COMPUTER SECURITY
*****************

Compiled, edited & written by Ian Douglas
FidoNet 5:7102/119   TopNet 225:2048/1   InterNet iandoug@aztec.co.za
April 1995 Edition
===================================================================

Major story award this month must go to the so-called Sound Card Virus. This virus, which was discovered in Cape Town this month, and appears to be locally written, takes virus-transmitted evil to new despicable levels. The virus infects .com and .exe files, and is not detected by any of the current scanners, even in heuristic mode. The virus is encrypted and uses fairly standard techniques to replicate.

This virus activates on 1 April of any year, at which time it checks if there is a sound card installed in the computer. If so, it immediately begins feeding subliminal messages to the sound card. Subliminal messages are messages at such low volume that you do not consciously hear them, but your subconscious does. The virus contains these messages in digitised form. The messages contain suggestions like "Kill!", "Steal! Steal!", "Rape Her!", "Worship Satan!", and others which I can't put in a family magazine. The voice used sounds like that of a 16 year old girl. The virus has been forwarded to overseas anti-virus authors.
===========================================================================

The OTHER major story of the month is naturally the havoc caused by Exe_Bug and Michelangelo, both of which activate in March, and make a mess of your hard disk. Oliver Steudler reports that this year was the worst it has ever been for Michelangelo. Together with Exe_Bug, he was getting 15-20 calls a day pleading for help. I also heard of some other victims, including machines at a prominent multinational computer company. No doubt many computer shops persuaded some victims that they needed a new hard drive, when all they needed was a reformat and restore.
Since the 6th (Mich trigger date) was a Monday, it was a really blue Monday for many people. An insurance company had 40 PC's trashed by Exe_Bug. A specialist paging service also got hit, which resulted in some key clients not being paged for medical emergencies.

* "This year has been the worst, without question," said Ken Coleburn, owner of a computer consulting firm in Tempe. His company fielded 140 calls this year, compared with about 30 last year. He suggested this might have been due to Michelangelo's birthday falling on a workday this year.

* RG Software Systems in Scottsdale, Ariz., which sells anti-virus software to large companies worldwide, was contacted by three prospective customers in other states Monday. They apparently had lost crucial computer data to Michelangelo, RG Software owner Ray Glath said.

"Even though Mich is a 'primitive' virus, & easily removable, I heard thru my girlfriend in Ohio that a city in Tennessee got hit bad with this virus. The short version is that it got into the network of a legal firm, & from there spread to every law firm in town & crashed all of their computers. She said that the news anchor had a hard time keeping a straight face while she read the story, & at the end broke down in giggles."

I also received other reports from around the country about Exe_Bug. BSS in Johannesburg reported up to 60 calls a day about Exe_Bug.
===========================================================================

From : Bob Falcon 1:273/907                          23 Feb 95 20:05:00
Subj : Money Virus ALERT !!!!!
---------------------------------------------------------------------

Hi All,

A Good friend of mine just got bit by the MONKEY Virus. It was contracted from RADIO SHACK PRE-FORMATTED Diskettes! So do yourself a favor, DON'T buy Radio Shack's PRE-Formatted Disks or RE-Format the disks B4 you use them!

Have a good one, Catchya later,
Bob Falcon (Co-Sysop Tower Wildcat!
BBS) (215-535-5816 Fidonet 1:273/907)
===========================================================================

"I have had people upload a program called LSZMODEM.ZIP which claims to be a fractal compressing Zmodem compatible Xfer protocol and claims to speed up Xfers by up to 1000%. I thought this was slightly suspicious and found the file to be a trojan. The file was uploaded about 17 times after 40hex.zip disappeared from the BBS."
===========================================================================

The Night Owl 15 CD has a virus on it, in a file which is supposedly a cheat for Doom 2. The virus, Taipan.666, is in NETCHEAT.EXE. It is PkLited; some scanners will not find it unless you first get rid of the PkLite. The virus contains the following text:

    DOOM2.EXE
    Illegal DOOM II signature
    Your version of DOOM2.EXE matches the illegal RAZOR release of DOOM2
    Say bye-bye HD
    The programmer of DOOM II DEATH is in no way affiliated with ID software.
    ID software is in no way affiliated with DOOM II DEATH.

It increases the length of infected files by 666 bytes. The same file is also apparently on the Doom II Mania CD-ROM.

From: Tom=Juno%ComputerSvcs%GWC@banyan.cccd.edu (Tom Juno)
Subject: Doom II virus

I recently purchased a CD at one of the computer "swap meets" and lo and behold, after using it, my Xtree Gold wouldn't quite function right. Eight of the XTP files had been invaded by the Doom II virus. A quick check with McAfee Scan 117 yielded nothing, but an ASCII search of my entire hard drive found the Xtree files. A similar search of the CD found the culprit in several EXE files. The name of the CD is "Doom II Mania!!! Vol 1" and is labeled as being from Tech Express Software in San Jose. Luckily the virus is just a file builder with a scary message, but will eventually affect the operation of the program containing the infected files. I searched for the text "bye-bye" and was quite successful at replacing the offenders.
The infecting files from the CD were several copies of SEE.EXE, XDOS.EXE, MAKEMAP.EXE, and DEICE.EXE.
===========================================================================

Be careful of using DOS Fdisk on drives that have non-DOS partitions - you could end up deleting the wrong partition. Fdisk does not always see these non-DOS partitions. IBM's OS/2 v2.11 of Fdisk introduced a new undocumented switch, FDISK /NEWMBR, which replaces the main boot record, including the partition table, with the backup copy that was automatically created.
=============================================================================

From: "Rob Slade, Social Convener to the Net"
Subject: McAfee and Monkey (PC)
Date: 7 Mar 1995 12:06:25 -0000

"I've just had another report from a user who had problems using the McAfee product to disinfect the Monkey virus. In this case, problems showed up after the disinfection, and an attempt to rectify them with Norton Disk Doctor only made things worse. Using the NDD "undo" function and a trip to a recovery outfit allowed recovery of "about half" the files on the computer."

Monkey is not yet rife here in SA, so it should not be a problem. Note also that no mention is made of version numbers for the McAfee software. However, there is a very good disinfector for the Monkey virus, called KILLMNK3.
=============================================================================

Snippets from the Net:

The Manchester Guardian Weekly (week ending March 4, 1995) reported that, in this year's Vienna Marathon, the runners will have to wear specialized computer chips buried inside (or attached to) their shoelaces. The purpose is to ensure that the runners stay on course. Last year, some took short cuts while an Italian rode some distance on the underground.
On a different matter, Cynthia Dwork of IBM Almaden wrote in ACM SIGACT News 26(1) (March 1995) that the authentication procedure using public-key systems in Lotus Notes, as described in its "Internals online book", has security flaws. Lotus's response is (1) the actual system does not work as described in the manual and (2) how it actually works is proprietary information.

A Lawrence Livermore National Laboratory employee was found innocent of misusing lab computers to store sexy photos. Accused of accessing 33 photos of bikini-clad women from an Internet site called "supermodels", the employee said he thought the photos were related to engineering. The employee has been promoted since the initial charges.
===========================================================================

[Article in Computing, 2 March 1995, front page]

Risk system comes too late to prevent Barings' collapse

Collapsed merchant bank Barings was only months away from installing a risk management system in its Far East offices which was intended to alert senior executives to gambles being taken with the company's money.

Barings, the UK's oldest investment house, was plunged into financial ruin last weekend when 28-year old Nick Leeson lost more than UKP 750 million of clients' funds on the Singapore derivatives exchange.

In January 1994, the bank began rolling out a communications architecture called BORIS (Barings Order Routing & Information System) to improve the processing of information about deals. Prior to this, Barings staff had used paper and fax machines to exchange information.

BORIS had gone live in London, Tokyo and New York, with Barings' Far East offices, including Singapore, set to follow by mid-1995. An extension to BORIS, dealing specifically with risk management, went live in London HQ in the last few weeks and was also set to be rolled out in the Far East in the near future.
Dealing in derivatives involves betting on the movement of shares on national stock exchanges and carries substantial risk of losing vast amounts of money. Frank Ranger, a director of City Consultants, said any system intended to manage that risk needs access to data from every market involved in the transactions. "There is a clear need to get consolidated information from products in some sort of control function," he said.

Peter Hynd, Barings' assistant IT director, was unavailable for comment, but sources believe the bank's existing settlement system contributed to the collapse. The Cash Risk Management system was supposed to flag cash positions, but if settlements were not processed according to the bank's procedures, it could not do so.
=============================================================================

"The one thing the Barings episode illustrates is the productivity for making losses has gone up very significantly in the last 25 years. You couldn't write the execution slips fast enough 25 years ago to lose as much money as was lost by one individual, aided by terrific technology."

Alan Greenspan, chairman of the Federal Reserve, quoted in *The New York Times*, 6 March 1995.
=============================================================================

My installer had reported a problem with a converter that he had just installed. (To aid in converter control, installers were issued only enough set top units to complete their scheduled installations for the day. Any problems encountered were referred to allegedly more trustworthy members of the technical staff.) This converter was equipped with an infra-red remote control device. When I arrived at the subscriber's home, the display on the converter was showing "7" and no matter what channel I attempted to turn it to, the converter always changed back to channel 7.
I installed another box, assuming that it would solve the problem -- CATV converters are notoriously unreliable despite what your local cable company might tell you. The new converter exhibited exactly the same behavior. Baffled, I stood next to the TV set scratching my head until I happened to turn towards the viewer's sofa and noticed sunshine glinting off the whirling, chrome-plated blades of an electric fan running by the window -- and a lightbulb went on inside my head.

Sure enough, when I turned the fan off, the problem went away. Turning the fan back on caused the problem to reappear. It seems that the moving blades of the fan were pulse-modulating the sunshine in exactly the right manner to confuse the infra-red receiver in the converter into thinking it was getting the "change to channel 7" command from the remote. I spent almost another ten years in the industry after that and never ran across that particular problem again.
=============================================================================

It appears that the Crisnet 'virus research' BBS has had their telephone number disconnected...
=============================================================================

From: bpb@stimpy.us.itd.umich.edu (Bruce Burrell)
Date: 14 Mar 1995 08:53:08 GMT

The Top Ten Reasons Why You Should Trash MSAV Yesterday:

10) Because it's a piece of junk.
 9) Because viruses can disable its TSR with but six bytes of code.
 8) Because Dr. Solly, F-PROT, AVP, and TBAV exist.
 7) Because it sucks MAJOR hose.
 6) Because AVP and TBAV are available as shareware.
 5) Because after *years* of complaints, they *still* don't encrypt their scan strings. Hence false positives abound when the TSR is active and other, competent AV packages are used.
 4) Because even MicroSoft doesn't use it.
 3) Because its detection rate is abysmal.
 2) Because F-PROT is free (!!) for non-commercial use.
 1) Because the only greater abomination possible on a hard drive is Windows.
===============================================================================

From: bretta@extro.ucc.su.oz.au
Subject: possible windows virus?? (PC)
Date: 16 Mar 1995 12:00:46 -0000

Is this a known virus? I am running Windows NT 3.5, and occasionally several screen icons are replaced by three (so far) different things:

1. A mushroom with "EAT" written on it
2. An orange with an arrow going to an apple
3. A flask with "DRINK XXX" or something on it.

They come and go sporadically, but (so far) no ill effects have made themselves apparent.
==============================================================================

From: chrisr@globalx.net (Chris Riordon)
Subject: Caution: Some copies of IBM's Disk Mgr 6.0.3 may be infected. (PC)
Date: 21 Mar 1995 21:52:48 -0000

IBM Canada shipped me a copy of Disk Manager 6.0.3 which permits users to manage DOS partitions larger than 1024 cylinders. It needs to be booted in order to work, and the floppy's MBR (Master Boot Record) and boot sectors contain, at no additional charge, a free copy of the Neuville (2KB) virus. I contacted IBM, and while their representative seemed very concerned, especially when I faxed him the details, they have not gotten back to me. The infection is hopefully local (this software was shipped by IBM Canada, likely from Montreal).

Moral of the story is... don't trust =anything= regardless of source.

Cheers, Chris Riordon.
===============================================================================

From: Klaus Brunnstein
Subject: Re: Does UNIX Virus Protection Exist? (UNIX)
Date: 23 Mar 1995 11:32:22 -0000

Contrary to some beliefs reported in recent Virus-L editions, it's pretty simple to write and install UNIX virii! Apart from Fred Cohen's original viruses which were tested on UNIX, there have been several publications of UNIX virii (not only Tom Duff's).
Transfer is not as easy as in PCs, where a given virus may be installed on different versions of MSDOS, as there are differences in the structure of UNIX programs on different platforms. But with some knowledge of the program structure of a given UNIX version, viruses may be easily adapted to infect related executables.

In two diploma theses, students here at VTC have tested the efficiency of infection mechanisms on a normal as well as on a "secure" (B2) UNIX AT&T System V version; as viruses attack integrity rather than confidentiality (which is measured in Orange Book criteria), we were not surprised that the UNIX viruses easily infected also files in the B2 system. Most of our test viruses were detected by normal integrity checkers; it was not the goal of such work to produce stealth viruses or viruses undergoing integrity mechanisms, so we did not aim at testing limitations of contemporary methods.

Summarizing our experiences, it's *not* difficult to write UNIX viruses. Virus distribution via program exchange would also work. Though about 10 UNIX viruses are known, they are not distributed, mainly due to psychological reasons. UNIX freaks seem to love their systems so much that they do not intend to destroy their work base; moreover, such freaks are so UNinterested in security (otherwise, they would not use unsecure UNIX!) that they don't think about its evident shortcomings! (Such reasons also apply to MAC freaks though their platform is much more user friendly than UNIX :-)

Regards Klaus Brunnstein (March 15, 1995)
===============================================================================

PORT HARDY, B.C. (CP) -- A Vancouver Island man who used his health card to steal $100,000 from a bank machine has been given a year in jail. Richard Lee Mose, 22, of Port Alice, B.C., was found guilty of theft in Campbell River court. A Bank of Nova Scotia official said a processing problem allowed Mose to use a non-bank card on an automatic teller.
With his health-care card, Mose completed several transactions over several hours and got $109,000. But the bank machine recorded the information stored on the health card, and police traced it back to Mose.
===========================================================================

The BBC news at 08.30 reported a slight problem which occurred on the morning of 15 Mar 1995 with the ultra high-tech, packed full of software and therefore utterly wonderful Airbus A340. Apparently on the final part of its approach to Gatwick, both the pilots' screens went blank, to be replaced by a polite little message saying "Please wait ...". Somewhat unnerved, the pilots requested that the plane turn left, but it turned right instead. They then tried to get it to adopt a 3 degree approach to the runway, but it chose a 9 degree plummet instead. At this point, from the report, they appeared to gain manual control and landed safely. It is not clear who will pick up the dry-cleaning bill.
===========================================================================

Date: Wed, 15 Mar 1995 10:58:37 -0500
From: "Lance A. Brown"
Subject: Re: Scientology Blackmail Risk (Vilkaitis, RISKS-16.91)

Postings on alt.security.pgp stated that Finnish authorities secured a warrant to seize the equipment the Finnish Anonymous Server runs on. The owner of the Server negotiated a deal with the authorities where he released the identity of _one_ user of the Server and the authorities didn't seize the equipment.

My understanding of the behind-the-scenes goings on is that the Church of Scientology is bringing copyright charges against one of its former ministers who is now a vocal critic of the CoS on the Internet. The sequence of events, as I understand it, is that someone used the Finnish Anonymous Server to post allegedly copyright material on USENET. The CoS asked the FBI to talk to Interpol who talked to the Finnish Police about getting the ID information of the anonymous poster.
Once this ID information was released by the owner of the Server it was immediately handed over to CoS people.

------------------------------

Date: Wed, 15 Mar 1995 09:40:35 +0000 (GMT)
From: jonsg@diss.hyphen.com (Jon Green)
Subject: Re: Scientology Blackmail Risk (Vilkaitis, RISKS-16.91)

Nonetheless, this does represent a worrying precedent. There are persistent rumours that the entire user base of at least one anonymizing service has been compromised by covert action by a security agency, and that's just the start. As has been pointed out elsewhere, any agency monitoring international communications (NSA in the US and GCHQ in the UK, to name two) should have little trouble matching anon ID with real ID if the message is in plaintext and the server in another country. Matching messages where the first leg is PGP-encoded (and the server decodes before retransmission) would be more difficult, but by no means impossible.

The only sensible conclusion is that anon remailers provide anonymity from your peers, not from the law. If you use them illegally, you may well be identified. Them's the breaks.
===========================================================================

Security experts are disdainful of the low level of programming talent displayed in the pirate program Credit Master, which generates phony credit card numbers. The program works by mimicking the simple "checksum" algorithm that creates the last four digits of a credit card; the checksum formula was developed merely to prevent data-entry errors and never meant to be high-tech security screening. Four college students were arrested last week in Nassau County, NY, charged with using a program to generate false credit numbers and order thousands of dollars of goods. The students then had the merchandise shipped to addresses staked out by the police -- a mistake almost as bad as using cheap programs.
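The card-number checksum the item above refers to is the Luhn mod-10 check digit. The validator below is an added example, not code from the newsletter or from the program it describes; it shows what the checksum does catch (a mistyped digit, most swapped adjacent digits) and the one swap it misses, which is why a number that passes says nothing about whether an account exists. The sample numbers are constructed, not real accounts.

```python
"""Luhn (mod-10) check-digit validation, the kind of checksum used on
payment card numbers.

Added example, not from the newsletter or from any program it mentions.
It shows what the checksum was built to catch (a mistyped digit, a swapped
pair of adjacent digits) and where even that fails, which is why passing
it proves nothing about whether an account exists or is authorised.
"""


def _digits(number: str):
    """Strip the spaces and hyphens people type; reject anything else."""
    cleaned = number.replace(" ", "").replace("-", "")
    if not cleaned.isdigit():
        return None
    return [int(c) for c in cleaned]


def luhn_valid(number: str) -> bool:
    """True if the number's digits satisfy the Luhn mod-10 check."""
    digits = _digits(number)
    if digits is None or len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:        # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9        # same as adding the two digits of the product
        total += d
    return total % 10 == 0


def single_digit_error_detected(number: str, pos: int, wrong: int) -> bool:
    """Replace the digit at pos (0-based from the left) of a valid number
    with `wrong` and report whether the check rejects the result.
    Luhn catches every single-digit substitution."""
    digits = _digits(number)
    if digits is None or not luhn_valid(number) or not 0 <= pos < len(digits):
        raise ValueError("need a valid number and an in-range position")
    if digits[pos] == wrong:
        raise ValueError("wrong digit must differ from the original")
    changed = digits[:]
    changed[pos] = wrong
    return not luhn_valid("".join(map(str, changed)))


def transposition_detected(number: str, pos: int) -> bool:
    """Swap the digits at pos and pos+1 of a valid number and report whether
    the check rejects the result. Luhn misses exactly the 09 <-> 90 swap."""
    digits = _digits(number)
    if digits is None or not luhn_valid(number) or not 0 <= pos < len(digits) - 1:
        raise ValueError("need a valid number and an in-range position")
    swapped = digits[:]
    swapped[pos], swapped[pos + 1] = swapped[pos + 1], swapped[pos]
    return not luhn_valid("".join(map(str, swapped)))


# Constructed sample numbers (not real accounts): both pass the check.
SAMPLE_VALID = "7992 7398 713"
SAMPLE_BLIND_SPOT = "123456709"   # ends in 09: swapping to 90 still passes


if __name__ == "__main__":
    print(luhn_valid(SAMPLE_VALID))                       # True
    print(luhn_valid("7992 7398 710"))                    # False: typo in last digit
    print(transposition_detected(SAMPLE_VALID, 9))        # True: 13 -> 31 caught
    print(transposition_detected(SAMPLE_BLIND_SPOT, 7))   # False: 09 -> 90 not caught
```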
(The New York Times, 19 Mar 1995, p.18)
===========================================================================

Is your cellular phone turned on? Then your phone is broadcasting your position every time it sends out its electronic "heartbeat." Some law enforcement agencies now have equipment that lets them home in on any cellular telephone they wish (similar technology was used recently to catch infamous computer criminal Kevin Mitnick). Perhaps that's the reason that the Israeli government recently ordered its soldiers along the border to stop using their cellular telephones to order late night pizzas: the telephone's radio signal could become a homing beacon for terrorists' missiles.

From: John R Henry <76655.2677@compuserve.com>
Subject: Triggerfish Cellular Phone Tap

There has been some discussion in recent issues of cellular phone monitoring in Pakistan. Nobody has mentioned that this technology is currently available off the shelf in the US from Harris Communications (Melbourne FL, address on request). The Harris "Triggerfish", from a photo in an ad, looks like a laptop computer with an extra box alongside. "Everything you need fits into a suitcase" in the words of the ad. It will allow collecting and analysis of dialed number statistics, identifying the telephone number when it is registered under another person's name or an alias, and developing usage patterns.

"Wiretap applications..... provide audio minimization, on/off hook logging, multiple tape recorder outputs and necessary intercept documentation. A headphone jack with volume control and alarm speaker allows the monitoring agent to intercept each and every communication." (From Harris brochure)

The brochure goes on for several pages but I think you get the idea. This is a wiretap in a suitcase. As it is listening to radio waves, there is no way of anyone, including the gov't, knowing when it is being used.
The Triggerfish is sold only to law enforcement agencies and is *supposed* to be used only with a court order permitting a wiretap. The risk is, who is to know if and how it is being used?

76655.2677@compuserve.com (John Henry)
===============================================================================

Snippets from the press:

Apple and IBM won the court case in which they were sued for allegedly causing RSI (repetitive strain injury) by bad keyboard design. IBM was happy because there are more than 300 similar cases against it, pending.

Apple also lost its cases against Microsoft and Hewlett-Packard. Apple claimed that MS and HP had stolen the 'look and feel' for Windows and New Wave from Apple.

Polaroid has announced a new security film for taking ID photos with. It has an invisible security pattern printed with ultraviolet ink. The pattern can be seen under UV light. Also, the picture forms an indestructible bond with the laminating cover - attempts to access the photo under the cover will cause irreversible damage, rendering the card useless.

In a rather strange way of doing things, the Software Publishers Association has targeted Singapore for an anti-piracy campaign. Singapore has the lowest piracy rate in Asia. However they have a strong legal system, and the SPA hopes to take advantage of that. Meanwhile, Indonesia has a piracy rate of 99%...

China has closed down 6 of its 29 plants making pirate CD's. The USA wants the remaining 23 closed down too...

Run Windows for Workgroups with sharing enabled. Install Microsoft's TCP/IP stack, and connect to the Internet. Then go to Connect, under the File menu, and see how many PC's are available to link to. Depending on how the security setups are, there could be hundreds. You can connect to them and access their hard drives at will. Microsoft says that this is an undocumented feature....

Blue Water Systems have released WinRT Real-Time Toolkit for Windows NT.
This allows you to access the I/O ports, memory, and interrupts directly. This blows away the whole concept of protection and security...

Computer journalist John Dvorak has warned that governments are likely to start cracking down on the online world - BBS's and the InterNet.

Compaq has teamed up with Conner, Seagate and Quantum, to produce a hard disk that will be able to alert its users to certain types of potential failure.

Hong Kong police raided and shut down 7 InterNet service providers. The suppliers were technically in contravention of telecoms laws. This left thousands of companies and individuals without access. There are hundreds of commercial and private BBS's in Hong Kong, most of which do not have permits either.

A Dutch 22-year-old student has become the first person to be convicted of computer cracking in The Netherlands. He got a 6 month suspended sentence and a fine of around R10 000. He broke into various government, corporate, and university computers.

The US state of Virginia is about to pass a law making it an offence to plant 'time bombs' in computer software. It just needs the governor's signature to become law. Not everyone in the industry thinks that it is a good idea. I, for one... how will they decide if a given piece of code is just buggy, or a deliberate attempt to do damage? Assuming they can get hold of the source code in the first place...

Microsoft's new product, Bob, which is a shell for Windows (which is a shell for DOS), has an interesting approach to security. If you enter the wrong password 3 times in a row, it gives you the opportunity to change the password to something 'easier to remember'....

A company called NextGen has surprised the world by introducing the first Pentium clone. Smaller, faster, more efficient, and 33% cheaper. They plan on rolling out a chip which is supposed to be P6 compatible later this year.
The Office for Serious Economic Offences told parliament that it is unable to investigate computer fraud, which makes up 80% of all serious economic crimes....

As reported previously, Fuji has created a diskette that can hold more than 100MB on a 3.5" diskette. However it is not yet commercially available. Meantime, Sony has released its MiniDisc Data system, which packs 140MB onto a 2.5" diskette, using magneto-optical technology. Sony is working with Hitachi on a new 3.5" diskette which will store 650MB (same as a CD-ROM). Maxell is working on new 'quadri-value' 3.5" diskettes that have the potential to store 1.3 to 2.6 GIGAbytes... imagine what size hard disks now become possible...
===========================================================================

Current versions of popular anti-virus software in SA:

McAfee       v2.20 (should be out by now. Else 2.17e)
F-Prot       v2.16d (2.17 might be out)
ThunderByte  v6.33
AVP          v2.1, data files 9503.

Oliver Steudler of Dynamic solutions reports many, many cases of Exe_Bug and Michelangelo. He lost count of the number of Mich reports. He was getting around 15-20 calls a day at the beginning of March.

Mitch Dove of Gas Software reports as follows:

Johannesburg   B1, Exe_Bug.A - 40 x floppy disk infection
               Michelangelo, V643, Mange-Tout.1099, Exe_Bug.A, Flip.2153.A - 10 x machine infection
Roodepoort     Michelangelo
Cape Town      Exe_Bug.C - 70 x machine infection, Bravo
Rustenburg     Tremor
Midrand        Exe_Bug.C
Krugersdorp    Stone.NoInt.A

Sorry, no scanner tests this month.

Oh yes, about that Sound Card Virus... April Fool! :-)
===================================================================
fin