COMPUTER SECURITY
*****************

Compiled, edited & written by Ian Douglas 30/01/95
FidoNet 5:7102/119
TopNet 225:2048/1
InterNet iandoug@cybernet.za (changing soon)

===================================================================

Major story this month (ok, maybe not THAT major) was the attempt by Unisys Corporation to enforce its alleged patent rights to the compression system in the popular .GIF (Graphic Interchange Format) graphic format. Unisys wants developers of new software that can read or write the format to pay it royalties. The Internet uproared. (new South African English.)

The algorithm in question, LZW (Lempel-Ziv-Welch, after the three developers), has been published all over and implemented in numerous languages. Compuserve recently licensed the technology from Unisys, even though the Compuserve .GIF format has been using it for over seven years.

Telegrafix Communications (developers of the .RIP BBS graphics system) have since announced a new .GEF (Graphics Exchange Format) which uses the open standard LZHUF (Lempel-Ziv-Huffman) compression scheme, while still sticking to .GIF specifications. Telegrafix is prepared to release the new format into the public domain, if Compuserve agrees. This should solve the licensing problem.

There were messages on the internet questioning Unisys' patent rights, and claiming that the algorithm was actually developed by IBM.

===================================================================

Snippets from the press:

If you push the right three-key sequence on a Packard Bell 486 which has a Phoenix ROM-BIOS Plus v 1.10, you will apparently 'nuke' the BIOS, killing the machine dead (sounds like an insecticide commercial :-) ).

Beware of cheap Intel motherboards using the Saturn 486 PCI/ISA/VESA chip set. These motherboards freak out with bus-mastering controllers. (No, I don't know what that means.) The interrupts don't function properly, creating problems with Novell Netware and IBM's OS/2.
The chip numbers are 82378, 82423, and 82424. Intel has discontinued the range and replaced it with the new Ares chip set. You must pay if you want the bug-fix versions...

The Yanks raided another BBS suspected of distributing pirated software, including Novell Netware and betas of Windows 95. The Cloud 9 BBS had 22 GB of data available. The BSA estimates that in the USA, 35% of all business software in use is pirated. Microsoft has offered a reward of US$10 000 for information leading to the arrest of the pirates who spread the Windows 95 betas via the internet. Meanwhile Windows 95 has been delayed until August or September....

While pirate BBS's and internet sites make the headlines, the REAL problems are in the corporate jungle - where many businesses buy one copy and install it on all their machines. In SA, the BSA obtained an Anton Piller order against a JSE-listed company, after a tip-off from a former employee. This allowed the sheriffs to search 200 PCs in the company for illegal copies of Lotus and Microsoft programs. It appears that an out-of-court settlement was soon underway.

Some crackers managed to misuse Apple's free phone information line, and access BBS's and pornographic chat lines around the world. The system was not run by Apple, but by a third party.

Research by UCT indicates that SA companies have a one in three chance of falling victim to computer abuse (including fraud, cracking, sabotage, and viruses). This compares to the UK's one in four chance, and the Netherlands' one in five.

The US Department of Labour recently ordered all games to be wiped from PCs in their department. Sears-Roebuck, Intel, and Microsoft are said to be following suit and banning games from work PCs.

Several members of America Online, a dial-up service in the USA, have had their accounts suspended after allegations of trafficking in child pornography on the system.

===================================================================

Some messages of interest....
(trust the authors will not mind)

From : Ian Douglas 5:7102/119                      13 Jan 95 18:18:00
To   : All
Subj : trojan uploaded
---------------------------------------------------------------

Hi All!

A trojan was uploaded to a BBS here in Cape Town. The archive is as follows:

  Searching ZIP: RA_RIPER.ZIP - [bbs logo deleted in case they are innocent]

  Length  Method   Size  Ratio    Date    Time    CRC-32   Attr  Name
  ------  ------  -----  -----    ----    ----   --------  ----  ----
      95  DeflatN    91     5%  03-01-95  23:37  05eb5edf  --w-  FILE_ID.DIZ
    1287  DeflatN  1081    17%  03-01-95  23:34  307f5373  --w-  RA_RIPER.COM
   32768  DeflatN  7243    78%  12-05-93  07:00  9ad8c23a  --w-  RIPER.DAT
  ------          -----  -----                                   -------
   34150           8415    76%                                         3

The file_id.diz:

  Ripper v0.69
  Rip Editor for Remote Access
  Convert ANSI to High Res RIP
  Sets up in Minutes

This trojan appears to be a .bat file which has been compiled. It prints the first 2 lines above, then sets up a temporary file T^M^P^_$2.!!! into which it puts a "y". It then searches the current dir, and every dir on the path, for format.com, format.exe, and format.bat. If not found, it prints an error message and exits. If found, I assume it would do something like echo y|format c: /u, as the format c: /u part is visible as text in the .com file.

Regret I was not able to test this properly; tried giving it a fake format.bat and then a fake format.com, program gave errors and ended.

The uploader of course raved to the sysop about how wonderful this program was...

The .dat file has no executable code, must be a pretty screen or something. Tried TYPEing it, nothing recognisable..

From : Gary Snyder 1:301/36                        10 Jan 95 18:22:00
To   : All
Subj : McAfee's SCAN 2.+
----------------------------------------------------------------------

I've found a "bug" with versions 2.x and up, most noticeably with 2.1.3 and 2.1.4. On SOME computers, it will falsely detect a virus. Running SCAN multiple times will result in a different virus found each time.
McAfee engineers are trying to figure this one out as I write this message. They are starting to believe that this "anomaly" is BIOS related. If you have one of these computers, call David Perry at McAfee. His number is 1-408-980-3670. Tell him that you have one of these "anomalous" computers. He will offer to have you FedEx it to McAfee AT THEIR EXPENSE, so they can figure out this problem. I would perform a COMPLETE backup of your system before having it sent to McAfee though.

