COMPUTER SECURITY
*****************

Compiled, edited & written by Ian Douglas 26/02/95
FidoNet  5:7102/119
TopNet   225:2048/1
InterNet iandoug@cybernet.za (changing soon)
InterNet iandoug@hyper.active.co.za (changing soon)

===================================================================

Major story this month is a toss-up between Inkatha walking out of parliament, and Winnie's antics. However, since neither has anything to do with computers, we shall have to talk about something else :-)

It is that time of the year again - March. So what, you say? Well, Michelangelo activates on the 6th. On the 15th, Maltese Amoeba activates. And for good measure, Exe_Bug activates the whole month long. Please people, all three will make a mess of your hard disk, so please take the time to use a decent scanner and make SURE that you don't have any of these - they are all in the wild here in SA. Check that your CMOS is correct first; Exe_Bug messes with it...

===================================================================

From FidoNet, a warning for Doom players:

"I've discovered that the DOOM II DEATH virus is spread by a Doom cheater: D16CHEAT.ZIP - 8977 bytes -- 19-Dec-1994. I've disassembled the EXE file in this ZIP (D16FIX.EXE) and it is rather tricky. This dropper is ** NOT ** detected by any of the (to me) known anti-viral tools."

===================================================================

JU> BTW have you heard about any viruses on an Amiga ?? I don't seem to
JU> remember anyone who made a virus for it...

I remember one... a friend of mine had an Amiga... he said there was a virus that changed his pointer into something closely resembling a penis (which became erect whenever he clicked the mouse buttons)...
===================================================================

There was a story that Gene Paris, of the underground group NuKE in the USA, who made a 'name' for himself by taking over the FidoNet Virus conference last year and was jailed for various illegal activities, got out on parole. He left his state, which got him rearrested, and he is now back in jail.

===================================================================

A gentleman by the name of ZorPh1x (more or less) has set himself up as the phreaking king of South Africa, and has been producing the cutely named Southern Underground Digest, dedicated to the noble art of stealing money from Telkom. This filezine draws heavily on underground publications from the USA. He also had the cheek to publish (verbatim and without permission, along with his own sarcastic comments) an article I wrote for an anti-virus newsletter. He also goofed in ascribing articles to me which I did not write. So, to return the compliment, here is the only interesting article from all the issues of the SUD. It is about the so-called 'boxes', which are used to get free phone calls etc.

Name        Operation
====        =========
Acrylic     Steal Three-Way-Calling, Call Waiting and programmable Call Forwarding on old 4-wire phone systems. It will not work in South Africa because we have no 4-wire phone systems.
Aqua        Drain the voltage of the FBI lock-in-trace/trap-trace, or that is what they say, but this thing is bullshit.
Beige       Lineman's hand set
Black       Allows the calling party to not be billed for the call placed if the receiver of the call is on an electro-mechanical 7 exchange.
Blast       Phone microphone amplifier
Blotto      Supposedly shorts every fone out in the immediate area; will also only work on pulse exchanges. On an electronic exchange you will just blow a fuse or melt one wire.
Blue        Emulate a true operator by seizing a trunk with a 2600Hz tone (partially true)
Brown       Create a party line from 2 phone lines
Bud         Tap into your neighbor's phone line
Chartreuse  Use the electricity from your phone line
Cheese      Connect two phones to create a divertor
Chrome      Manipulate traffic signals by remote control
Clear       A telephone pickup coil and a small amp used to make free calls on Fortress Phones; we just don't have Fortress Phones in South Africa.
Color       Line activated telephone recorder
Copper      Cause crosstalk interference on an extender
Crimson     Hold button
Dark        Re-route outgoing or incoming calls to another phone
Dayglo      Connect to your neighbor's phone line
Divertor    Re-route outgoing or incoming calls to another phone
DLOC        Create a party line from 2 phone lines
Gold        Trace calls, tell if the call is being traced and can change a trace, but only on US systems with old CID.
Green       Emulate the Coin Collect, Coin Return and Ringback tones on US payphones.
Infinity    Remotely activated phone tap
Jack        Touch-Tone key pad
Light       In-use light
Lunch       AM transmitter
Magenta     Connect a remote phone line to another remote phone line
Mauve       Phone tap without cutting into a line
Neon        External microphone
Noise       Create line noise
Olive       External ringer
Party       Create a party line from 2 phone lines
Pearl       Tone generator
Pink        Create a party line from 2 phone lines
Purple      Telephone hold button
Rainbow     Kill a trace by putting 220V into the phone line (joke; try it and let Telkom kill you for blowing a fuse)
Razz        Tap into your neighbor's phone
Red         Make free phone calls from pay phones by generating quarter tones [on payphones that take quarters and are in the USA; just won't work in South Africa]
Rock        Add music to your phone line
Scarlet     Cause a neighbor's phone line to have poor reception
Silver      Create the DTMF tones for A, B, C and D
Static      Keep the voltage on a phone line high on pulse exchanges.
Switch      Add hold indicator lights, conferencing etc.
Tan         Line activated telephone recorder
Tron        Reverse the phase of power to your house, causing your electric meter to run slower
TV Cable    "See" sound waves on your TV [record it on video and play it back through your amp if you have time to waste]
Urine       Create a capacitative disturbance between the ring and tip wires in another's telephone headset [really funny joke, like those Doctor Hex tells all the time]
Violet      Keep a payphone from hanging up, NOT SOUTH AFRICAN PAYPHONES
White       Portable DTMF keypad
Yellow      Add an extension phone

Interesting that he knows which things won't work in SA.. :-)

BTW, please note that Telkom can do all sorts of nasty legal things to you, and cut your phone service, if you connect non-Telkom-approved equipment to their phone lines...

===================================================================

Some follow-ups to items covered in previous articles:

Perhaps you remember the story about the 'Good Times' virus? It allegedly spread when you read an 'infected' message on the InterNet. While many experts immediately said that this was impossible, the author was one step ahead of them, using a totally new mechanism for spreading the 'virus': people. While the message warned about the virus, the message *itself* was the virus - it instructed the reader to warn all his friends etc. So the gullible user forwards the warning message to all his friends, in the process spreading the 'virus'! :-) The message was spread all over the InterNet.

Also, many people were aware of the 'virus', and when they saw a message in their inbox with the dreaded subject line, immediately assumed it was the virus and deleted it without reading it. In reality it was most probably a warning message from a friend :-) It is also unusual for a virus to provide for its own destruction, and halt its own spread.

I received mail from David Herselman, sysop of The Lair, objecting to his inclusion in the list of 'underground' BBS's.
David insists that he does not carry any viruses on his system. He was also the victim of an underground attack on his previous BBS, Stalkers, about 3 years ago, which resulted in R2800 worth of mysterious phone calls and total system collapse. He is now using more secure BBS software... He wants nothing to do with the underground and others of their ilk.

Compuserve has asked other software developers to join it in developing a new 24-bit .GIF format, to replace the current 8-bit format. This format is to be 'free and open'. This is a result of Unisys claiming royalties on the use of its compression routine in the .GIF format.

===================================================================

The Americans are selling viruses again. The price seems to have dropped somewhat since Aristotle was selling his collection for US$100...

"Hiya everyone, I have over 4 megs of virii, and related paraphernalia. If anyone out there is interested, get in contact with me at the email address below. The price is $15.00. That might seem high, but these will be on disks, and this also includes shipping and handling. So if anyone out there wants a nice collection of sorted virii, I have what you are looking for."

Another group is selling a whole kit:

Welcome to The Viral Collector's Kit #1 by The Knights of Chaos
---------------------------------------------------------------

This collection was put together over the years by the members of The Knights of Chaos and is now presented to you as a part of our Viral Collector's Kit.

What you get in Viral Collector's Kit #1
----------------------------------------

You Get:

Virus Tools and Files
* 270 Viruses in our Numerical, A, B, and C Groups (BBS Ready!
  Pre file_id.diz'd)
* Nowhere Man's Virus Construction Lab
* Mad Maniac's Mutation Engine for Polymorphic Viruses
* Dark Slayer's Confusion Engine for Polymorphic Viruses
* GenVirus Construction Lab (French)
* KOH, An encryption virus for keeping your data secret
* 9 virus ASM files by Immortal Riot

Programs and Disassembling Tools
* A86 v4.00 Macro Assembler (Shareware)
* D86 v4.00 Debugger (Shareware)
* Disaster v1.0 Disassembler (Shareware)
* ASM Editor Three (Shareware)
* Nowhere Man's NowhereUtilities
* Detector, A Virus Strain detector
* CatDiz, A File_id.diz cataloging system (Freeware)
* Dizview, View Diz files within Zip Files (Shareware)
* UUENCODE & UUDECODE for sending us files via internet

Virus Scanners and Virus Signature Update Files
* VSUMX v4.10 Virus Summary Hypertext (Shareware)
* McAfee Scan v2.14E (Shareware)
* Latest Central Point Anti-Virus 2.x Signature Updates For Dos and Windows released 01/06/95
* ThunderByte Anti-Virus v6.31 with processor optimized EXE files.

Informational Texts and 'Zines
* Skism's 40Hex Magazine Issues 1 through 13
* Phalcon/Skism's Virus Texts 1 through 5
* Crypt Newsletter Issues 1 through 29 (missing issues)
* NuKE InfoJournals 1 through 8

Miscellaneous
* Knights of Chaos' PGP Public Key
* K-RaD README Hypertext intro (Be sure to read it!)

===================================================================

Date: Sun, 19 Feb 1995 15:45:38 +0200 (EET)
From: Mikko Hypponen
Subject: Australian tax office

I just heard a rumour that the Australian tax office was closed (on Friday?) due to a nation-wide infection of the 'No Frills 2.0' virus. Can anyone confirm or deny this information, or does anybody have more details on this?
===================================================================

Date: Wed, 22 Feb 1995 20:12:16 +0200 (EET)
From: Mikko Hypponen
Subject: F-PROT Gatekeeper - free test phase in progress

We are happy to announce that the free public test phase of our F-PROT Gatekeeper for Windows antivirus product has started today, the 22nd of February 1995.

F-PROT Gatekeeper is an antivirus application that runs in the background of MS-Windows and checks memory, accessed programs and boot sectors with the award-winning F-PROT Secure Scan technology - finding even the toughest polymorphic viruses and the most cumbersome high-level language viruses as soon as they are about to enter the system.

F-PROT Gatekeeper has been through three major revisions, all of which have been thoroughly tested by a closed beta tester group with more than 80 participants all over the world. We are confident that the technology we are using is highly compatible with any machine currently running Windows. However, in order to test Gatekeeper more widely in real-world situations and with as many different machines as possible, and also to get more feedback and comments, we are now starting a public test phase - everybody is encouraged to participate and try out the product for free.

To join in, retrieve a copy of the software from our FTP or WWW server. The archive contains more information and a time-limited copy of the software - the evaluation version will expire on the 1st of April, 1995.

To get a test version of Gatekeeper via FTP:
  Ftp to ftp.datafellows.fi, login: ftp, password: your e-mail, retrieve file /pub/gatekeep/gk-eval.zip (in binary mode)

To get a test version of Gatekeeper via WWW:
  Access page http://www.datafellows.fi/gk-eval.html with your WWW browser and choose the download link.

Please send requests for more information and all your feedback by e-mail to address feedback@datafellows.fi.
===================================================================

From: Abdulelah Al-Abbas
Subject: BEWARE of 'LOVE MODULE' Bitnet VM Worm (VM/CMS)
Date: 10 Feb 1995 11:16:02 -0000

In the past few days, a new "distributes itself to everyone in the NAMES file" Bitnet VM Worm has been spotted on our node (SAKAAU03), arriving to us from different other BITNET nodes. It's called 'LOVE MODULE'.

We've managed to extract the REXX source code from the MODULE file, and found out that it originated from Brazil (node BRUFPB) and does the following (when you run 'LOVE MODULE'):

1) Sends a copy of your 'userid NAMES' file to the following user in Brazil: 94112923 @ BRUFPB
2) Displays a message in the Portuguese language on your terminal screen. (see below - Ian)
3) Distributes itself ('LOVE MODULE') to all the users in your NAMES file.
4) Erases itself ('LOVE MODULE') from your disk.
5) Erases your 'userid NETLOG' file.

We're trying our best to stop the spread of this worm. For our node, we've warned all the users not to run it, and we've erased all the copies found in their RDR, but since this worm came to us from outside our node, this means that it might be spread on many other BITNET nodes.

So, if you're on a VM system connected to BITNET, and you get a copy of the file 'LOVE MODULE', **** DO NOT RUN IT ****, JUST ERASE IT.

***********************

This kind of "distributes itself to everyone in the NAMES file" worm is not new. There have been many Bitnet VM worms of the same idea but with different names scattered over BITNET in the past few years. Some of those that I can still remember are:

'XMAS EXEC'
'CHRISTMA EXEC'
'EID EXEC'
'RAMA EXEC'
'EMPIRE EXEC'
'VIPER MODULE'
'MADONNA MODULE'

But this one ('LOVE MODULE') has gone too far! It steals copies of the NAMES files of all the users who run it and sends them to the author of the worm! This is a CRIMINAL act!! It's like stealing somebody's personal telephone directory and looking at it.
The author of 'LOVE MODULE' MUST be punished!

Regards,
Abdulelah Al-Abbas

+----------------------------------+-----------------------------------+
| Abdulelah Al-Abbas               | E-mail: KAAUGULF @ SAKAAU03       |
| Node Administrator of SAKAAU03   |         CCA3612 @ SAKAAU03        |
| P.O.Box 1540, Jeddah 21441       | Phone: (966-2) 695-2772 Office    |
| Saudi Arabia                     |        (966-2) 695-2399 Office    |
+----------------------------------+-----------------------------------+

From another correspondent:

I'll translate the Portuguese message, so you know what it says:

-----------------------------------------------------------

PREZADO USUARIO TEMOS QUE LHE ENFORMAR QUE ESSE PROGRAMA NA VERDADE E UMA VIROSE QUE TEM COMO FINALIDADE PURGAR SEUS ARQUIVOS. APOS A SUA EXECUCAO NAO HA COMO DETE-LA E PORTANTO NESSE MOMENTO EM QUE VOCE LE ESSA MENSAGEM, NAO DEVE HAVER MAIS ARQUIVOS NA SUA CONTA............... OBRIGADO POR USAR A DESTRUTOR EXEC E LAMENTAMOS QUE TENHA PERDIDO TODOS OS SEUS ARQUIVOS. Obs.: NAO HA COMO SABER QUEM E O AUTOR DA REFERIDA EXEC UMA VEZ QUE ELA SE AUTO DESTROI APOS SUA

-------------------------------------------------------------

DEAR USER, I HAVE TO INFORM YOU THAT THIS PROGRAM IS A VIRUS WHICH HAS AS ITS OWN GOAL TO PURGE YOUR FILES. AFTER ITS EXECUTION THERE IS NO WAY TO DELETE IT, AND THEREFORE AT THIS MOMENT, AS YOU READ THIS MESSAGE, THERE ARE NO MORE FILES IN YOUR ACCOUNT .................. THANK YOU VERY MUCH FOR USING DESTRUCTOR EXEC AND WE WORRY ABOUT YOUR FILE LOSS. obs.: THERE IS NO WAY TO KNOW WHO IS THE AUTHOR OF THIS EXEC ONCE IT DESTROYS ITSELF.

===================================================================

From: Klaus Brunnstein
Subject: EU office distributes Galicia virus
Date: 14 Feb 1995 11:37:40 -0000

In December 1994, the European Commission's office for "dissemination of scientific and technical knowledge" distributed a diskette to more than 1,000 European information brokers, patent offices etc. containing a CORDIS News (in German) describing its RTD database etc.
This diskette contained a system (boot sector/MBR) infector which, besides displaying a message (on May 22nd, after noon: ";Galicia contra telefonica!"), also overwrites (unrecoverably) part of a diskette's boot library, and which attempts to format a disk's cylinder. Though this formatting will likely abort, due to a programming error, it is possible that formatting may succeed. Indeed, this virus is malicious and not funny. (For details, see appended VTC Malware Catalog entry).

It is even less funny that this EU office, when informed about its malicious gift to its customers, found it very hard to locate the source of the contamination; they could not even say whether it came from another EU office or from one of their PCs. Only after some time, they claimed to have found 2 potential leaks which their expert said they have now closed. This implies that for some time, EU's information dissemination was a permanent danger for its customers.

Even more ironically: this EU office belongs to EU's Directorate General (DG XIII) "Telecommunications, Information Market and Exploitation of Research", which (with its branch "B.6 Security of Telecommunications and Information Systems") is responsible for EU's IT Security Criteria (ITSEC), and which also participates actively in joint US/EU attempts to develop "Common Criteria". When informed about the malicious distribution by its sister office, the head of DG XIII's SOG-IS (Senior Officials Group - Information Security) informed the author that they don't share responsibility for maintaining proper security, as this is done by the European Commission's Office of Security (a typical bureaucratic approach :-).
Moreover, this very nice expert claims that "I recognize that such incidents will happen from time to time and that the responsibility ***falls equally on both sender and receiver*** to ensure that the most 'hygienic' procedures are used to avoid any unnecessary spread of 'infection'" (quoted from a reply of the SOG-IS chair; emphasis added by author). Finally, "controlling viruses is primarily a procedural rather than technical problem".

Both an evidently failing AntiVirus policy (if existing) and such expert opinion make it rather likely that similar incidents will follow. If I were a virus author (being a civil servant, I have NO CRIMINAL energy as I have NO ENERGY at all :-), I would dream of such large organisations (several 10,000 bureaucrats) with such "awareness". With their intellectual innocence, they'd surely help to distribute my virii if I only succeeded in infecting one PC!

Mildly shocked: Klaus Brunnstein (Feb. 11, 1995)

===================================================================

From: regrep@iinet.com.au (Gus Perger)
Subject: re: Infection via a .WK4 file? (PC)
Date: 14 Feb 1995 11:38:01 -0000

Infection through 'Mouse Device Driver' floppies.

We bought a batch of new MITSUMI serial mice, model ECM-S31Type, in sealed boxes. When we virus checked with McAfee v2.1.0 the mouse device driver (version 7.21) disks supplied with the mice, we got this: FORM_A infected, 'No remover currently available'.

===================================================================

From: ecd@cert.org (Edward DeHart)
Subject: CERT Advisory - NCSA HTTP daemon vulnerability
Date: Fri, 17 Feb 1995 18:07:07 EST

=============================================================================
CA-95:04                         CERT Advisory
                                 February 17, 1995
                                 NCSA HTTP Daemon for UNIX Vulnerability
-----------------------------------------------------------------------------

The CERT Coordination Center has received reports that there is a vulnerability in the NCSA HTTP Daemon V.1.3 for UNIX.
Because of this vulnerability, the daemon can be tricked into executing shell commands.

If you have any questions regarding this vulnerability, please send e-mail to Beth Frank at the NCSA, efrank@ncsa.uiuc.edu.

In a related story, crackers have developed a new technique called 'spoofing', whereby they send mail with a fake address, from the system they are attacking. The technique allows them to gain root access under some conditions, which allows them to do anything they like....

------------------------------------------------------------------------

[...] Using a new program, researchers say they are able to predict when a terminally ill person will die with more accuracy than doctors using their own judgment. The study could help doctors determine which treatments should be given to terminally ill patients and help decide when life-support efforts should be stopped.

``The computer remembers thousands and thousands of cases and keeps the different risk factors in perspective," said Dr. William A. Knaus of George Washington University. Knaus led the study, published in the Jan. 31 issue of the Annals of Internal Medicine.

``And when we included the survival estimate from the patient's own physician in the model, the two together predicted time until death more accurately than either alone," he said.

The program was developed from June 1989 to June 1991, using information from 4,301 patients. It was tested from January 1992 to January 1994 on 4,028 patients, Knaus said.

The program, called SUPPORT (Study to Understand Prognoses and Preferences for Outcomes and Risks of Treatments), focused on nine diseases and conditions, such as liver disease, colon or lung cancer, heart or lung disease and multiple organ failure. Knaus said he was confident that SUPPORT will prove reliable and eventually be expanded to predict death rates for other diseases.
Seriously ill patients with a projected life expectancy of six months were entered in the study when they were hospitalized. [...]

``Most adults say that if they are going to die within a year, they want realistic estimates of their risks, both in the immediate future and during the next few months," Knaus said. ``This predictive tool is important for its use for counseling very sick patients and their families."

However, not everyone agrees. Toby Gordon, vice president for planning and marketing at Johns Hopkins Hospital and Health Systems in Baltimore, said the program raises questions.

``Any information that helps us learn how to better take care of patients -- in quality of care and quality of life -- makes a contribution," Gordon said. ``But whether patients and their families will want to use it is questionable."

He also questioned the ramifications of being able to accurately predict death. ``In the expansion of computer-assisted technology we will see a proliferation of these techniques, bringing into question ethics and rationing of care," he said.

The authors warned that the project has not been tested outside the strictly controlled settings of teaching hospitals. Its reliability in conventional hospital settings has not been established, they said.

===================================================================

KCBS Radio (San Francisco) reported tonight that The Well and Netcom combined efforts, resulting in the arrest of 31-year-old hacker Kevin Mitnick in Raleigh, North Carolina. Both companies discovered large caches of data being stored on their systems. At the same time, "a well-known San Diego consultant" discovered security breaches in his system. This led to vigorous efforts to track the hacker, and after 24-hour electronic surveillance and at least one cellular phone trace, law enforcement officials arrested Mitnick.
Mitnick's early escapades are chronicled in the book _CYBERPUNK_ by Katie Hafner and NY Times reporter John Markoff, and, in fact, Mitnick is accused of breaking into Markoff's computer. Mitnick, a fugitive from justice, faces up to 30 years in prison for various crimes, including allegedly breaking into NORAD computers. Law enforcement officials are now wrestling with jurisdictional issues, as Mitnick is wanted for crimes in at least six different jurisdictions.

[See excellent articles by John Markoff in *The New York Times*, 16 Feb (TWO) and 17 Feb 1995. I could not begin to excerpt these three long articles, and of course cannot include them in their entirety. But they are very well done. PGN]

===================================================================

Thieves broke into a van and stole an Oregon woman's ATM card, and discovered her PIN number written on her Social Security card. They then made repeated withdrawals, covering 100 miles and visiting 48 ATM machines over a three-day period (Friday night - Monday 2 AM). They were able to get $346,700 in cash with the help of some questionable computer systems.

1) Ordinarily there is a $200 daily limit for withdrawals. However, "because of a computer program change at the Oregon TelCo Credit Union, the limit was not in effect that weekend."

2) When the account was down to zero, the thieves fed empty deposit envelopes into the machine and credited the account with bogus deposits of $825,000 -- and then made withdrawals against this sum.

Technology did work in at least one respect. At least 5 of the machines had taken photos of the people using the stolen card. Three persons are in custody and are facing Federal charges.

[From an AP report in the New York Times 12 Feb 1995.]

===================================================================

STOCKHOLM, Sweden (AP) -- Pedophiles have found a home on the Internet and exchange hundreds of pictures a week through anonymous conduits, a researcher said Monday.
The statistics provided a glimpse at the scope of the potentially illegal activity, which police fear can lure kids into sex. It came from a study by Mats Wiklund, a researcher at Stockholm University's Institute of Computer and System Science. During a seven-day period in late December and early January, Wiklund counted 5,651 messages or postings about child pornography in four electronic "bulletin boards."

The author makes the following key points:

* Many graphics showed what appeared to be "adolescents engaged in sexual acts." A few showed young children, apparently to attract the interest of other pedophiles.
* The messages tracked and counted were a fraction of the total traffic, since Wiklund was unable to track private e-mail and scanned only about half of the porn-related groups he knew of.
* Most of the pornographic messages were sent through the anonymizing server located in Finland.
* The Internet offers advantages to pedophiles: "The Internet has become a channel of communication for pedophiles," Wiklund said. "From their point of view, they've found a green technology. You can be anonymous and still be reached."
* Exchanging pornography electronically is a crime in many areas of the world: In most countries the distribution of child pornography is illegal. Two years ago, U.S. police raided about 40 locations where people were exchanging child pornography by computer. Two Danes were convicted in 1993 of transmitting child pornography to an estimated 6,000 people worldwide.
* 85% of the messages Wiklund scanned were fantasies about sex with children or technical tips on how to transmit pornographic pictures.
* Law enforcement officials are still unsure of how to handle this traffic: Finnish detective Sgt. Timo Laine said it was unclear whether the country's laws would apply to "electronic smuggling" by computer. He said he did not know whether police would take action against the computer owner in Finland.

"We've never had this kind of case before," Laine said. "If I transmit this information through the Internet, is it considered smuggling?"

M.E. Kabay, Ph.D., Director of Education, Natl Computer Security Assn (Carlisle, PA); Mgmt Consultant, LGS Group Inc. (Montreal, QC)

===================================================================

ONLINE SPYING

While you're connected to your favorite Web page, it's also connected to you, and could be copying all sorts of information off your hard drive, say industry experts. In fact, it happened last year when Central Point Software used registration software developed by Pipeline Communications, and inadvertently also gathered descriptions of the users' systems -- the type of microprocessor, the version of DOS and Windows, the type of display and mouse, and the amount of free space available on the hard drive. Customers squawked, and Central Point had Pipeline change the software. However, Pipeline reports that at least one of its clients is using the scanning feature now -- but only after getting the owner's permission. The lesson? "If you can't trust it, don't connect to it." (Forbes 2/13/95 p.186)

===================================================================

From: T.E.Thacker.Junior@lesueloc.com
Subject: Re: Mainframe Viruses? (IBM VM/CMS/etc)
Date: 25 Jan 1995 13:10:08 -0000

We actually had a mainframe virus at Illinois State University in the mid 1970's. It was called "Cookie Bear". Rumor had it that some rogue professor had planted it for some reason.

The virus took advantage of a loophole in the OS/VS operating system. Access to each 4K page frame was controlled by an access control word. Trying to access a frame with a control byte not your own would produce the infamous SOC/7 abort. (I'm doing this from 19-year memory so bear with me). Unfortunately this control word was actually a control byte! (The OS was designed during a time when 128kb was a LOT of core memory!)
All it had to do was randomly try page frames to catch frames matching its control number. It would then look for sequences it could bogart in Privileged Mode page frames to do its dirty work. It would then make several dozen copies of itself and tack it into the beginning of other programs.

Then it would perform its payload: it would randomly interrupt CICS and VTAM sessions and present a screen asking "Cookie Bear Want's a Cookie!". The user could clear the screen and continue - but their unsaved screen was lost. Ten minutes later it would ask again. Then five minutes. Then two. Then one. Then 15 seconds. It would get so frequent it would force the user to log off and seek another terminal.

The operators & managers couldn't catch it because it could move itself around and hide in "data" segments. (Mainframes at that time could and did intermingle code and data. In fact, the COBOL ALTER verb was an acquiescence to mainframe programmers that wanted to perpetuate their self-modifying code. The famous "Trap Door" was a Branch Around Never "NO-OP" instruction. The next instruction would overwrite the previous with a "Branch Around Always" instruction - slamming the door behind it. This was their way of performing a "first time only" section. In COBOL this became the instruction "ALTER PREV-PARA TO PROCEED TO AFTER-1ST-TIME-PARA.")

Anyway, nobody could figure out how to get rid of all copies of this thing and it was tying up all the terminals. Until......

One day a freshman who was entering source for a project got the message "Cookie Bear Want's a Cookie". He typed in the word "COOKIE". It said "NO! Cookie Bear Want's a Cookie!". He typed in "OREO". It said "THANK YOU! BYE!" and then proceeded to wipe every copy of itself it had made out of the system!

===================================================================

Snippets from the press:

Novell and Microsoft shut down the "Deadbeat BBS", run by a New Jersey, USA, teenager.
It was distributing more than 60 different software and beta-release packages from the two companies. The teenager agreed to pay US$25 000 in restitution.

The Business Software Alliance (BSA) and the Mexican Computer Software Industry Association busted four software pirates in one Mexican shopping centre. They used trademark infringement, rather than copyright infringement, as the legal reason for the raid. The penalties are higher.

Users of RM/Cobol in SA have been granted till 31 March to legalise all illegal copies of the software. They will also be able to upgrade at a reduced price.

In what was to me a rather embarrassing press release, BSS's Computer Virus Helpline reported 'a new highly infectious computer virus': Kaos4. Alert readers will immediately recognise the name from several months ago, when it was spread via one of the sex UseNet groups on the InterNet. It resulted in a few infections here in SA, more worldwide, and can hardly be classified as 'new'.

IBM has recalled some 150 000 Thinkpads worldwide, due to a possible fault in the AC adaptors. Only about 150 were affected in SA. If your AC adaptor is model AA19210, with a date code of 94XX, then you should get it checked. It will be replaced free of charge.

MasterCard have teamed up with Netscape Communications, who make the NetScape InterNet browser, to connect their private network to the world. This will allow anyone on the net to get authorisation on a MasterCard, and enable us all to do Electronic Funds Transfer.

The entry-level for hard disks, which was at 40MB when I got my first computer, has now moved up to 420MB. Maxtor has announced three new drives, storing 425MB, 850MB, and 1,2GB. The catch is that the 425MB has only ONE platter, the 850MB has two, and the 1,2GB has three platters. By comparison, my state-of-the-art Conner 420MB has 8 platters...

For the first time (almost) since PCs began, MS-Dos was not the top selling software in the USA in November 1994 (latest figures available).
The usurper? IBM's OS/2 Warp.

IBM also have pre-production PowerPC 610 chips running at 400MHz. This is about 5 times the power of a Pentium...

A new term has made it into legal history in the USA: CyberStalking. At least one case has already come to trial. Guess we will have to be careful with our e-mail in the future... :-) The issue is causing concern at some corporates in the USA.

===================================================================

Current versions of popular anti-virus software in SA:

McAfee: v2.14e
F-Prot: v2.16
ThunderByte: v6.32
AVP: v2.1

Oliver Steudler of Dynamic Solutions reports lots of Exe_Bug, as well as Slydell, Michelangelo, and Jerusalem.

Mitch Dove of Gas Software, Johannesburg, reports the following cases.

Burgersfort - Stone B
Cape Town - Exebug A
Jhb - Lulu
Jhb - Exebug B
Jhb - Stone standard
Kimberley - Stone standard
Paarl - Exebug and Stone standard
Jhb - B1 and Michelangelo
Krugersdorp - Exebug A
Randfontein - Exebug B

Anthony Naggs of the CSIR reports 'Exe_Bug everywhere'....

===================================================================

Scanner tests:

Patricia Hoffman's Vsum, January 1995. Note version numbers and dates first tested. Also note that there are over 5000 known viruses.

+---------------------------------------------------------------------+
| VSUM Virus Library Version: X501                 Date: Jan 31, 1995 |
| Total Viruses: 2,831      File Viruses: 2,739      Boot Viruses: 92 |
+-------------------------------+------+-------+-------+-------+------+
| VSUM Certified                | 1st  |  - Viruses Detected - | Tot  |
| Product Name & Version        | Cert | Total | Boot  | File  |  %   |
+-------------------------------+------+-------+-------+-------+------+
| DOS Based Scanning Products:  |      |       |       |       |      |
| ° Command Software's F-Prot   |      |       |       |       |      |
|   Professional 2.13           | X406 | 2,701 |    90 | 2,611 | 95.4 |
| Dr. Solomon's AVTK 6.69       | X411 | 2,721 |    90 | 2,631 | 96.1 |
| IBM Anti-Virus/DOS 1.07E      | X411 | 2,596 |    91 | 2,505 | 91.7 |
| McAfee Assoc ViruScan 2.1.4   | X501 | 2,719 |    92 | 2,627 | 96.0 |
| Norton Anti-Virus 3.05        | X501 | 2,147 |    86 | 2,061 | 75.8 |
| Sophos' Sweep 2.67            | X411 | 2,711 |    87 | 2,624 | 95.8 |
+-------------------------------+------+-------+-------+-------+------+

From an unknown source:

ANTI-VIRUS SCANNER TEST NOTES AND SUMMARY ... 5 December 1994
=============================================================

The test directories contain a collection of 4709 virus-infected files and Trojans from the German virus research group, VirusTeknik. The filenames are not fully correlated, and in many cases bear no resemblance to the actual virus names or Trojan names. There are NO duplicates (ie: no identical files under different names) in the collection.

+--+-------------------+-----------+---------+----+--------+
|# | Company           | Product   |Version  |Time|Rating  |
+--+-------------------+-----------+---------+----+--------+
|1 |ESaSS-Thunderbyte  |TbScan     |  6.30   |1:14| 100.0% |
|2 |Frisk Software     |F-Prot     |  2.15   |2:03|  93.4% |
|3 |H+BEDV GmbH        |AVScan     |  1.79   |1:04|  88.4% |
|4 |Stiller Research   |I-Master   |  2.31a  |1:09|  87.0% |
|5 |McAfee Associates  |Scan       |  2.1.3  |2:29|  85.8% |
|6 |VDS Adv. Research  |VDS        |  3.0q   |1:16|  82.3% |
|7 |KAMI Corp          |AVP        |  2.1b   |6:59|  80.6% |
|8 |Datawatch Corp     |Virex      |  2.94   |2:54|  80.1% |
|9 |McAfee Associates  |Scan       |  1.17   |5:57|  79.9% |
|10|Cybec              |VET        |  7.711  |1:06|  79.8% |
|11|Symantec           |Norton AV  |  3.00   |1:02|  76.7% |
|12|Dr Solomon's S&S   |FindVirus  |  6.55   |2:52|  74.8% |
|13|Trend Micro        |PCScan     |  4.02   |2:56|  74.3% |
|14|Leprechaun Software|VirusBuster| 4.04.03 |2:16|  70.2% |
|15|IBM                |IBM AV     |  1.02   |2:03|  67.4% |
|16|Trend Micro        |PCRXScan   |  1.10   |0:59|  43.3% |
|17|NetZ Computing     |InVircible |  6.01   |0:46|  10.8% |
+--+-------------------+-----------+---------+----+--------+
|00|Carmel Software    |TNTVirus   |  8.95   | FAILED TEST |
|00|Central Point      |CP AV      |  2.00   | FAILED TEST |
|00|Leprechaun Software|VB Lite    | 94.12   | FAILED TEST |
|00|Microsoft          |MS AV      |  6.22   | FAILED TEST |
|00|Servile Software   |Red Alert  |  1.50   | FAILED TEST |
+--+-------------------+-----------+---------+-------------+

In fairness to InVircible's author I must point out that he states that he deliberately programmed his scanner to detect only a few "common" viruses. (10.8% in this test.) InVircible relies on its ability to "clean" hard disk files after they have been infected.

To which Zvi Netiv, author of InVircible, produced his own ratings:

SCANNERS FIGURE OF MERIT RATING
===============================
by Zvi Netiv, NetZ Computing

Weighted rating = (A + B + C) / 3

A. Confidence level, in percents (the Conf column)
B. Percent of viruses that can be removed (the Rem% column)
C. Number of viruses handled (percents) (the #det column)

+--+-------------------+-----------+---------+----+----+----+------+------+
|# | Company           | Product   |Version  |#det|Rem%|Conf|Rating| Corr.|
|--+-------------------+-----------+---------+----+----+----+------+------+
|1 |KAMI Corp          |AVP        | 2.1b    | 80 | 75 | 99*| 84.6 | 90.6 |
|2 |Dr Solomon's S&S   |FindVirus  | 6.55    | 74 | 75 | 99*| 82.6 | 90.3 |
|3 |Frisk Software     |F-Prot     | 2.15    | 93 | 70 | 70 | 77.6 | 78.3 |
|4 |NetZ Computing     |IVscan     | 6.01    | 11 | 98 | 99*| 69.3 |      |
|5 |McAfee Associates  |Scan       | 1.17    | 79 | 20 | 20 | 39.6 |      |
|6 |Stiller Research   |I-Master   | 2.31a   | 87 |  0 | 30 | 39   | 35.3 |
|7 |McAfee Associates  |Scan       | 2.1.3   | 85 | 15 | 15 | 38.3 |      |
|8 |ESaSS-Thunderbyte  |TbScan     | 6.30    |100 |  0 |  2 | 34   | 32   |
+--+-------------------+-----------+---------+----+----+----+------+------+

(*) Note: Scanners marked "*" use deception resistant algorithms.

The number of detected viruses in the above table is based on the tests with 4709 samples above, based on a collection that is favorable to Tbscan, hence its 100% rating in the category of the number of detected viruses. Using a more objective source, like Vesselin Bontchev's tests from July 94 (AVP - 98%, Findviru - 97%, Tbscan - 94%, F-Prot - 95%, I-M - 76%), would yield corrected ratings as on the righthand side of the table.

===================================================================

fin
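Added example, not from the newsletter and not NetZ Computing's code: the Python below recomputes Netiv's weighted rating from the rows of his table, derives the Corr. column from the Bontchev detection figures he cites, and orders the same eight scanners by weighted rating and by raw detection alone. The short product labels are my shorthand for the table rows, and the truncation to one decimal is inferred from the printed values (AVP's exact mean is 84.67, the table prints 84.6).

```python
# Added example (not part of the newsletter, nor NetZ Computing's code):
# recompute Zvi Netiv's figure-of-merit table and compare the orderings
# that different metrics produce for the same eight scanners.
from dataclasses import dataclass
from math import floor


@dataclass(frozen=True)
class Scanner:
    product: str
    detected: int    # C: #det  - percent of the 4709-sample set handled
    removable: int   # B: Rem%  - percent of viruses that can be removed
    confidence: int  # A: Conf  - confidence level, in percent


# Rows transcribed from Netiv's table (#det, Rem%, Conf); labels are mine.
SCANNERS = [
    Scanner("AVP 2.1b",        80, 75, 99),
    Scanner("FindVirus 6.55",  74, 75, 99),
    Scanner("F-Prot 2.15",     93, 70, 70),
    Scanner("IVscan 6.01",     11, 98, 99),
    Scanner("Scan 1.17",       79, 20, 20),
    Scanner("I-Master 2.31a",  87,  0, 30),
    Scanner("Scan 2.1.3",      85, 15, 15),
    Scanner("TbScan 6.30",    100,  0,  2),
]

# Detection percentages Netiv quotes from Vesselin Bontchev's July 94 test;
# the other three scanners have no figure there, so they get no Corr. rating.
BONTCHEV_DETECTION = {
    "AVP 2.1b": 98,
    "FindVirus 6.55": 97,
    "TbScan 6.30": 94,
    "F-Prot 2.15": 95,
    "I-Master 2.31a": 76,
}


def figure_of_merit(conf, rem, det):
    """Weighted rating = (A + B + C) / 3, truncated to one decimal.

    Truncation rather than rounding is an inference from the printed
    table: AVP's exact mean is 84.67 but the table shows 84.6.
    """
    return floor((conf + rem + det) * 10 / 3) / 10


def ratings(scanners=SCANNERS):
    """Product -> Rating column, using #det as C."""
    return {s.product: figure_of_merit(s.confidence, s.removable, s.detected)
            for s in scanners}


def corrected_ratings(scanners=SCANNERS, detection=BONTCHEV_DETECTION):
    """Product -> Corr. column, only for scanners with a Bontchev figure."""
    return {s.product: figure_of_merit(s.confidence, s.removable, detection[s.product])
            for s in scanners if s.product in detection}


def rank_by_merit(scanners=SCANNERS):
    """Products ordered by weighted rating, best first (Netiv's # column)."""
    table = ratings(scanners)
    return sorted(table, key=table.get, reverse=True)


def rank_by_detection(scanners=SCANNERS):
    """Products ordered by raw detection alone, best first (the 5 Dec view)."""
    return [s.product for s in sorted(scanners, key=lambda s: s.detected, reverse=True)]


if __name__ == "__main__":
    corr = corrected_ratings()
    for product, r in ratings().items():
        print(f"{product:16} rating {r:5.1f}  corrected {corr.get(product, '-')}")
    print("by merit:    ", rank_by_merit())
    print("by detection:", rank_by_detection())
```

Running it reproduces every Rating and Corr. value in the table, and the two orderings make the point of the exchange above: TbScan is first on raw detection and last on the weighted rating, purely because the formula gives confidence and removal the same weight as detection. When a figure of merit comes from a vendor who is also in the table, recompute it and check which column is doing the work before reading anything into the order.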