Text File | 1993-06-03 | 54KB | 1,158 lines
VIRUS-L Digest Friday, 4 Jun 1993 Volume 6 : Issue 91
Today's Topics:
Re: Digital Enterprises $5,000 challenge! $$$ $$$
Re: Digital Enterprises $5,000 challenge! $$$ $$$
Re: Digital Enterprises $5,000 challenge! $$$ $$$
Re: Digital Enterprises $5,000 challenge! $$$ $$$
Use of cryptanalysis in virus-hunting.
Virus as extortion
Re: The Anti-Viral Software of MS-DOS 6.0 (PC)
Re: Viruses that cost $$$ (PC)
Re: CPAV updates? (PC)
Re: Is "Untouchable" (V-ANALYST) Effective? (PC)
Handle Redirection (MSDOS) (PC)
Re: CPAV updates? (PC)
Re: CPAV updates? (PC)
Re: Is "Untouchable" (V-ANALYST) Effective (PC)
Re: Redirection Difficulty (PC)
Re: On the merits of VSUM (PC)
Re: Corrections (CPAV) (PC)
Re: Misidentification by F-Prot 2.08a (PC)
Re: The Anti-Viral Software of MS-DOS 6 (PC)
Re: Misidentification by F-Prot 2.08a (PC)
Virus?? filename 'n' and content 'U---ntion' (PC)
New anti-virus package available via ftp (PC)
VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart. Discussions are not limited to any one hardware/software
platform - diversity is welcomed. Contributions should be relevant,
concise, polite, etc. (The complete set of posting guidelines is
available by FTP on cert.org or upon request.) Please sign submissions
with your real name; anonymous postings will not be accepted.
Information on accessing anti-virus, documentation, and back-issue
archives is distributed periodically on the list. A FAQ (Frequently
Asked Questions) document and all of the back-issues are available by
anonymous FTP on CERT.org (192.88.209.5).
Administrative mail (e.g., comments, suggestions, beer recipes)
should be sent to me at: krvw@AGARNE.IMS.DISA.MIL.
All submissions should be sent to: VIRUS-L@Lehigh.edu.
Ken van Wyk
----------------------------------------------------------------------
Date: Thu, 03 Jun 93 11:27:00 -0400
From: duck@nuustak.csir.co.za
Subject: Re: Digital Enterprises $5,000 challenge! $$$ $$$
Thus spake miser@stein2.u.washington.edu (Robert Fulwell):
> The Gaithersburg, Md-based company says virus experts
> have tried unsuccessfully for more than 2 years to defeat
> its V-Card Anti-Virus System. It's inviting hackers to come
> to its headquarters through mid-July to try their hand at
> loading a true virus (Trojan horses and bombs don't count)
> onto the system. The computer must be rendered non-bootable
> and files must be non-recoverable while V-Card is operating.
> The company will reward the triumphant hacker with $5000.
This is ludicrous. Firstly, they're inciting others to write viruses
(a crime in some countries); secondly, rendering a computer
non-bootable is easy (a large hammer, a medium-sized brick, or a few
decades, will probably do the job); thirdly, they're asking for a
"true virus" whilst judging its "success" by its Trojan effects.
I thought people had stopped this sort of incitement.
Paul
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\ Paul Ducklin duck@nuustak.csir.co.za /
/ CSIR Computer Virus Lab + Box 395 + Pretoria + 0001 S Africa \
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
------------------------------
Date: Thu, 03 Jun 93 11:46:28 -0400
From: hubt@css.itd.umich.edu (-- Hubert Chen --)
Subject: Re: Digital Enterprises $5,000 challenge! $$$ $$$
miser@stein2.u.washington.edu (Robert Fulwell) writes:
>
> DIGITAL ENTERPRISES IS CHALLENGING COMPUTER HACKERS to
> defeat its anti-virus technology.
> The Gaithersburg, Md-based company says virus experts
> have tried unsuccessfully for more than 2 years to defeat
> its V-Card Anti-Virus System. It's inviting hackers to come
> to its headquarters through mid-July to try their hand at
> loading a true virus (Trojan horses and bombs don't count)
> onto the system. The computer must be rendered non-bootable
> and files must be non-recoverable while V-Card is operating.
> The company will reward the triumphant hacker with $5000.
They didn't specify what kind of machine this was, did they? I assume it
must be a DOS machine, but maybe not...
ObHack: Attempting to port netatalk to the NeXT.
