contending it has re-checked its sources, US News & World Report says it is standing behind its original story that US intelligence agents tried to disable an Iraqi military network with a computer virus transported to Baghdad in a printer just before the start of the Persian Gulf War. The Associated Press reports the magazine said it had confirmed the attempt was made, as reported in its Jan. 20 issue, but had not been able to determine whether the virus attempt was successful. That original story was called into question when journalists noted its striking [I saw both articles. "Striking similarity" aren't the words I would use. How about "so exact it's plagiarism."] similarity to a 1991 April Fools Day spoof published in the computer magazine, InfoWorld. AP quoted US News editors as saying in a statement, "We took seriously questions which were raised about the accuracy of this story and have re-reported it. We have confirmed that, as we reported, a high-level intelligence operation based in Jordan was targeted at Iraqi air defenses.
As we reported, a computer virus was inserted into a French-made computer printer that was to be smuggled into Iraq to disable its air defense system. What cannot be confirmed is whether the operation was ultimately successful." [LIARS.] Brian Duffy, the magazine's assistant managing editor for investigative projects, told the wire service the original sources believed the system must have worked because Iraqi air defense guns opened up before any US airplanes had appeared. [Liar, liar, pants on fire. How does that prove anything? Mebbe the Iraqis were jumpy is a far better explanation.] Duffy said the magazine checked [Liar, liar, pants on fire.] with two senior Pentagon officers who confirmed the planting of the virus in the printer, but said it was not known whether the printer ever reached Iraq. [Hoho! That's an interesting way to get off the hook. I'll have to remember it.]

--Charles Bowen

-------------------------------------------------------------------
AND WE'RE STILL KEEPING AN EYE ON THE WORLD OF CORPORATE STIFFS (OR ANOTHER ONE SOURCE, STRONG BUT VAGUE NEWSPIECE):
-------------------------------------------------------------------

BEWARE OF THE INFESTED UNDERGROUND BBS - from LAN Times, Sept. 14, 1992

Virus-authoring toolkits for creating rogue code are working their way into the arsenals of the nation's top computer crackers. The initial distribution point for this new variety of CASE tool is an underground BBS sponsored by a select fraternity of highly intelligent, but socially inept, teens. Some experts fear the toolkits could increase the crackers' productivity exponentially, enabling them to generate viruses far faster than the security industry could detect each new strain and come up with antidotes or vaccines. "The current crop of virus-authoring tools have so far produced only mediocre viruses, and some don't work at all," said one security expert who has examined the code. "However, some of these fledgling viruses could prove lethal.
All the authors would have to do is simply alter one piece of the instruction code." The BBS fraternity is thus far confined to about 25 members, with dozens more "wanna-be's" trying to penetrate the inner circle. To gain acceptance, newcomers must establish their bona fides. First, they get the attention of the ringleaders with a creative login name. This is usually a historical character or an outlandish nickname, such as "Dr. Doom" or "Master Blaster." Next comes the initiation rite. "This usually consists of uploading a new, exotic virus that the crackers haven't seen or heard of," the security expert told LAN Times. If the new guys do indeed upload such a virus, the BBS ringleaders will usually let them download one of the virus writing tools. "The BBS is really the equivalent of a clubhouse or fraternity for these kids," said another source. Electronic bulletin boards are legitimate sources of information accessed by hundreds of thousands of users each day. And, ironically, the legitimate BBSes are often the best sources for the cracker network. There is one BBS in San Francisco whose members are made up almost entirely of security practitioners. Among the files it disseminates is 40HEX, which contains disassemblies of viruses. While the sponsors of this BBS are the good guys, anyone can get access by paying $45 for a membership in the National Computer Security Association (NCSA). The NCSA has about 1,000 members, and all of them - security professionals and crackers alike - can download virus code from the BBS.

--L.D.

[This story was obviously 'leaked' by some holier-than-thou fink in the anti-virus community who's got a professional axe to grind with the NCSA. Christ, these people will eat themselves if left alone long enough.]

****************************************************************************
INCAPABILITIES!! - a new Crypt column discussing plotted weaknesses
INCAPABILITIES!! - in current editions of antivirus software.
INCAPABILITIES!! - This month's kickoff report by Vesko Bontchev,
INCAPABILITIES!! - culled from a Virus Digest/FidoNet transmission.

Software pack (the INSUFF/MtE spawning viruses) and additional research by URNST KOUCH.

THE MTE, POLYMORPHIC VIRUSES AND SCANNING TECHNOLOGY (OR LACK OF IT)

VIRUS-L Digest Thursday, 10 Sep 1992 Volume 5 : Issue 150

Date: 09 Sep 92 19:31:01 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Scanners and polymorphic viruses (PC)

Hello, everybody!

With the advent of sophisticated polymorphic viruses like Dark Avenger's Mutating Engine, it is becoming more and more obvious that the scanners have a really hard time detecting all infections. I have already posted several articles about how well (or, more exactly, how badly) the different scanners detect the MtE-based viruses. Several people have asked me why I am testing only MtE detection capabilities, since none of the currently existing MtE-based viruses is intelligent enough to spread widely and to be a significant danger. I am doing this because the MtE is one of the most sophisticated tools for building polymorphic viruses and presents a lot of trouble to the producers of scanning software. Therefore, the inability to detect the MtE-based viruses shows very well how limited the scanners are - the MtE has been available for almost a year, yet only about a dozen scanners achieve at least some success in detecting it. Of them, about half are unable to detect it reliably. However, the MtE-based viruses are not the only polymorphic viruses which present problems to the scanners... I have tested several scanners on a lot of examples of some of the most polymorphic viruses. There is a clear need to use a lot of examples, since some scanners are able to detect only one or two instances of some polymorphic viruses - the examples that the producer of the scanner has...
I used the following viruses during the tests:

Standard CARO name:      Number of different mutants generated:
-------------------      --------------------------------------
Andryushka.A              46
Emmie                     16
Haifa.Haifa              105
Haifa.Motzkin            101
Involuntary.A              8
Involuntary.B             89
Maltese_Amoeba            39
MtE_0_90.Dedicated        96
MtE_0_90.Pogue            98
MtE_0_90.Questo          101
MVF                       96
Necros                   115
PC-Flu_2                  35
Silly_Willy               93
Simulate                  29
Slovakia.2_02             81
Slovakia.3_00             57
StarShip                 148
Tequila                   68
Todor                    101
V2Px.V2P1                 35
V2Px.V2P2                  8
V2Px.V2P6                 27
V2Px.V2P6Z                61
WordSwap.1391              3
WordSwap.1495             10
Whale                    164 (covering mutants #00 to #33)

The following scanners were used during the tests:

Scanner:      Version:   Producer:
--------      --------   ---------
FindVirus     4.34       S & S International
F-Prot        2.05       FRISK Software
VIRUSCAN      95         McAfee Associates
HTScan        1.8        Harry Thijssen
VirX          2.4        Microcom
AntiVir IV    4.04       H+BEDV
Anti-Virus+   4.20.01    IRIS
CPAV          1.0        Central Point Software

Some comments. You all know the first three products; I used the latest versions available. HTScan is a user-programmable scanner. It depends on a text file containing wildcard scan strings. Since most polymorphic viruses cannot be detected this way (they need an algorithmic approach), I tested another feature of the scanner - the so-called AVR modules. They are small programs, loadable at runtime, which are executed by the scanner and are supposed to perform algorithmic detection of those polymorphic viruses which cannot be detected with simple or even with wildcard scan strings. In this particular version, there are AVR modules for Maltese_Amoeba, MtE-based viruses, and the V2Px.* series. VirX I couldn't test. It does something incredibly stupid - it tries to keep the whole report file in memory. Of course, it soon runs out of memory, so no record is kept of which viruses are detected and which are not. I did only a partial test - on the MtE-based viruses only. We have only a very ancient version of CPAV, so the test results for it are not up-to-date.
That version tried to detect only V2Px.* and Whale. Unsuccessfully, on top of that... Here are the results of the tests. Note that when I say that a scanner reliably detects a virus, this holds only for these tests. It does not mean that it will be able to detect all possible instances of the virus; it just means that I have been unable to find an instance that it does not detect. However, when I say that a scanner does not detect a virus reliably, this means that it misses at least one example and I have proven this.

FindVirus detected all infected files. However, this result is not very fair towards the other scanners, since Dr. Solomon had access to the infected samples before submitting that version of the scanner. This was not so with the other anti-virus producers.

F-Prot failed to detect at all Necros, Silly_Willy and Todor. It failed to detect reliably Andryushka.A, Whale (mutant #32), and V2Px.V2P6Z (only one example missed). It detected reliably all other viruses.

VIRUSCAN does not detect at all Andryushka.A and StarShip. The latter is rather strange, since I submitted examples of this virus to McAfee Associates months ago. The scanner does not detect reliably MtE_0_90.Questo, MVF, Slovakia.2_02, Slovakia.3_00, V2Px.V2P6Z (only one example missed) and Whale (mutant #33 missed). It also sometimes misidentifies MtE_0_90.Pogue as 7thSon (when the virus is not encrypted), but SCAN is proverbial for its lack of exact identification. It succeeded in detecting the other viruses reliably.

VirX, tested on the MtE-based viruses only, still does not recognize those viruses reliably. It missed 12 of the total 292 examples.

AntiVir IV (a German anti-virus product) does not detect at all Andryushka.A, Emmie, Haifa.Haifa, Haifa.Motzkin, Involuntary.A, Involuntary.B, MVF, Necros, PC-Flu_2, StarShip and Todor. It failed to identify correctly V2Px.V2P2 (one missed example) and Whale (several mutants).
The other viruses were detected reliably - even the MtE-based ones, with the exception that the non-encrypted files infected with an MtE-based virus were reported to contain two viruses.

HTScan's AVR module for Maltese_Amoeba (IRISH.AVR) doesn't detect the virus reliably. Surprisingly, the collection of wildcard scan strings for the same virus, which is present in the text database, -does- detect this virus reliably. So, my advice to the users of HTScan is to delete the file IRISH.AVR and to rely on the database of signatures. The module for Haifa.Haifa detected reliably all instances of the virus, but didn't detect even one instance of the related virus Haifa.Motzkin. The module which is supposed to detect MtE-based viruses (its version is 2.3) failed to detect the non-encrypted examples infected with MtE_0_90.Pogue and MtE_0_90.Questo. The module for the V2Px viruses (called "Washburn") detects reliably V2Px.V2P1, but missed one instance of V2Px.V2P2, three instances of V2Px.V2P6 and lots of instances of V2Px.V2P6Z. The Whale virus was detected reliably by the collection of scan strings in the database.

Anti-Virus+ does not detect at all Andryushka.A, Emmie, MVF, Necros, Silly_Willy, Necros, Slovakia.2_02, Slovakia.3_00, StarShip, Tequila, Todor, WordSwap.1391 and WordSwap.1485. It did not detect reliably Involuntary.A (in SYS files), MtE_0_90.Dedicated, MtE_0_90.Questo, V2Px.V2P6, V2Px.V2P6Z and Whale (several mutants). The other viruses were detected reliably.

The above tests clearly show that most of the current scanners are still unable to cope with the existing polymorphic viruses, even with such well-known viruses as V2P6 and MtE. At least one scanner was unable to detect even Tequila! This virus is quite widespread and can be detected with a few wildcard scan strings (3-4, I believe). And in the near future we'll see more and more polymorphic viruses...
If some producer of scanning software thinks that his product is able to show better results but I have missed testing it, s/he is welcome to contact me and provide me with a copy of their product (or tell me where to get it, if it is available through anonymous ftp). I am ready to test it and to publish the results, provided that:

1) The scanner is able to run without user intervention. I don't want to be prompted to "press any key" each time a virus is found.
2) The scanner is able to produce a report file.
3) The scanner is able to output in the report file the names of all files being scanned, not only those that it considers to be infected.
4) The scanner requires a reasonable amount of memory. For instance, Norton Anti-Virus 2.1 refused to run in about 400 Kb free memory.

A description of how to instruct the scanner to conform to the above requirements (i.e., secret options, etc.) is welcome.

Regards,
Vesselin

Vesselin Vladimirov Bontchev                      Virus Test Center, University of Hamburg
Tel.: +49-40-54715-224, Fax: +49-40-54715-226     Fachbereich Informatik - AGN
** PGP public key available on demand. **         Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de  D-2000 Hamburg 54, Germany

-*-

Well, now, if only Vesko would clean up his English skills the report would have been damn near perfect. In any case, the report gets right to the heart of this issue's software offering: the INSUFFICIENT MEMORY (or INSUFF/INSUFFERABLE) viruses. If you're a virus collector, you know MtE-loaded programs are a hot item. Even though the Engine is a genuine White Elephant (hobbled by incredibly poor documentation), because of judicious media attention and perfect p.r. timing by anti-virus software developers, it remains an object of keen interest to many rather poorly informed individuals.
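Vesko's requirements 2 and 3 (a report file that names every file scanned, not just the hits) are what make a scanner's results auditable: with such a report and a labelled sample set, the "reliable" verdicts above can be reproduced by anyone. The following Python script is an added example, not part of the newsletter or of any scanner, that scores a report against a sample set by the same standard he applies: a virus counts as reliably detected only when no sample of it was missed. It goes slightly beyond the post by also listing clean files a scanner wrongly flags and sample files that never appear in the report (a requirement 3 violation). The report line format ('path: verdict'), the sample-set layout and every file name in it are constructed assumptions; real scanners each have their own report syntax.

```python
"""Score an anti-virus scanner's report file against a labelled sample set.

Added example (not the newsletter's or any scanner's own code).  Assumed
report format: one '<path>: <verdict>' line per scanned file.  The sample
set and report text below are constructed; they are labels only.
"""
from collections import defaultdict

# Constructed sample set: path -> virus it carries (None = known-clean file).
SAMPLE_SET = {
    r"SAMPLES\TEQUILA\T01.EXE": "Tequila",
    r"SAMPLES\TEQUILA\T02.EXE": "Tequila",
    r"SAMPLES\WHALE\W31.COM": "Whale",
    r"SAMPLES\WHALE\W32.COM": "Whale",
    r"SAMPLES\WHALE\W33.COM": "Whale",
    r"SAMPLES\V2P6Z\Z01.COM": "V2Px.V2P6Z",
    r"SAMPLES\V2P6Z\Z02.COM": "V2Px.V2P6Z",
    r"SAMPLES\CLEAN\CMD.EXE": None,   # present to catch false positives
}

# Constructed report, assumed format.  Per requirement 3 above it must list
# every file scanned, including the ones the scanner thinks are clean.
REPORT = """\
SAMPLES\\TEQUILA\\T01.EXE: Found Tequila
SAMPLES\\TEQUILA\\T02.EXE: Found Tequila
SAMPLES\\WHALE\\W31.COM: Found Whale
SAMPLES\\WHALE\\W32.COM: OK
SAMPLES\\WHALE\\W33.COM: Found Whale
SAMPLES\\V2P6Z\\Z01.COM: Found V2P6
SAMPLES\\V2P6Z\\Z02.COM: Found V2P6
SAMPLES\\CLEAN\\CMD.EXE: OK
Scan complete
"""


def parse_report(text):
    """Map each scanned path to True (flagged) or False (reported clean).
    Lines without a ': ' separator (banners, summaries) are ignored."""
    verdicts = {}
    for line in text.splitlines():
        path, sep, verdict = line.rpartition(": ")
        if not sep or not path:
            continue
        verdicts[path.strip()] = verdict.strip().upper() != "OK"
    return verdicts


def score(sample_set, verdicts):
    """Return ({virus: (detected, total)}, unscanned paths, false positives).
    A sample missing from the report cannot be scored at all."""
    per_virus = defaultdict(lambda: [0, 0])
    unscanned, false_positives = [], []
    for path, virus in sample_set.items():
        if path not in verdicts:
            unscanned.append(path)
            continue
        if virus is None:
            if verdicts[path]:
                false_positives.append(path)
            continue
        per_virus[virus][1] += 1
        if verdicts[path]:
            per_virus[virus][0] += 1
    return {v: tuple(c) for v, c in per_virus.items()}, unscanned, false_positives


def classify(results):
    """'reliable' only when no sample was missed; a single miss downgrades
    the verdict, which is exactly the standard applied in the post above."""
    out = {}
    for virus, (hit, total) in results.items():
        if hit == 0:
            out[virus] = "not detected"
        elif hit < total:
            out[virus] = "not reliable (%d of %d missed)" % (total - hit, total)
        else:
            out[virus] = "reliable"
    return out


if __name__ == "__main__":
    results, unscanned, fps = score(SAMPLE_SET, parse_report(REPORT))
    for virus, verdict in sorted(classify(results).items()):
        print("%-12s %s" % (virus, verdict))
    if unscanned:
        print("files missing from report:", unscanned)
    if fps:
        print("false positives:", fps)
```

Note that the script scores detection only, not identification: the constructed report calls V2P6Z "V2P6" and still gets full marks, which is the same looseness Vesko complains about in SCAN. Checking the reported name against the label is a one-line addition once a naming convention is agreed.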
So, for your educational pleasure the Crypt Newsletter has worked up a number of simple MtE-loaded companion viruses, unique if only because no one but us has come up with the stupid idea of using the MtE in a spawning program. In keeping with Vesko's results, these viruses are not detected by the most recent roll-outs of SCAN 95b, CPAV, VIREX or NAV. In regard to the latter, I include a press release from SYMANTEC, for your review:

"Our AntiVirus Labs tested the detection capabilities of The Norton AntiVirus v2.1 against the Mutation Engine, which created over 900,000 mutations during our test. The Norton AntiVirus v2.1 detected all 900,000, and will detect them on your system too, before they destroy your data."

Here at the Crypt Newsletter we feel fortunate to have gotten those 900,001st, 900,002nd and 900,003rd MtE mutations that NAV 2.1 cannot detect. Ruh-hemmmhmmmm. Perhaps SYMANTEC shouldn't be so hasty in jobbing out these tasks to Gary Watson in the future. [It's an inside joke.]

In any case, F-PROT 2.05, tbSCAN (ThunderByte) and AVScan v.097 (beta) (DataTechnik) do detect the MtE variants spawned from the viruses in this issue. tbSCAN, according to its documentation, disassembles the virus on the fly. It's easy to see why developer Frans Veldman may have decided to go this route if you load the INSUFF viruses into a debugger like ZanySoft's ZD86 and 'proc' step through them. (Or if you're ballsy, just 'Go.') It takes only an instant for the virus to 'unspool' in memory; a 'step through' of the MtE decryption key follows a distinct pattern for every 'mutant.' AVScan v.097 did a nice job on them, too, even correctly identifying encrypted and unencrypted forms. However, only the techies will be using tbSCAN and AVScan. Your average mook lashes himself to SCAN, CPAV, VIRX, or NAV and these programs remain sadly inadequate when engaging 'new' MtE viruses.
In our benchtop tests, all four failed to detect any mutants generated by our closely related school of spawning viruses. And that brings the discussion around to "Why SPAWNING, for crying out loud?" We shall tell you.

The current edition of CPAV and a number of other no-name retail a-v packages are COMPLETELY vulnerable to penetration by companion viruses even with default resident protection and integrity checking enabled. To understand this, you must recall that spawning viruses don't actually touch your files. Instead, the average spawner goes out at infection time, looks for a target .EXE file and creates a duplicate of itself as a 'companion' .COM file to the targeted .EXE. Then when you call that .EXE, DOS looks around, finds a .COM (the virus) with the same name and loads it instead. Usually, the virus stores itself as a hidden, read-only, system file to elude casual observation, and this is what the INSUFF programs do.

In bench-top tests, CPAV DID NOT DETECT ANY of our companion virus infections. In fact, it added the 'companion' files to its .CPS integrity listings without a squeak. (CPAV was installed on our test system using the recommended defaults.) In comparison, Stiller Research's INTEGRITY MASTER 1.12 easily followed companion infections on our machine and notified the user with a warning screen which gave proper advice for removal.

The Crypt Newsletter reader gets a lesson in simple virus design with the INSUFF programs. Spawning sneaks through a big back door in CPAV, while the MtE polymorphic encryption targets many scanners directly. The INSUFF viruses still remain quite simple. The source code supplied will only give you a virus which searches the current directory. INSUFF1, then, illustrates the principle but will hardly get very far - probably not beyond a primary infection (although I never underestimate viruses). It is not even particularly dangerous since it doesn't touch your files and is easily removed by deletion.
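The companion trick described above is easy to audit once you know what to look for, and it is exactly what Integrity Master got right and CPAV got wrong: a .COM sitting beside an .EXE of the same name, typically flagged hidden/system/read-only and absent from the integrity checker's baseline, should be reported rather than quietly added to the database. The following Python script is an added example from the defender's side, not code from the newsletter or from CPAV or Integrity Master. The directory listing, the baseline and all file names in it are constructed; the attribute bit values are the standard DOS/FAT ones.

```python
"""Spot DOS 'companion' infections: a .COM that shadows an .EXE of the same
name, which COMMAND.COM will run first when the bare name is typed.

Added example; not code from the newsletter or from any product it reviews.
The directory listing, the integrity baseline and all file names below are
constructed.  The attribute bit values are the standard DOS/FAT ones.
"""

ATTR_READONLY = 0x01   # standard FAT directory-entry attribute bits
ATTR_HIDDEN = 0x02
ATTR_SYSTEM = 0x04

# Constructed listing of one directory: name -> (size in bytes, attribute bits)
LISTING = {
    "EDIT.EXE": (33000, 0),
    "EDIT.COM": (640, ATTR_READONLY | ATTR_HIDDEN | ATTR_SYSTEM),  # shadowing .COM
    "LIST.EXE": (9000, 0),
    "WP.EXE": (120000, 0),
    "WP.COM": (4096, 0),          # also shadows, but with plain attributes
    "COMMAND.COM": (47845, 0),    # a .COM with no .EXE twin: not a pair
    "FORMAT.COM": (22000, 0),
}

# Constructed integrity baseline recorded before the two .COM files appeared.
BASELINE = {"EDIT.EXE", "LIST.EXE", "WP.EXE", "COMMAND.COM", "FORMAT.COM"}


def _normalize(listing):
    """DOS names are case-insensitive; compare everything in upper case."""
    return {name.upper(): entry for name, entry in listing.items()}


def shadowed_pairs(listing):
    """Return the .EXE names that have a same-stem .COM beside them.
    DOS resolves a bare command name as .COM, then .EXE, then .BAT, so the
    .COM runs instead of the program the user asked for."""
    names = set(_normalize(listing))
    return sorted(n for n in names if n.endswith(".EXE") and n[:-4] + ".COM" in names)


def companion_findings(listing, baseline):
    """Score each shadowing .COM.  A file that is new since the baseline and
    carries hidden/system bits is the textbook companion-virus footprint."""
    norm = _normalize(listing)
    base = {n.upper() for n in baseline}
    findings = []
    for exe in shadowed_pairs(listing):
        com = exe[:-4] + ".COM"
        size, attrs = norm[com]
        reasons = ["shadows " + exe]
        if com not in base:
            reasons.append("not in integrity baseline")
        if attrs & ATTR_HIDDEN:
            reasons.append("hidden")
        if attrs & ATTR_SYSTEM:
            reasons.append("system")
        if attrs & ATTR_READONLY:
            reasons.append("read-only")
        if size < 2048:
            reasons.append("tiny (%d bytes)" % size)
        findings.append((com, reasons))
    return findings


def integrity_diff(listing, baseline):
    """What an integrity checker should report instead of silently absorbing
    new files into its database: every executable added since the baseline."""
    added = set(_normalize(listing)) - {n.upper() for n in baseline}
    return sorted(n for n in added if n.endswith((".COM", ".EXE", ".BAT")))


if __name__ == "__main__":
    for com, reasons in companion_findings(LISTING, BASELINE):
        print("%-12s %s" % (com, ", ".join(reasons)))
    print("new executables since baseline:", integrity_diff(LISTING, BASELINE))
```

On a real volume `LISTING` would be built from a directory walk; on Windows the same attribute bits are available as `os.stat(path).st_file_attributes`. The point of `integrity_diff` is the CPAV lesson: a checker that adds unknown executables to its own database without asking has defeated itself, since a companion never modifies anything the checker already knows about.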
INSUFF2 is a little more interesting, for the reader impatient with INSUFF1. INSUFF2 will drop the NOIZ Trojan onto .EXEs in the current directory anytime after 4:00 pm. If INSUFF has already created 'companions' for these files, the user may see nothing initially. The NOIZ Trojan does not scan. However, when INSUFF2 is removed or eliminated as a 'companion' for the altered .EXE, the NOIZ Trojan will be unmasked. Calling the .EXE will install NOIZ in RAM where it takes up about 8k and compels the PC to make frequent, strange farting noises until the machine is rebooted. NOIZ will not install itself more than once in RAM; it is a semi-intelligent 'zombie.' Of course, it goes without saying that files altered by the NOIZ Trojan are permanently ruined and must be restored from back-up. The NOIZ Trojan hooks a hardware interrupt when it becomes resident. We leave it to the reader as an insignificant academic exercise to find the interrupt.

Since INSUFF1 and INSUFF2 are 'direct-action' infectors of their current directory, they are FAST. If called on a system they will search and write to the drive in less than a fraction of a second. In most cases, the drive light flicker will be analogous to what is seen when an "Unknown command or file name" error is produced. So, when a 'spawn-infected' program misfires because the virus is doing its business, it's quite possible the mystified user will repeat the command once or twice before giving up, putting the viruses well into the directory. [This is exactly the worst thing to do.] If called from a different directory in the path, INSUFF can get out of hand. Keep in mind that if INSUFF2 is on a system and called after 4 in the afternoon, many executables may silently suffer 'zombie-fication.' This is frustratingly destructive and difficult to overlook.

The newsletter also contains the DEBUG script for INSUFF3. INSUFF3 will jump out of the current directory once it has infected all files in it.
This simple directory span increases its potential for fast spread considerably. INSUFF3, like INSUFF2, will trojanize selected .EXE files with the NOIZ 'zombie' in the directory it is called from anytime after 4:00 pm.

[If the reader needs the source code for INSUFF2 and INSUFF3, both can be obtained, no-questions-asked, from the DARK COFFIN BBS, listed at the end of this document. Codes are located in the Crypt Newsletter directory in the Files section of the BBS.]

Next issue: The poor man's guide to making multi-partite viruses. Maybe. (I tend to change my mind a lot.)

*****************************************************************************

KRYPT KONSUMER KORNER (Guide to Term addendum):

ZCOMM (Omen Technology) v. HyperACCESS/5 (Hilgraeve) -- ZCOMM, the shareware subset of Chuck Forsberg's Pro-YAM comm tool, ain't for everyone. It doesn't beep and boop, it's got no menus to speak of; it is spare, spare, spare in 'looks.' But you, the assertive, manly Crypt newsletter reader, don't crave 'looks' now, do you? You want performance - raw, uncompromised power! ZCOMM has it in spades. Enter ZCOMM in DOS. Up comes a command prompt. Type 'call koolwarez' and, if you've had the wit to add the number of the KOOLWAREZ BBS to ZCOMM's master script, PHOMAST.T, with a simple ASCII editor, you're gone. (ZCOMM comes with a public domain editor, CSE, very similar in function to Semware's QEdit. CSE is from the Colorado School of Mines. You know they must have real men there!)

For transfers, Forsberg gives you X/Y/ZModems in all their flavors, KERMIT, Clink, Telink, MODEM7 and WXModem. If that's not good enough, time to flee to Mars. As for performance, none of the ZModem implementations in the packages reviewed last issue (PCPlus 2.01, Telemate, QModem 5.0, COM-AND 2.8) approached that of ZCOMM. And if you're spying on someone's BBS or just remembered that you want to save something that scrolled by 5 minutes ago, ZCOMM will save your butt.
Toggle its capture file and ZCOMM will write everything to disk from its ridiculously oversized scrollback buffer. Scrutinize a hex/ASCII dump of that raw virus you just downloaded with ZCOMM's display command! ZCOMM will remove noxious ESC sequences from screen captures polluted by the work of brain-damaged FelonyNet ANSI-artists, too, thus saving you and your printer much grief. Forget these features with ANY OTHER PACKAGE!

In truth, though, many will not feel up to the ZCOMM/Pro-YAM challenge. These users will be easily befuddled by ZCOMM's UNIX-like instruction set and look. They will be bullied into submission by ZCOMM's stark command line and nettled at the prospect of doing all configuration from the master script with nothing but a text editor and a meager amount of cerebrum as safety nets. They will crash and curse ZCOMM's author savagely when attempting as simple a task as logging on to a "local" pd BBS. (Of course, The Crypt Newsletter reader is no such craven swine.) But such is the ZCOMM/Pro-YAM price of excellence.

Another program vying for dominance with ZCOMM/Pro-YAM in the brute power category is Hilgraeve's HyperACCESS/5 3.0. It is of interest here at the Crypt because it's the first instance of a comm program which incorporates virus scanning in its file transfer suite. That said, we did an off-the-cuff evaluation of HyperACCESS's anti-virus ability. The program will unpack .ZIP files on the fly and scan executables archived within them, or scan your system as a stand-alone. A quick test revealed HyperACCESS could detect common viruses; in fact, it was rather efficient at picking up STONED 'droppers', JERUSALEM strains, numerous wearisome BURGER perversions and even the odd image file of a TELEFONICA boot infector. On the other hand, the scanner was sacked repeatedly by the common MtE viruses as well as all Crypt newsletter formulations. It did not detect MALTESE AMOEBA, STARSHIP, COMMANDER BOMBER, SUOMI (eh?)
or any VCL or PS-MPC creations or derivatives. Our consumer advice: you won't be buying HyperACCESS as an a-v scanner anytime soon.

This simple a-v utility does suggest itself for one virus-hunting use. It might be a nice exercise to enable HyperACCESS's 'unzip-on-the-fly' option when downloading new virus samples from boards you suspect of having nothing but BURGER, VIENNA and AMSTRAD hacks. HyperACCESS can flag such archives as they arrive on your end, name the virus, and log the results to a file for later browsing. Then you have a nice report verifying the 'quality' of the audited Vx BBS.

But even if we overlook its a-v features, HyperACCESS offers many handy utilities thought to be almost exclusively the domain of ZCOMM. It's got a fast, efficient file manager and its DOS gateway is supremely efficient. The capture buffer is generous and looks deep into the scrollback if you ask nice. HyperACCESS includes an extravagant text editor every bit the equal of QEdit, with only a rather crippled spell-checker to mar the picture. (The first time I used it on the Crypt newsletter it crashed when confronted by all the 50-buck words.)

In contrast to ZCOMM, HyperACCESS has been designed with an eye to luring away the average ProComm cripple from his favorite software. It will convert PCPlus 2.01 .FON directories for its own use, although its documentation sneers at the 'look and feel' of the Datastorm product. HyperACCESS/5 can also be used by point-and-shoot premature ejaculators and has slippery-looking sliding menus and terminal screens which even I enjoyed in a corrupt sort of way. But Hilgraeve knows its limitations, too. While its ZModem implementation is adequate, HA/5 includes two macros for utilizing Omen's DSZ program as an instant drop-in. No figuring out stupid external batch files, hey, hey!

On my disk, it's a toss-up between HyperACCESS/5 and ZCOMM/Pro-YAM.

---------------------

ZCOMM 17.96 is $45 cash money shareware from Omen Technology.
That's good for a diskette containing the ZCOMM programs and a daunting manual written in a style opaque to anyone even close to being a lip-reader. The unregistered ZCOMM is downloadable from just about everywhere, but I found it in the COMM Programs software library in CSERVE's IBMCOMM special interest group. (Type 'Go: IBMCOMM'.) Hilgraeve's HyperACCESS/5 v. 3.0 is retail only, for a short time available at $49.95, not including shipping and handling. You can reach Hilgraeve at: 1-800-826-2760.

*****************************************************************************

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

THE READING ROOM: BOOKS OF INTEREST TO THE VIRUS COMMUNITY

"Artificial Life" by Steven Levy (Pantheon)

"Computer viruses, then, stand on the cusp of life - and soon will cross over." - Steven Levy in "AL"

And here in Central Schnookville, PA, gravity drops to zero come noon and all the corporate stiffs lunching on the village common float through the air plucking startled birds out of the sky with their bare hands. A good portion of "Artificial Life" has Levy expounding that computer viruses fulfill what is known as the "strong claim" toward artificial life. It is the very essence of neo-intellectual flatus - the kind of prose that makes the occasional reading of Scientific American such an unpleasant experience. Levy comes up with interesting descriptive jargon for viruses, too: "add-on," which I suppose means "appending"; "shell," for God knows what. The "diabolical" Brain virus comes in for special attention; it hides a portion of itself in clusters marked "BAD." "A cluster stretches over 2 sectors of a 9 sector disk," writes Levy. (Hmmmm. Doesn't leave too much room for anything else, does it?) Plenty of minor stupid technical errors of this nature pepper Levy's book. Of course, they've flown by any number of dumbbell editors in the publishing business and they'll repeat the job on almost anyone who reads this book.
But don't think that because no one will know, somehow it's right. It's not and, unfortunately, it's typical of the modern 'science' journalist who thinks that simply by interviewing experts like Fred Cohen for three hours, he can magically obtain understanding. The skeptical Crypt newsletter reader will find "Artificial Life" is total crap. However, he may be amused by quotes like:

"Machines, being a form of life, are in competition with carbon-based life. Machines will make carbon-based life extinct." (page 336)

or

"A rock would certainly be low on any continuum of aliveness . . ." (page 6).

or

"Steven Levy needs help finding his ass with both hands." (Oops, how'd that get in here???)

Levy's previous work includes "Hackers," but "AL" will only be enjoyed by those who like the concept of "edu-tainment" or think that a library full of comic books, cyberpunk novels and cuttings from OMNI magazine constitute a national resource. The Crypt Newsletter gives "Artificial Life" a solid thumbs down!

"ACCIDENTAL EMPIRES" by Robert X. Cringely (Addison-Wesley paperback)

After wincing your way through "AL" you may want to head out to the local mall and pop for Cringely's worldview/thumbnail history of American computerland, now in paperback. Guaranteed, you'll be on the floor inside the first six pages when you read:

"Hate group number three . . . will just hate [this] book because somewhere I write that object-oriented programming was invented in Norway in 1967, when they know it was invented in BERGEN, Norway, on a rainy afternoon in late 1966. I never have been able to please these folks, who are mainly programmers and engineers, but I take some consolation in knowing that there are only a couple hundred thousand of them."

Recognize the type? Yup, Robert, we see 'em every day here at the newsletter, too. Fuck 'em. The shrewd Crypt newsletter reader will guess that we give "Accidental Empires" a solid thumbs up!
***********************************************************************
***********************************************************************

Crypt Newsletter Software: Additional documentation, lamentation and user notes for the terminally stupid. Why? Because we care!