The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 6 Issue 49

Sunday 27 March 1988

Contents

o Risks of loss of privacy from stolen computer
PGN
o Things that go POOF! in the night
PGN
o Virtuous Virus Language
Vin McLellan
o Batch Viruses
Brian M. Clapper
o Atari ST Virus
Chris Allen via Martin Minow
o Rhine floods Communication link; Nightmare Virus Construction Set; CCC hackers revenge threat
Klaus Brunnstein
o The Anti-Virus Business, or, This Generation's Snake-Oil?
TMP Lee
o Info on RISKS (comp.risks)

Risks of loss of privacy from stolen computer

Peter G. Neumann <NEUMANN@csl.sri.com>
Fri 25 Mar 88 09:51:03-PST
A thief made off with a $9,000 computer and printer from an office in Walnut
Creek CA, and discovered that his victim (Beth Savano) was a tax preparer.
In a remarkable display of good will, he returned to her 20 floppy disks
containing 150 tax returns that had been stored on the original hard disks.
However, he kept the original hard disk.


Things that go POOF! in the night

Peter G. Neumann <NEUMANN@csl.sri.com>
Fri 25 Mar 88 10:01:24-PST
The latest technology in check frauds is the use of a chemical that causes
the checks to disintegrate shortly after being deposited.  Such checks 
have turned up at banks in the Chicago area and in Tennessee, and were
drawn on accounts in California and Tennessee.  Typically a new account was
opened, the bogus check was deposited, and then a withdrawal was made before
the bogus check could bounce.

There are of course some comparable techniques in computer systems, using
Trojan horses, time bombs, etc., for data or a program to alter its own state.


Virtuous Virus Language

"Vin McLellan" <SIDNEY.G.VIN%OZ.AI.MIT.EDU@XX.LCS.MIT.EDU>
Thu 24 Mar 88 03:33:20-EST
All of us with a taste for technical history doubtless enjoyed Kevin Driscoll's
charming recollection (Risks 6.48) of a 20 year old memory-crunching parasite
in COMMON code he labelled a virus. What he described, however, sounds like
what the Apple II community in the early '80s widely circulated and described
as "worm" code. The Apple worms, like Dirscoll's code-critter, were simply
memory crunchers who rewrote themselves successively through the memory
(although some had neat graphics of the worm nibbling up the screen and off
into memory.) The Apple worms were, despite an identical name, quite different
from the "worm" created by Huff et al at Xerox Corporation in 1980; and
everything falls far short of the fictional "worm" described by the novelist
John Brunner in a 1975 novel.

Anyone with a report of an virus that was an actual ancestor to Fred Cohen's
1984 creation at USC -- christened "virus" by Ken Adeleman of RSA fame, one of
Cohen's mentors at USC -- could make a welcome addition to the literature by
describing it. (Cohen's creation was first described at a 1985 IFIPS conference
in Toronto.) Several reports of the NSA's reaction to Cohen's paper clearly
indicate that this was a new threat to the Fort Meade spooks who guard the US
government's most secure systems, but there may have been prior art unreported
somewhere.

I haven't yet heard any such tale. I have, however, received many calls from
journalists who have been told by respected computer security mavens that this
is a decades-old problem. A lot of people who should know better seem to
believe, like Driscoll, that any self-replicating program that moves itself to
a new location in memory is a "virus." Obviously few have read Cohen. The
widely-described IBM "virus" in VNET and Bitnet last December was not, for
instance, a "virus."

Let's get it straight, folks! A virus is defined by its capability for epidemic
contagion. It's a parasite program that attaches itself to another program,
effectively turning its victim into a "torjan" which, when executed, seeks out
a particular, targeted, pattern of code in any available potential victims
(programs) to attach a copy of itself ("infect" them) and make them too
"carriers." The virus is merely a medium for contagion; its undeclared mission
or task is in other code piggybacked upon it. (Cohen's formal description also
emphasizes that a virus can be designed to evolve -- change its form or target
-- over generations.)

The damn things are going to be with us for a long time, and it would be nice
not to lose control of the language as we did with "worms."  Anyone got any
*relevant* ancient history?

