COMPUTER SECURITY
*****************

Compiled, edited & written by Ian Douglas
InterNet iandoug@aztec.co.za
July 1995 edition

===================================================================

Major news story was undoubtedly the sudden, unexplained outbreak of the notorious 'Car.Hooter' virus. The Car.Hooter virus causes spontaneous and erratic sounds to come from car hooters. This virus, which had previously only been detected around midnight on 31 December of any year, sprang up spontaneously all around South Africa soon after 5 pm on Saturday, 24th June.

Computer scientists were at a loss to explain this sudden, country-wide outbreak. They did however note that it was also a NEW variant, which caused cries of "Bokke! Bokke!" to be emitted from humanoid output devices. While previous outbreaks of the Car.Hooter virus usually only lasted about an hour, this outbreak continued for over 16 hours in some areas.

A rumour circulating in the underground links the outbreak to some obscure competition, in which tens of thousands of people pay obscene amounts of money to watch grown men (who should be old enough to know better) spend 80 minutes fighting over a piece of leather. Curiously, the virus outbreak is also linked to South African Breweries achieving record-breaking sales.

===========================================================================

News is a little scarce this month - two of my main sources on the net went silent as the moderators went on vacation.

=============================================================================

A gentleman from the underground (bless him) decided that since everyone was now aware of the 'Good Times' 'virus', it was time to create a new wave of panic. So he came up with a nicely faked CERT advisory, about a 'new virus which attacks HTML files'. This is the file format used on the World Wide Web. CERT is an organisation which regularly posts warnings of genuine hazards to safe computing.
They are now PGP-signing all their posts. A portion of the fake warning follows:

CA-95:07                        CERT Advisory
                                May 18, 1995
                                World Wide Web Virus Attacks
-----------------------------------------------------------------------------

The CERT Coordination Center has received reports of attacks in which a potentially very dangerous virus is replicating and causes attacks on WEB sites as well as other targeted systems at an alarming pace. This revolutionary new virus is a multi-platform virus which has already infected UNIX, DOS, OS/2 and MAC based machines. We have named this the WEB virus.

In the current attack pattern, the virus is attaching and hiding its presence by infecting the HTML file of a URL using a rare and undocumented feature of the HTML language. Its presence is very well hidden by dynamically modifying the kernel of a Sun 4.1.X system once the HTML has been infected. Note: that although the virus is infecting the kernel on SunOS 4.1.X systems, infections are not unique to the SunOS making this a very powerful and insidious virus. Kernel infections of LINUX, MSDOS 6.2, MAC 7.5 and OS/2 Warp have already been reported.

THE WEB VIRUS IS A VERY DANGEROUS SECURITY THREAT! IT IS OUR RECOMMENDATION THAT ALL WEB SITES BE TAKEN DOWN IMMEDIATELY TO PREVENT FURTHER SPREADING OF THIS VIRUS AND ALL USERS SHOULD CEASE ANY VISITS TO ANY WEB SITES UNTIL WE HAVE RELEASED A FIX FOR THIS VIRUS. IN ADDITION IT IS OUR RECOMMENDATION THAT ALL HTML FILES BE IMMEDIATELY DELETED.

As we receive additional information relating to this advisory, we will place it, along with any clarifications, in a CA-95:07.README file. CERT advisories and their associated README files are available by anonymous FTP from info.cert.org. We encourage you to check the README files regularly for updates on advisories that relate to your site.

------------------------------------------------------------------------------

I. Description

This description summarizes all that we know at this time regarding the WEB virus. The technique used by the virus to hide itself and to replicate will NOT be described in detail as of yet until we have a solution in place in order to prevent copy-cat writers. A fix is currently being tested.

This new virus actually replicates and hides its presence using an undocumented and very rare feature of the HTML programming language therefore allowing it to be the first multi-platform virus. We have discovered strains of the virus on UNIX, LINUX, MSDOS, PCDOS, OS/2 Warp, Windows, Windows NT and MAC operating systems so far.

The virus is quite difficult to locate and identify because it is encrypted (a few times) using a random key and because of the unique way it is attaching itself to the host HTML file. We believe that the author may be from Finland. Some of the text that is NOT encrypted but not always displayed is

Keej0 June 30, 1995.,. Burn@monitor.now &*#42.,.? /Track 0

The virus operates in the following manner.

1. As soon as a user opens up an infected HTML on a UNIX based machine, the virus uses a very clever binary expansion technique to query the remote system and determine the type of operating system present on the remote system.

2. Once the operating system type is determined by the virus, it transfers an infected 'system specific' copy of the virus to the remote machine. This system specific copy can only infect other machines with the same operating system using a kernel infection technique. If the remote system is UNIX based, then the whole body of the virus is transferred. If the remote system is a MAC then only the MAC specific body of the virus is transferred and a MAC-only infection is possible from this infected machine. In addition to infecting the kernel, the virus will make changes to the HTML file using an undocumented command to allow further infections. This change to the HTML file is virtually invisible to the user and checksumming techniques will not detect any change to these files.

3. The transfer of the virus actually takes place during the screen write process and with a closer examination of this process, one can observe a slower than usual screen update. This slow process is a telltale sign that you are infected.

4. The virus now is active and will infect any other machines connected to it and also by any attempt to access an HTML file on that machine.

II. Impact

Currently, we have identified over 500 separate infections in the past two days. Potential damage to a machine is unknown at this time but very probable due to the complexity of the virus. However from the information we have seen so far, this attack could be extremely crippling to many machines and environments worldwide. We are not sure if the date found in the body of the virus is related to any actions or events that may be triggered by the virus.

[rest cut]

===========================================================================

Follow-up to last month's article about libel suits in cyberspace:

"The first libel action of its kind in Britain, in which I sued Phillip Hallam-Baker in the British High Court of Justice in London, England (Queen's Bench Division 1993 G 2819), has been settled by the payment of a sum of money into court by Hallam-Baker.

"I brought the action against Hallam-Baker over Usenet articles in which a number of false allegations were made about me, most of which concerned my employment history in High Energy Physics research. Hallam-Baker did not plead justification in his defence (ie. he did not attempt to claim that the false and defamatory statements were true).

"I did not bring this action to make money, contrary to suggestions made elsewhere, but in order to vindicate my reputation. Accordingly, as the payment into court vindicates me and represents a victory for me, I have accepted it.
In addition to his payment in, Hallam-Baker will be required to pay my "taxed" legal costs (taxing = process by which the court checks the solicitor's fees against the allowed scale of charges) and he has of course to pay his own legal costs. As the action was well advanced by the time Hallam-Baker made his payment into court, costs are likely to be very substantial."

Laurence Godfrey

===========================================================================

********************** Important Notice **********************

Some joker out there is distributing a file called PKZ300B.EXE and PKZ300B.ZIP. This is NOT a version of PKZIP and will try to erase your harddrive if you use it. The most recent version is 2.04G. Please tell all your friends and favorite BBS stops about this hack.

Thank You.

Patrick Weeks
Product Support
PKWARE, Inc.

**************************************************************

===========================================================================

Date: Sun, 18 Jun 95 20:51:25 BST
From: peter@aldie.co.uk (Peter Ilieve)
Subject: Bank computer develops costly crush on Fiona

That was the headline on a piece in *The Times* (London) on 15 June 1995 about a Barclays Bank computer system that deals with loans and mortgages to bank staff. It was running a new accounting system, and it refused to generate monthly repayments for more than 100 staff named Fiona. Nobody else was affected, including a Ffyona. Numerous Fionas were sufficiently honest to contact the bank and ask why their repayments hadn't been deducted. It isn't clear how long the lucky Fionas would have had their repayment holidays if some of them hadn't owned up.

The bank is adamant no hacking was involved. A spokeswoman blamed `a blip' and added, `Our systems people say that they knew how to solve the problem even if they could not explain what precisely had caused it.'
===========================================================================

Date: Fri, 16 Jun 95 08:30:38 EDT
From: mstalzer@etsd.ml.com (Mark Stalzer)
Subject: Re: The New York subway crash (PGN, RISKS-17.17)

As reported in the June 16 New York Times, further investigation of the 5 Jun 1995 NY subway crash (which killed the motorman and injured 54 people) indicates the distance between signals is shorter than the stopping distance of a modern train. Speculation right after the accident had focused on a possible emergency brake failure. However, even with the brake engaged, tests showed it takes approximately 360ft for the train to stop. Unfortunately, the rear of the forward train was only 288ft from the signal. It now appears that the motorman ran the red signal, which tripped the emergency brake and slowed the train from about 32mph (the maximum speed after climbing the hill leading to the crash area) to 14-18mph at the time of impact.

The signal spacing was set in 1918 when trains were shorter, lighter, and slower than modern trains. The Transit Authority has been upgrading the trains without upgrading the control system. A familiar RISK.

The immediate response has been to limit speeds on the section of track where the accident occurred. When a TA official was asked if speeds will be reduced in other areas, the official said "we don't know where the potential trouble spots are." I guess we're just going to wait for more accidents to find the areas that need fixing. Another familiar RISK.

===========================================================================

Date: Mon, 12 Jun 95 12:10:30 -0400
From: Chuck Weinstock
Subject: Re: 59-Story Crisis: The Risks of Unions

One of the risks that continues to haunt me from that article (and apparently others as well since my mother mentioned it to me when we discussed the article) is this:

(The people in charge of repairs to the building had installed strain gauges connected by wire to readouts in the main office.)
One time, the readings went off the chart, then stopped. This provoked more bafflement than fear, since it seemed unlikely that a hurricane raging on Lexington and Fifty-third Street would go otherwise unnoticed at Forty-sixth and Park. The cause proved to be straightforward enough: When the instrumentation experts from California installed their strain gauges, they had neglected to hire union electricians. `Someone heard about it,' LeMessurier [the building designer] says, `went up there in the middle of the night, and snipped all the wires.'

===========================================================================

Date: Thu, 15 Jun 95 20:01:01 EDT
From: ark@research.att.com
Subject: Internet gambling

I remember once reading a paper with a synopsis something like this:

This paper is in two parts. In Part 1, we prove that it is impossible to play a fair game of telephone poker. In Part 2, we give an algorithm for playing a fair game of telephone poker.

The apparent paradox, of course, was that the algorithm in Part 2 was actually unfair with a probability that could be made as small as desired by making the crypto keys long enough.

===========================================================================

There were allegations that Windows 95 includes a small 'agent' that scours your hard drive and builds up a report of your hardware and software. If you happen to log onto the coming Microsoft Network, this information will then be transmitted to Microsoft. Microsoft denied the allegations.

Windows 95 is still scheduled to ship on 24th August, complete with several thousand bugs. At least a few thousand are of the "can't fix, won't fix" variety.
Scorecard for Windows 95 development team:

Product                  to date      target
=======                  =======      ======
cups of coffee         2 283 600   1 096 850
trips to restaurant      102 360      98 340
doughnuts                 13 800      14 900
pounds of popcorn          4 850       5 100
meals                        503         552
babies born                   63          95

Meanwhile, a consumer lobby group has taken Microsoft to court for fraud: they claim that Windows 95 will not run on 386's with only 4MB RAM, as Microsoft advertises it will. They want sales of Windows 95 banned unless Microsoft labels the system requirements accurately.

===========================================================================

There was another spam on the internet:

************************************************************
*                  a FAQ regarding the                     *
*                   LONELY LILY SPAM                       *
*             June 2nd, 1995, version 2.0                  *
*        from the pobox.com system administrator           *
************************************************************

This document was prepared as a form response to the many letters received as a result of the "Lonely Lily" spam. It was posted all over Usenet around 17:53 Hong Kong Time (0953 GMT, I think) on May 31st, 1995. The latest news indicates that it has been gatewayed to mailing lists as well. This is a tad worse, now, because the header information that pins the blame on hk.super.net and asiaonline.net is now gone, so it looks like pobox.com is the sole originator.

The spam:

|
| My friend Lily lives in Hong Kong, like me. She loves
| to receive phone calls from foreign men. She does
| not have computer, so I am sending this message for her.
|
| If you want to call her and you are in the United States
| the number is [number deleted]. Callers
| from other countries need to put the international
| code then [number deleted].
|
| No e-mail please.
|
| Sylvia Wong
|

The number given is a pay-for-call sex line in Hong Kong.

There should be a copy of the complete FAQ included in this copy of RobList.
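Returning to the 'Internet gambling' item above: the telephone-poker paradox is resolved by commutative encryption, where two players deal cards to each other with neither one (and no dealer) seeing the other's hand. What follows is an added example, not code from this newsletter or from the paper the contributor recalls. It uses an SRA-style scheme (cards encrypted as m^e mod p, which commutes across players' keys) with a toy 61-bit prime and a constructed card encoding; both are assumptions made for illustration.

```python
import random
from math import gcd

# Constructed toy parameters. P is the Mersenne prime 2^61 - 1; the protocol's
# fairness rests on the key size, so a real deployment uses a far larger prime.
P = (1 << 61) - 1
# 52 cards encoded as the integers 2..53 (0 and 1 are fixed points of m^e mod p,
# so they must never be used as card values).
DECK = list(range(2, 54))


def make_key(seed, p=P):
    """Return (e, d) with e*d == 1 (mod p-1), so that (m^e)^d == m (mod p)."""
    rng = random.Random(seed)
    while True:
        e = rng.randrange(3, p - 1)
        if gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)


def encrypt(m, e, p=P):
    """Commutative encryption: E_a(E_b(m)) == E_b(E_a(m))."""
    return pow(m, e, p)


def decrypt(c, d, p=P):
    return pow(c, d, p)


def deal(hand_size=5, seed=None):
    """Deal two hands with no trusted dealer. Returns (alice_hand, bob_hand).

    One rng stands in for both parties' randomness in this demo. The comments
    list every value that crosses the wire so the reader can check what each
    side could learn from it."""
    rng = random.Random(seed)
    ea, da = make_key(rng.getrandbits(64))
    eb, db = make_key(rng.getrandbits(64))

    # 1. Alice -> Bob: every card under Alice's key, shuffled. Bob cannot read
    #    any of them, and Alice cannot tell which ones he will choose.
    deck_a = [encrypt(m, ea) for m in DECK]
    rng.shuffle(deck_a)

    # 2. Bob -> Alice: the cards he picked for her, unchanged. Only Alice can
    #    open them; Bob never sees their faces.
    picks = rng.sample(range(len(deck_a)), 2 * hand_size)
    for_alice = [deck_a[i] for i in picks[:hand_size]]
    alice_hand = sorted(decrypt(c, da) for c in for_alice)

    # 3. Bob -> Alice: his own picks with his key added on top. Alice strips her
    #    layer and returns m^eb mod p, which she cannot open without db.
    for_bob = [encrypt(deck_a[i], eb) for i in picks[hand_size:]]
    stripped = [decrypt(c, da) for c in for_bob]
    bob_hand = sorted(decrypt(c, db) for c in stripped)
    return alice_hand, bob_hand


def valid_deal(alice_hand, bob_hand, hand_size=5):
    """Both hands are real cards, of full size, and share no card."""
    a, b = set(alice_hand), set(bob_hand)
    return (len(a) == len(b) == hand_size
            and a <= set(DECK) and b <= set(DECK)
            and not (a & b))


if __name__ == "__main__":
    a, b = deal(5, seed=1995)
    print("Alice:", a, "Bob:", b, "valid:", valid_deal(a, b))
```

The residual unfairness the contributor mentions shows up here as key size: with this toy prime a cheater could brute-force the exponents, so the modulus must be large enough that this is infeasible. Plain SRA also has a known leak (m^e with odd e preserves whether m is a quadratic residue mod p, so a player can learn one bit about each face-down card); a production scheme has to address that as well.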
===========================================================================

Snippets from the press:

A new threat appears in Cyberspace: kidnapping and abduction. Recently two teenagers in the USA ran away from home after striking up friendships with strangers on the internet. The dictum taught to children of "Don't talk to strangers" is ignored on the internet, where talking to strangers often IS the whole idea. Another problem on the net is that you cannot see or hear who you are talking to, and people sometimes fake their names, ages, and sex. That friendly '16 year old girl' you are chatting up could be a 45 year old man... One 16 year old boy wandered into a gay/lesbian chat area, and ended up running away to join a man he met there. He was dumped after a few weeks. A 13 year old girl ran away to be with another man she met on the net. He had promised her that in California, "we can run around our room naked all day and all night."

The USA legislature is trying to police the internet, by outlawing 'smut', 'pornography', etc. However there is disagreement between the Senate and the House of Representatives on the issue. The upcoming presidential election next year is part of the problem.

A new product, SurfWatch, runs alongside WWW browsers, news readers and FTP clients, and can be set to filter out obscene material from the internet. Information available at http://www.surfwatch.com/

Scientists fighting the Ebola virus outbreak in Zaire are using the internet to transmit data to researchers in SA and the USA.

A judge in New York has ruled that online service provider Prodigy is liable for the content of its subscribers' messages, because Prodigy acts as a publisher and not just a carrier. This has horrendous implications: it will require Prodigy to censor each and every message posted, private or not. What an awful waste of manpower, and invasion of privacy. Prodigy is appealing the decision.

Singapore still continues to censor and police the internet. The Singapore Broadcasting Authority has to make sure the country's theft and libel laws are obeyed on the internet.

Police in Tianjin, China, searched the dormitories of 21 tertiary institutions, and found students from 15 of these had used pornographic software. Authorities are worried about it 'contaminating' the minds of the youth.

The Black Baron, author of Pathogen and Queeg, pleaded guilty to 11 charges related to virus writing in Plymouth, England. The 26 year old unemployed programmer was granted bail.

IBM, Toshiba, and Siemens have announced the world's smallest and fastest DRAM (dynamic RAM) chip. It holds 256Mbits - which is 32 MBytes - is only 286mm square and has an access time of 26ns. It took 200 researchers to achieve this...

A recent survey of computer professionals in the USA revealed that 53% admitted to making copies of commercial software, as on a 'try before you buy' basis.

Sun has produced an internet server security package, called SunScreen Iron Curtain. They invited three top experts to try and crack through it. The three are FBI hacker catcher Tsutomu Shimomura, code cracker Whitfield Diffie, and Dan Farmer (one of the authors of SATAN).

In a 62% poll, 97% of government IT employees voted to strike for better salaries and conditions. The potential for chaos in SA is immense...

The Intellectual Property Licensing Agency wants to protect copyright in Cyberspace. That means they want you to pay for lots of things. They envisage granting 'blanket licenses' to internet access providers, who will then recover the costs from you. Further details at http://www/ipla.com/jweb/index.html

Interested in Wimbledon? Try http://www.wimbledon.org

Interested in the ANC? Try http://www.anc.org.za

The Playboy site on the WWW gets 600 000 hits a DAY, from at least 25 000 individual users.

The first internet casino has opened; you need to open an account with them for at least US$50. The casino is on a machine on an Atlantic island.
A Fuji subsidiary is developing Apple's FireWire technology, which makes the handling of multimedia 500 times faster.

Nothing-to-do-with-security-but-interesting-anyway:

USA cigarette manufacturer Philip Morris recalled 8 billion cigarettes after discovering a pesticide and respiratory irritant in some filters.

Chrysler recalled 180 000 Jeep and Eagle vehicles with emission problems.

Coca-cola and Nestlé are test marketing cold, flavoured, bottled coffee. At least two other companies are busy with similar products.

Kodak has announced a new hypercompression scheme that allows it to store a black and white security passport sized photograph in just 400 bits, which is 50 bytes. This is small enough to fit into the magnetic strip on standard autoteller and credit cards. They refuse to reveal the technique, but say it does not use fractal technology.

The inventor of the first digital computer (ENIAC), J. Presper Eckert, died recently aged 76. The ENIAC was built in 1946.

China claims to have started crackdowns on software pirates.

The war about formats for video-on-CD goes on. At the moment there are two main rival formats: Sony/Philips MultiMedia Compact Disc (MMCD) and Toshiba/others Super Density (SD). However a bunch of data storage experts from leading computer companies rejected both formats, and told the companies to come back with ONE format. There is considerable money involved in having the patent rights to the format. Sony and Philips still get a few cents on every music CD sold. The computer companies have nine main objectives for the new standard. Briefly, these are:

1. Single interchange standard for both PC and TV applications
2. Backwards read-compatible with existing CD's
3. Forward compatible with future read/write devices
4. Single file system, regardless of application used
5. Low cost (comparable to current CDROM drives)
6. No caddy required
7. Reliable read and write
8. High capacity (expect up to 15 times current maximum)
9. High performance (access times and data transfer rates)

===========================================================================

Computer Week newspaper published a long article on viruses. While most of it was accurate, it contained some misinformation, to wit:

The author says that if a virus does not do malicious damage, then it is basically harmless. I disagree (and so does Vesselin Bontchev), and have written a paper on the subject. ALL viruses are harmful in one way or the other.

He also says that a virus is a self replicating program (OK..) which can cause damage to data. Sometimes true. They also damage executables.

He also misunderstands stealth technology, claiming that for example, a virus like ExeBug swaps the real main boot sector back to where it should be if the user attempts to look at it. Actually what it does is merely redirect the read attempt to where it has stored the original boot sector.

He claims a file virus adds its code to the end of a file. Actually, only sometimes. It can add its code to the beginning, or insert it somewhere in the middle, usually overwriting an area of null (hex 00) bytes.

The Michelangelo virus is so named because a journalist noticed that the trigger date, 6 March, was Michelangelo's birthday. There is no indication that the virus author knew this; the date probably has a completely different relevance for him.

The author then repeats the software-damaging-hardware myths, including the set-VGA-card-to-frequencies-it-can't-handle one. If this WAS possible, every new virus written would include the code to do it. He also has a totally new myth: toggle a bit in memory or CMOS repeatedly on or off, and burn it out. The author is displaying his ignorance, I fear...

AFAIK, Paul Ducklin is no longer with the CSIR, but now works for Sophos in England.

The author says that scanning your hard disk on a daily basis is the only effective way of dealing with viruses. Nonsense.
Firstly, scanners will not detect a totally new virus, and may even help it spread if it is a fast infector. Secondly, if your machine is clean, and you don't install any new software or foreign disks, scanning it every day is a waste of time. A better approach is to use an integrity checker. This will pick up all virus activity, even if it is an unknown virus.

The author presents a 'hit parade' of most frequent virus infections in SA, as follows: Exebug, Bravo, Mummy 2.1, Dir II, Stoned. My experience with these articles every month suggests a different list: Exebug, Michelangelo, Stoned, and then maybe Jerusalem. Bravo is reasonably common; Die.Hard.2 is becoming more common.

Lastly, he claims that Stoned is a disk-trashing virus. Not so. The standard versions do nothing except replicate.

===========================================================================

Current versions of popular anti-virus software in SA:

McAfee: v2.22
F-Prot: v2.18a
TBAV:   v6.35

Oliver Steudler of Dynamic Solutions reports Die.Hard.2, ExeBug.Hooker, Civil.Service, Bravo.

An independent survey in the USA revealed that 80% of USA Fortune 100 use McAfee antivirus software. Also, 25% of the Fortune 100 companies have enterprise site licences. McAfee has 67% of the market share for dos/windows/os2 antivirus products in the USA.

Mitch Dove of Gas Software in Johannesburg reports as follows:

Johannesburg: Barrotes.1310.A, Bravo, Michelangelo, Russian_Flag, Exebug (A, C, Hooker), Jerusalem.Mummy, Mte, AntiCmos, Monkey.2, Natas.4744, Form, and new variants for ExeBug and Jerusalem.
Roodepoort: Big Caibua, Vienna.2279
Pretoria: NOPS
Western Cape: AntiExe
Cape Town: Kampana
Durban: Michelangelo
Zimbabwe: Mongolian
Malawi: Quox

He writes: "The majority of the above infections are identified when the client first loads our product or when scanning floppies. In the case of multiple infections, they are not using our product at all. The case of the 400 infections of BIG CAIBUA falls into this area; they were using some other AV product at the time, which they had just purchased, by the way. We were approached and we successfully cleaned up their infection with F-PROT 2.18. Naturally we sold them a Cross Grade option."

Many clients using anti-virus software do not report infections, so the scope of the problem is much larger than these reports indicate.

Sorry, again no scanner tests this month...
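The integrity checker recommended above over daily scanning, as an added example that is not code from this newsletter or from any product it names: it records the size and SHA-256 of every file under a directory, then reports files that were added, deleted or changed, and for changed files whether the size moved. The directory layout and file contents are constructed for the demo; the three modifications mimic the three attachment styles the Computer Week critique lists (append, prepend, overwrite a run of null bytes in the middle). Two practical caveats follow from the column's own points: the baseline must be kept where the machine's software cannot rewrite it, and the check must run from a clean boot, since a resident stealth virus of the kind described above (one that redirects reads to the stored original) can serve the checker unmodified contents.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file, read in chunks so large executables are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Record size and SHA-256 of every regular file below root, keyed by relative path."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): {"size": p.stat().st_size, "sha256": file_digest(p)}
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline, path):
    # The baseline must live where software on the checked machine cannot rewrite it
    # (a write-protected floppy in this newsletter's era); here it is a plain JSON file.
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Report files added, deleted, or whose contents changed since the baseline.

    Each modified entry records whether the size changed, because an infection that
    overwrites unused bytes in the middle of a file leaves the size alone."""
    old, new = set(baseline), set(current)
    modified = {
        f: {"size_changed": baseline[f]["size"] != current[f]["size"]}
        for f in sorted(old & new)
        if baseline[f]["sha256"] != current[f]["sha256"]
    }
    return {"added": sorted(new - old), "deleted": sorted(old - new), "modified": modified}


def demo():
    """Constructed scenario: three stand-in executables, then append / prepend /
    overwrite-nulls modifications, one deletion and one addition. No real code."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "doc").mkdir()
        editor = root / "bin" / "editor.exe"
        util = root / "bin" / "util.com"
        game = root / "bin" / "game.exe"
        editor.write_bytes(b"MZ" + b"\x90" * 64)                              # stand-in DOS EXE
        util.write_bytes(b"\xb8\x00\x4c\xcd\x21")                              # mov ax,4c00h / int 21h
        game.write_bytes(b"MZ" + b"\x90" * 32 + b"\x00" * 32 + b"\x90" * 32)  # has a null region
        (root / "doc" / "readme.txt").write_text("hello\n")

        baseline = snapshot(root)
        save_baseline(baseline, root / "baseline.json")

        # Simulated changes: appended bytes, prepended bytes, and a same-length
        # overwrite inside the null region (so the size does not change).
        editor.write_bytes(editor.read_bytes() + b"\xcc" * 16)
        util.write_bytes(b"\xcc" * 16 + util.read_bytes())
        body = bytearray(game.read_bytes())
        body[34:50] = b"\xcc" * 16
        game.write_bytes(bytes(body))
        (root / "doc" / "readme.txt").unlink()
        (root / "doc" / "new.txt").write_text("added\n")

        current = snapshot(root)
        current.pop("baseline.json", None)   # the baseline file itself is not monitored
        return compare(load_baseline(root / "baseline.json"), current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

A signature scanner has nothing to match against a brand-new virus, whereas every one of the three modifications above is caught simply because the hash no longer matches; the size_changed flag is what separates the mid-file overwrite from the append and prepend cases.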