--
\\\\ hubt@umich.edu -- Hubert Chen -- pgp key on request or via finger ////
Deep Thoughts by Jack Handey:
If you saw two guys named Hambone and Flippy, which one would you
think liked dolphins the most? I'd say Flippy, wouldn't you? You'd be
------------------------------
Date: Thu, 03 Jun 93 11:59:26 -0400
From: vwelch@ncsa.uiuc.edu (Von Welch)
Subject: Re: Digital Enterprises $5,000 challenge! $$$ $$$
miser@stein2.u.washington.edu (Robert Fulwell) writes:
|> Here's an interesting offer a few people out there probably wouldn't mind
|> cashing in:
|>
|> <Taken straight from Prodigy (DON'T ask me what I was doing there :-)>
|>
|> PRODIGY(R) interactive personal service 06/03/93 1:29 AM
|>
|> DIGITAL ENTERPRISES IS CHALLENGING COMPUTER HACKERS to
|> defeat its anti-virus technology.
|> The Gaithersburg, Md-based company says virus experts
|> have tried unsuccessfully for more than 2 years to defeat
|> its V-Card Anti-Virus System. It's inviting hackers to come
|> to its headquarters through mid-July to try their hand at
|> loading a true virus (Trojan horses and bombs don't count)
|> onto the system. The computer must be rendered non-bootable
|> and files must be non-recoverable while V-Card is operating.
|> The company will reward the triumphant hacker with $5000.
The question that pops into my mind is: if their product is that good at
impeding viruses, how many legitimate applications will it prohibit?
Von
--
Von Welch (vwelch@ncsa.uiuc.edu) NCSA Networking Development Group
"It is better to not post and appear stupid than to post and prove it."
- I speak only for myself and those who think exactly like me -
------------------------------
Date: Thu, 03 Jun 93 18:52:08 +0000
From: bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Digital Enterprises $5,000 challenge! $$$ $$$
Robert Fulwell (miser@stein2.u.washington.edu) writes:
> Here's an interesting offer a few people out there probably wouldn't mind
> cashing in:
Yeah, yet another marketing trick... The challenge seems rather bogus
to me; see below.
> The Gaithersburg, Md-based company says virus experts
> have tried unsuccessfully for more than 2 years to defeat
> its V-Card Anti-Virus System.
Huh? Any virus experts out there who have spent the last 2 years of
their life trying (unsuccessfully, of course) to break that famous
V-Card? At least I have not even heard about it. My guess is that it
is either breakable (at least in some stretched conditions) or makes
the computer it is installed on unusable.
> It's inviting hackers to come
> to its headquarters through mid-July to try their hand at
> loading a true virus (Trojan horses and bombs don't count)
> onto the system. The computer must be rendered non-bootable
> and files must be non-recoverable while V-Card is operating.
Funny, the card seems to protect from the damages; it doesn't seem to
try to prevent the viruses from spreading - only from damaging files.
Then, why are Trojan horses excluded? If it is possible to write a
Trojan horse that would be able to bypass the protection provided by
the card, it should be more than trivial to attach it to a simple
virus, e.g. a Burger or a Vienna variant.
> The company will reward the triumphant hacker with $5000.
I am not able to go there and try it, but here are some hints to those
who decide to take the challenge:
1) The conditions say that "files must be non-recoverable". They don't
specify that the files must be those on the hard disk. At the same
time, many hardware anti-virus cards don't offer any protection of the
information on the floppies. Hint - use a virus that spreads only on
floppies and causes damage only on the files that reside there.
2) In order to make the computer non-bootable, one must damage one of
the following: the CMOS, the MBR, the DBS, any of the two hidden DOS
files, the command interpreter, any of the device drivers or
INSTALLed programs from CONFIG.SYS, any of the programs started by
AUTOEXEC.BAT. Chances are that the card protects the MBR and the DBS.
If it is clever enough, it should also protect any executable file,
but this is less likely. Even less likely is that it protects the
CONFIG.SYS and AUTOEXEC.BAT files themselves - these files are often
modified. The least likely thing to protect is the CMOS. Therefore, one
could try to change the CMOS settings to indicate that there is no
hard disk, or to change CONFIG.SYS or AUTOEXEC.BAT and make them
execute a program that just loops infinitely and so on. It is possible
that the card is made to protect all the above areas, but then it
should make the computer pretty unusable...