Vin McLellan        The Privacy Guild       (617) 426-2487


Batch Viruses

Brian M. Clapper <clapper@NADC.ARPA>
Thu, 24 Mar 88 09:28:05 EST
Kevin Driscoll's COMMON Code commentaries in RISKS 6.48 reminded me of
a simple and particularly nasty program I encountered while still in
college.  It consisted of 3 lines of FORTRAN:

    10 PRINT 1000
           GOTO 10
      1000 FORMAT ('+', 132*'-')

For those who may not remember, in FORTRAN, a '+' in the first column
is carriage control for an overstrike.  This small program continually
overstrikes 132 dashes on a line printer.  Needless to say, if it runs
long enough, it can do a fair amount of damage.  I was amazed at its
simplicity.  I made the mistake of mentioning it to a supposedly
trustworthy fellow student, one who I thought would share my amaze-
ment.  He did share the amazement, but he took the matter one step
further:  He typed it in, submitted a batch job to run it, and directed
the output to a high-speed line printer.  When he specified the printer
id, he made an error, and the output was sent to an unsupervised line
printer in the staff area of the computer center rather than to a
normal, operator-supervised line printer.  The job ran for quite
awhile, and caused untold dollars of damage to the printer.

Obviously, there should have been no way for a student to send any job
to an unsupervised line printer.  Had he sent it to one of the
standard, operator-supervised line printers, one of the operators would
have killed the job soon after it started printing. (Repeated
overstriking on a high-impact line printer has a very distinct sound.
Further, the operators were known to kill jobs which printed out those
fun computer posters we all liked so much in college.)  Still, I
remember thinking at the time that this type of malicious behavior can
be extremely difficult to prevent.  Even the CPU-time restrictions
placed on the typical student job were insufficient, since this program
can do quite a bit of harm in a very short time.  (And it did.)

As I recall, the student was caught.  His punishment was much less
severe than I would have thought.  I think he was denied further access
to the computer building for a few months and had his account taken
away.  The day after the incident, he told me about it in class.  He
was really indignant that the computer center staff had taken away his
account.

Brian M. Clapper, Naval Air Development Center, Warminster, PA


Atari ST Virus

Martin Minow THUNDR::MINOW ML3-5/U26 223-9922 <minow%thundr.DEC@decwrl.dec.com>
26 Mar 88 20:48
I've attached a long article on an Atari ST virus program, taken from Usenet,
adding a few comments (* in column 1) explaining Atari-specific terms.
Now, all of the popular personal computers have been attacked by viruses.
(It's probably not worth posting as-is to Risks, but you might want to stuff it
in your archives and post a summary.)

Martin.

Newsgroups: comp.sys.atari.st
Path: decwrl!labrea!agate!pasteur!ames!nrl-cmf!mailrus!umix!uunet!mcvax!ukc!reading!onion!minster!SoftEng!john
Subject: The Atari ST `virus'
Posted: 22 Mar 88 15:26:48 GMT
Organization: Department of Computer Science, University of York, England

I'm posting this for someone who does not have Usenet access.

            THE ATARI ST VIRUS
        ==================

This weekend I received a number of pd software disks from a computer store.
I found that three of these contained the 'ST Virus' that has been 
mentioned on the net recently. I did not however discover this until it
had trashed one disk and infected a very large number of disks.
    I have since disassembled the virus and worked out exactly what it
does and I am posting a summary of what I found here.

What The Virus Does
===================

When the ST is reset or switched on, it reads some information from track 0
sector 0 of the disk in drive A. It is possible to set up that sector so 
that the ST will execute its contents. The virus program is written into
this sector so that it is loaded whenever the ST is booted on the offending
disk. 
    Once loaded into memory the virus locates itself at the end of the 
system disk buffer (address contained at 0x4c2 I think) and attaches itself
to the bios getbpb() function. 
*
* getbpb() returns the operating system parameter block for a disk device.
*

    Every time getbpb() is called, the virus is activated. It tests the
disk to see if it contains the virus. If it doesn't then the virus is 
written out to the boot sector and a counter is initialised. 
    If the disk does contain the virus then the counter is incremented.
Once the counter reaches a certain value, random data is written across the
root directory & fat tables for the disk thus making it unusable. The virus
then removes itself from the boot sector of the damaged disk (destroys the
evidence??).
*
* The "fat table" contains the bitmap of unused sectors.
*

NOTES
=====

Once the virus is installed in the ST it will copy itself to EVERY non write
protected disk that you use - EVEN IF YOU ONLY DO A DIRECTORY - or open a
window to it from the desktop.