From : Graeme Slogrove 5:7107/9                    16 Jan 95 21:20:00
To   : Clive Jones
Subj : Crooks and things
----------------------------------------------------------------------

Hello Clive!

08 Jan 95 19:59, Clive Jones wrote to All:

 CJ> Please be aware that the following names are being used in
 CJ> fraudulent credit card transactions and I believe that the person
 CJ> or persons are also using illegal software.

[whoops - must have wiped the names by mistake :-( . Ian]

And anyone using the name JULIO ROODT is also using an illegal credit card number (calculates as valid via MOD 10 routines) to attempt to subscribe to boards. Anyone having this guy do it, please contact me.

Cheers!
Graeme

 * Origin: Fast! BBS, Sandton, RSA [011-706-1749] * Anti-Virus * (5:7107/9)

Date: Wed, 4 Jan 95 16:20:32 WET
From: Fridrik Skulason
Subject: ZONK ?

Has anyone ever heard of this ? [name of company deleted] has a machine on which every single file is named ZONK.WAV. The files seem to be intact, just renamed. A trojan, maybe ?

-frisk

Date: Fri, 6 Jan 95 17:35:41 WET
From: Fridrik Skulason
Subject: Viruses via WWW

The WWW virus site on http://www.cs.umr.edu/~rziegler/virus.html has now been shut down by the university administrators. The student had absolutely no permission to do what he had been doing.

-frisk

===================================================================

The flak surrounding Intel's debacle with the Pentium has started to subside.
In case you were wondering how to check if YOURS is ok, here is a formula:

  4195835 - ((4195835 / 3145727) * 3145727)

Should be 0. The flawed Pentiums will yield 256.

And not to be outdone, Microsoft has admitted that there is a bug in the calculator that comes with Windows. Try 750.35 - 750.3 or even 5.01 - 5.

===================================================================

Current versions of popular anti-virus software in SA:

  McAfee:       v 2.1.4e   America
  F-Prot:       v 2.16     Iceland
  ThunderByte:  v 6.31     Netherlands
  AVP:          v 2.1      Russia
  Dr Web:       v 2.0      Russia

Oliver Steudler of Dynamic Solutions reports cases of Exe_Bug, what looks like a new version of Bravo, and what appears to be some trojans. The trojans do nasty things to your hard disk and display right-wing propaganda.

Mitch Dove of Gas Software, Johannesburg reports cases of Exe_Bug.F, Exe_Bug, Michelangelo, Bravo, Exe_Bug.Hooker, and Parity_Boot.B.

Geoff Budge has left BSS, Cape Town. Virus problems are now handled by their office in Johannesburg.

There were press reports of Lixi, an MBR infector from the UK, and Hidenowt.

There was also a report from a SA distributor of a foreign anti-virus product, which had him stating that stealth and polymorphic viruses appeared in 1993 for the first time. Hoo boy. I hope he has caught up by now; these types of viruses are much older than that. He also claimed that users swopping public domain games are a major vector for the spread of viruses.

===================================================================

The only scanner test I have this month is rather old - but it was run on a relatively large 'zoo'. Note the version numbers.

ANTI-VIRUS SCANNER TEST NOTES AND SUMMARY ... 20 August 1994
============================================================

"Integrity checking" was not included in the tests. Each scanner was run in "first-time used" configuration.
The test subdirectories contain a raw collection of 4941 virus-infected files and trojans from the German virus research group, VirusTeknik.

   #  Company              Product      Version   Time    Rating
  --  -------------------  -----------  --------  ------  ------
   1  ESaSS-Thunderbyte    TbScan       6.23a      1:12   99.9%
   2  Frisk Software       F-Prot       2.13       3:23   91.1%
   3  KAMI Corp            AV Pro       2.00      12:55   89.3%
   4  H+BEDV GmbH          AVScan       1.66       5:31   85.4%
   5  Stiller Research     I-Master     2.22a      2:28   84.2%
   6  McAfee Associates    Scan         2.10       4:04   81.0%
   7  Datawatch Corp       Virex        2.94       6:26   78.4%
   8  McAfee Associates    Scan         1.17       8:19   78.4%
   9  Cybec                VET          7.711      2:49   78.3%
  10  Dr Solomon's S&S     FindVirus    6.55       4:04   73.0%
  11  Symantec             Norton AV    3.00       9:14   72.6%
  12  Leprechaun Software  VirusBuster  4.03.09    4:24   67.4%
  13  Trend Micro          PCScan       2.65       2:33   65.9%
  14  IBM                  IBM AV       1.02       5:01   65.2%
  15  Trend Micro          PCRXScan     1.10       2:18   41.6%
  16  NetZ Computing       InVircible   5.05       2:21   17.2%
  --  -------------------  -----------  --------  --------------
  17  Carmel Software      TNTVirus     8.95      FAILED TEST
  18  Central Point        CP AV        2.00      FAILED TEST
  19  Leprechaun Software  "V"          94.07     FAILED TEST
  20  Microsoft            MS AV        6.22      FAILED TEST
  21  Servile Software     Red Alert    1.50      FAILED TEST

Note 3: In fairness to InVircible's author I must point out that he has an unusual "generic" approach to anti-virus protection and claims that his scanner was deliberately programmed to recognize only a handful of "common" viruses. I am not convinced that this approach has any real merit.

=====================================================================

===================================================================

fin