3) It is possible to change the logical contents of a file by just
manipulating the FAT and/or the directory entries. However, a
protection card cannot just deny access to those areas, because DOS
itself is modifying them. Therefore, the card is either storing the
"protected" files on some write-protected area (and keeps a list of
the sectors to which writing is forbidden), or attempts to determine
whether the request to modify the FAT and/or the directory entry comes
from DOS or not. Unfortunately, there is NO WAY this can be determined
safely enough. A virus could patch part of the DOS kernel and call it;
it could use device driver requests (like the Dir_II virus), and so
on.
4) There is a remote possibility that the card requires some kind of
TSR program to be present - for instance to display messages, to
request the Yes/No response from the user, and so on. In some cases,
it is possible to patch this program and make it always tell the card
"everything's fine, just go on".
Unfortunately, selecting the right kind of attack depends on how
exactly the card operates. Even a secure strategy might be compromised
by a sloppy implementation. It is very possible that -none- of the
currently existing viruses will be able to bypass the card. In the
At the same time, however, it might be quite trivial to bypass it by using
just a combination of the known techniques.
However, since the rules do not allow the usage of Trojan horses, the
only way to demonstrate that it is possible to defeat the card will be
to write a new virus. Therefore, the challenge is an incitement to
create new viruses - something that I find particularly disgusting.
Regards,
Vesselin
--
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
------------------------------
Date: Thu, 03 Jun 93 14:59:21 -0400
From: jjsterre@acs.ucalgary.ca
Subject: Use of cryptanalysis in virus-hunting.
While reading this list, I was struck by the comment that Tremor
had several million (or billion) permutations in its encryption scheme.
I do not know too much about programming; but I know a bit about
cryptanalysis by virtue of working at times in Signals history. In
general, simple permutations (such as a polyalphabetic cipher with a
random or self-modifying key - like the Enigma or Purple machines) are
not difficult obstacles for computers. Because all plaintext (in this
case the virus code) has underlying patterns, the ciphertext has patterns,
through which the original can be found.
I wondered if cryptanalytic techniques were/would be useful in
hunting the encrypted viruses. I'm told that most viruses use a time-based
key (therefore predictable once you have any piece?) which is added in
various ways to the virus code. This sounds to me like the situation
I described in the above paragraph.
Thanks for your time.
James Sterrett
jjsterre@acs.ucalgary.edu
------------------------------
Date: Fri, 04 Jun 93 05:26:18 -0400
From: wouter@stack.urc.tue.nl (Wouter Slegers)
Subject: Virus as extortion
This may not be common for this group, but as this is about viruses...
A friend of mine who programs an up/download protocol got a threat
from Russia: Either he sold the program to them for $5 (normally $15) or
they would release a virus with his name in it (maybe even with the
protocol, I don't know for sure). He didn't comply and changed the
coding/protection of his program radically to make it more difficult to
hack/infect it.
How do you feel about this? Can you give us advice as to how to handle this?
Do you have tips to prevent deliberate infections and hacks? (Although this
program is already quite protected with encryption e.g. ideas are always
welcome).
Regards,
Wouter
BTW: this is all on the PC-platform.
--
Wouter Slegers, 1st year CS at TUE (nl), wouter@stack.urc.tue.nl.
Disclaimer: If the above sounds plausible, reread it several times!
Religion and sex are powerplays*manipulate the people for the money they pay
Selling skin, selling god* the numbers are the same on their creditcards!
------------------------------
Date: Thu, 03 Jun 93 11:27:25 -0400
From: "Paul R. Coen" <PCOEN@DRUNIVAC.DREW.EDU>
Subject: Re: The Anti-Viral Software of MS-DOS 6.0 (PC)
> What is clear is that in this case F-PROT is complaining about what
>*MSAV* has left in memory, not about VSAFE. It is also clear that
>F-PROT is giving a false positive. The only question is: Which scan-
>ner is at fault: MSAV or F-PROT? If instead of running F-PROT (after
>MSAV) I run SCAN, FINDVIRU, or UTSCAN, no message is output. Since
>the other three scanners disagree with F-PROT, the most likely answer
>is that it is F-PROT which is at fault in this case.
That's a really unique way of looking at it. What is probably happening
is that F-PROT and MSAV happen to use the same string, or F-PROT uses
a sub-string of what MSAV is using. MSAV is leaving unencrypted strings
in memory (like CPAV and Carmel Turbo A-V before it), and f-prot is
going off. I've seen versions of other scanners give false positives with CPAV
or Turbo A-V. What it comes down to is that because they leave strings in
memory, the whole MSAV/CPAV/TAV line is ruining perfectly good search strings;
at best, this is inconsiderate, at worst, it demonstrates a "screw you"
attitude which is unwelcome.