The virus CANNOT copy itself to a write-protected disk.

I *think* (but am not certain) that it survives a reset.

The current virus does not affect hard disks (it uses the flopwr() call).
*
* flopwr() writes a sector on a floppy disk (drives A or B).
*
However, if you are using an auto-boot hard disk such as Supra, and the disk
in drive A contains the virus, THE FLOPPY BOOT SECTOR IS EXECUTED BEFORE THE
HARD DISK BOOT SECTOR and consequently the virus will  still be loaded and
transferred to every floppy that you use.

THE CURE
========

 To test for the virus, look at sector 0 of a floppy with a disk editor.
If the boot sector is executable then it will contain 60 hex as its first 
byte. Note that a number of games have executable boot sectors as part of their
loading. However if this is the case then they should not load when infected
by the virus.

If people are worried about this & haven't been able to get the other killer
(I have not seen it yet) then I will post the source/object for a simple
virus detector/killer that I have written.

OTHER VIRUSES
=============

It would appear that this virus is not the end of the story. I have heard
that there is a new virus around. This one is almost impossible to detect
as for each disk inserted, it scans for any *.prg and appends itself to the 
text segment in some way. Thus it is very difficult to tell whether or not
the virus is actually on a disk.....

FINALLY
=======

Use those write-protect tabs!
Check all new disks!
Hopefully we can get rid of this virus totally before it damages something
important.

    Chris Allen.

If you want any information, etc etc mail me at:

Janet:  CJA1@uk.ac.york.vaxa
uucp:   ...!uunet!mcvax!ukc!minster!CJA1@VAXA
arpa:   CJA1%vaxa.york.ac.uk@mss.cs.ucl.ac.uk


RISK FORUM: 1. Rhine floods Communication link

Klaus Brunnstein <brunnstein%rz.informatik.uni-hamburg.dbp.de@RELAY.CS.NET>
March 24, 1988
                     2. Nightmare Virus Construction Set
                     3. CCC hackers revenge threat
Organisation: University of Hamburg, FRG, Faculty for Informatics

1. DATEX-P based international computer communication 2 days
   out-of-operation due to Rhine flood:

Access from some West German computers to several networks broke down for 2
days when the Rhine river overflooded its banks after heavy rain falls and
sudden snow smelting. The flood damaged the DATEX-P network of German Post
(dbp) at Bonn.  According to Hamburg protocols, the central node XPS.GMD.DBP
was unavailable since March 22, 8.55 (first error message, after last
successful transfer on March 21 at 7.10 pm) and the first sucessful transfer on
March 23 at 7.22 pm; officially, the network was declared available on March 24
at 2 am.  Most German universities and research institutes use this node
XPS.GMD.DBP (via their connection to GMD's central distribution computer)
exclusively for communication with EDU, COM and other networks.  During the
breakdown, only EARN and BITNET communication was available for `some time
period' (duration unspecified). Receipt of RISK-FORUM editions and this message
has also been delayed.


2. `Nightmare Software' and the CeBIT Hannover Fair:

Many discussions at the Hannover Fair, labelled "Center for Bureau and
Information Technologies" (CeBIT), held in Hannover, FR Germany this year on
March 16-23 and said to be the world's largest fair in Information and
Communication Technologies, were about Computer-related Risks.  A special
section had been devoted to "Secure Computer Centers", demonstrating building
security measures (TV-cameras, access control with chip cards etc) as well as
some ACF software on PC.  Some enterprises and the German computer trader
COMPAREX exhibited `warm' and `cold' backup computer concepts, and some
publications informed on `Vulnerability of Information Economy' (including an
article of this author, in the German edition of `Computerweek', which is
available by e-mail, on demand, to interested people).

After some (often badly informed) articles on `Viruses' in public newsmedia
(where the `Israel Virus' of Hebrew University was reported to spread over
international computer networks), many people share the fear of `computer
illnesses'.  One respected German newspaper (FAZ=Frankfurter Allgemeine
Zeitung, which often represents official positions) published in its
CeBIT-report (March 21st, p.17) a contribution on a program, defined as `Virus
Construction Set', named `Nightmare Software', which may be used to construct
as well as to detect and delete viruses. The paper writes:

  `People offering the Virus Construction Set are themselves aware that they
  `play with the fire'.  Program and documentation is only allowed to be given
  to people older than 18 years, and any liability is strictly denied. People
  buying the software must also know that application of the `Nightmare
  Program' is punishable, with up to 5 years in prison. On the other hand, the
  software traders hope that the knowledge of the `Virus danger' may prevent
  the respective damage.'

Though a growing public awareness about `Vulnerability of Information
Society/Economy' should generally be welcomed, the last paragraph of the
respective article may produce a new mysticism which may even worsen public
awareness. After some sentences on Viruses, their detection and combat
(compared how to fight anthrax), the final paragraph follows:

  `Somehow, the use of medical vocabulary in the context of prosaic computer
  programs has a `human touch'. The `ordinary citizen' may think that a
  computer may become as ill as a living body. Moreover: one can defend oneself
  and fight the infection. On the other side one could say that here, Devil is
  expelled with Beelzebub.'

After past comparisons of computers and human brain (which is the unfortunate
inheritance of pioneers like Alan Turing and John von Neumann), unadequate
biological analogies (Viruses) may bring up another mysticism which may
prevent rational analysis of risks embedded in elementary computer concepts
as well as in ill-analysed application packages.


3. Revenge Threat of German Hackers:

After the imprisonment of a leading member of Computer Chaos Club (CCC) in
Paris, some German hackers may plan `revenge activities'. `Der SPIEGEL',
often well informed, cites a Munich hacker: `when I become really angry,
nothing may prevent me from heavily confusing their systems' (Der Spiegel,
Nr.12, March 21, p.109-111). It seems wise to accurately monitor the access
patterns of network-accessible installations.

As reported in RISK 6.44, one of the chairmen of (Hamburg-based) CCC, Mr.
Steffen Wernery, has been arrested by French police when arriving at Charles
de Gaulle airport for a discussion with Philips officials and a subsequent
lecture on `the NASA hack' at SECURICOM. In the meantime, the German Criminal
Office (Bundes-Kriminal-Amt, BKA), charged with prosecuting possible German
participants in the invasion of computers at NASA, CERN and Philips France,
said that CCC officials have not participated in the NASA coup. Evidently,
the French police had not been informed about this result.

The work of CCC is heavily influenced by consequences of the arrest,
including heavy differences among CCC officials.  Hamburg newspapers report
that all CCC money has been spent in extensive, uncoodinated telephone calls
between Hamburg and Paris.  Moreover, the remaining chairpersons denied Mr.
Wernery's wish to sell the story of his arrest for exclusive publication for
a high enough prize to cover his defence expenses: while his approach was
denied by Hamburg CCC managers, financial problems of Mr. Wernery and the CCC
are unsolved.


Klaus Brunnstein, University of Hamburg, Faculty for Informatics


The Anti-Virus Business, or, This Generation's Snake-Oil?

<TMPLee@DOCKMASTER.ARPA>
Thu, 24 Mar 88 11:41 EST
From  the  24  March  1988  Minneapolis  Star  Tribune,  front  page of the
business section:

COMPUTER 'VIRUSES' CREATING ENTREPRENEURIAL OPPORTUNITY

Steve Gross [Technology editor]

Computer  'viruses'  are  creating  an  opportunity  for  firms marketing a
remedy in the form of anti-virus software.

A virus  is a tiny piece of software designed by a programmer who typically
seeks  to  damage  someone's  computer  data, usually at some predetermined
future  date.  Often the virus is planted in free computer programs offered
on  national  computer  bulletin  boards available to anyone whose personal
computer can receive data by telephone.

Once the  'infected' program is received from the bulletin board, its virus
begins to  replicate itself  like a biological virus.  Each duplicate virus
infects other  programs and  data stored  on the computer's floppy and hard
disks, erasing  all or  part of  the infected  material when the computer's
internal  clock  reaches  the  predetermined  set-off date.  If people have
made  back-up  copies  of  their  programs  and files, those disks also are
infected and will undergo the same disaster when used.

Viruses  have gotten  a lot  of publicity  lately.  Three weeks ago the New
York Times  reported that  computer viruses could become "a science-fiction
nightmare come  to life"  as they move unseen from one personal computer to
another across  telephone lines or within office computer networks.  In the
past few  months, people who run computer bulletin boards, corporations and
even  the  government  of  Israel  have  reported  viruses  infecting their
software.

"The biggest  source (of viruses) has been contaminated files from computer
bulletin  boards,"  said  David  Buerger, director of the Personal Computer
Center at  Santa Clara University in California, in an interview this week.
In addition,  some university students "have been infecting software in the
computer labs."

These  infections  represent  "a  real  opportunity"  for companies writing
anti-virus  software,  Buerger  said.   While the anti-virus programs can't
eliminate all  infections, they can force virus-writers "to be more clever.
They'll have to invest more time and effort.

"It's like  locking the  car when  you park  in a  high-crime district.  It
will stop  the kids  and the ones who want to take a joy ride.  But if it's
a professional thief .. the best system won't keep him out of he car."

Lloyd Tabb,  a software  writer for Sophco Inc., in Boulder, Colo. said his
firm markets  Protec, a $195 virus-detection program that includes features
called  Syringe  and  Canary.    Syringe  injects  a  harmless virus into a
program that  checks to  make sure  no harmful viruses are present.  Canary

is a  program that  waits for  a virus  and stops functioning if it becomes
infected, much  like the  real canaries  carried by old-time miners to warn
them of poisonous gases.

Ron  Sturtevant-Stuart,  president  of  Asky,  Inc.,  a  software  firm  in
Milpitas,  Calif.,  said  his  Softlog  program matches the current size of
computer  files  against  their  previous  size  to check for viruses.  The
program is licensed to corporations in lots of 100 units for $2,400.

Eric  Hansen,  a  vice  president  of  Fridley-based [a Minneapolis suburb]
Digital  Dispatch Inc.,  has been quoted in the New York Times and computer
industry trade  publications as  a result of the firm's $199 Data Physician
program, which detects and in some cases eliminates viruses.

Hansen said  viruses have  been talked  about for years, but are becoming a
problem now  because "there  are a  lot more  personal computers out there.
As  more  computers  move  into  more  people's hands, more persons of evil
intent are  going to have computer skills.  It really only takes one person
nationwide writing  one of  these things  and plunking  it up on a bulletin
board to cause enormous havoc."

The Data  Physician program, which has been marketed for three years, makes
careful measurements  of a computer's programs and data files to detect any
"alien" computer  codes, he  said.  One portion of the program, called Data
MD, creates  a list  of computer  data files  to be  protected, and watches
them  while  the  computer  is  in  operation.  Another part called Antigen
attaches  itself  to  an  individual  computer  program  and  checks it for
viruses each  time it is used.  To remove a virus, Antigen erases the bytes
of  computer  data  that  weren't  in  a program earlier, he said.  A third
portion  of  the  program,  called  Padlock,  prevents  anything from being
written  on a  storage disk unless the computer operator pushes a button to
give permission.

However,  Hansen  said,  "there  is  a  way  around absolutely everything."
Viruses  can  be  tailored  to  escape  detection  by  specific  anti-virus
program's  he said.   To prevent that, "you have to continually change your
product so  a virus  can't go  after it."   His  firm is  already trying to
develop a  foolproof version of Data Physician that couldn't be disabled by
a virus before the program had a chance to act, he said.

However,  anti-virus  software  makers  have  one advantage in the war with
virus inventors:  viruses can't be made too complicated.

For  example, a virus that could evade several types of anti-virus programs
would have  to consist  of a  longer and  more elaborate  piece of computer
code than  a non-evasive  virus, Hansen  said.   But, he added, "if you put
enough intelligence  into a  virus to beat every protection scheme, it will
get too fat and slow and be detected."

Please report problems with the web pages to the maintainer

Top