So basically, you're blaming F-Prot for not getting out of the way of
a crummy, problem-causing product. Sorry, but that's blaming the victim.
F-Prot will probably get fixed, simply because people are going to make
the same conclusion as you, only based on even less -- they'll just say
"Gee, Microsoft is distributing this, so it can't stink. Must be this
other program's fault."
--
Paul Coen, Drew University Academic Computing
pcoen@drunivac.drew.edu pcoen@drunivac.bitnet
------------------------------
Date: Thu, 03 Jun 93 11:59:59 -0400
From: Fabio Esquivel <FESQUIVE@ucrvm2.bitnet>
Subject: Re: Viruses that cost $$$ (PC)
It's been several days since I sent my BURNER.COM program to
Vesselin Bontchev, and still haven't heard any answer (positive or
negative) about the results.
Vesselin: Did Burner work? Still testing? No interest?
I am just curious to know if you are convinced that it is
perfectly possible to destroy hardware by software...
********* FOR Baudilio Gomez Qenk (Supervisor of Holguin.CU) ***********
Baudilio, I've got your messages and I've sent six e-mails answering you,
but all of them get back to my account with a subject of "undeliverable".
I'll keep trying anyway.
;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Data SEGMENT PARA PUBLIC
name DB 'Fabio Esquivel Chacon' ; That's me... 8^)
job DB 'Computer Science student' ; But I'll graduate soon
site DB 'University of Costa Rica' ;
bitnet DB 'fesquive@ucrvm2.bitnet' ; Office hours, please.
internet DB 'fesquive@ucrvm2.ucr.cr' ;
Data ENDS
------------------------------
Date: Thu, 03 Jun 93 13:15:29 -0400
From: Y. Radai <RADAI@vms.huji.ac.il>
Subject: Re: CPAV updates? (PC)
Alan Boon writes concerning CPAV:
> With Bootsafe and Vsafe running, your system is well protected provided you
> update the signature files. It offers a comprehensive protection system
> that no other can match. Anyway, it wasn't the user interface that
> attracted me but the protection level it offered.
The protection level attracted you?? I notice that you wrote this on
27 May. There's an evaluation of MSAV/VSafe which appeared in
VIRUS-L/comp.virus two days earlier (modesty prevents me from saying
who the author is). Almost everything written there holds for CPAV as
well. (Okay, since BootSafe comes with CPAV but not with MSAV, it has
only 9.5 security holes instead of 10.) Please read that evaluation
and then let us know if you're still inclined to praise CPAV's level
of protection.
Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL
------------------------------
Date: Thu, 03 Jun 93 13:43:15 -0400
From: Y. Radai <RADAI@vms.huji.ac.il>
Subject: Re: Is "Untouchable" (V-ANALYST) Effective? (PC)
Gabriel Schwartz writes:
> Yes, you might be right about the integrity checker of V-Analyst, but most of
> the users want to see scan results much more than integrity checks.
Yes, that may be what they *want* to see ... but that doesn't make it
the best way of evaluating a product.
> Although integrity checking is a very important part of an anti-virus package, it
> can't stand alone as the leading part. I'm looking in the latest VSUM reports
> and V-Analyst doesn't look very good there,
I agree that UTScan (that's obviously what you mean when you say
"V-Analyst") is not the best scanner, although it has improved
greatly in the past year or so. However, when you mention the VSUM
reports ("certifications"), you should realize that they're biased in
two ways: (1) The VSUM test suite seems to be (by sheer coincidence,
of course) very similar to McAfee's collection. (2) VSUM uses the
latest versions of some scanners but rather old versions of others.
In particular, the April comparison used Ver. 25 of UTScan, even
though Ver. 28 was already out! It may not be easy to avoid bias (1),
but there's not much excuse for comparisons which are unfair in the
sense of (2). The best we can do is to look at as many comparisons
as possible which are based on the *latest* versions of *every*
product.
Y. Radai
Hebrew Univ. of Jerusalem, Israel
RADAI@HUJIVMS.BITNET
RADAI@VMS.HUJI.AC.IL
------------------------------
Date: Thu, 03 Jun 93 14:55:43 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Handle Redirection (MSDOS) (PC)
Subject: Redirection Difficulty (PC)
>From: Donald G Peters <Peters@DOCKMASTER.NCSC.MIL>
>I'm trying to investigate how programs trap I/O and redirect it. The
>specific problem that I have is how does a program tell DOS to change
>its interpretation of standard input or output (or the other three
>standard handles for that matter). None of my books an DOS function
>(documented or undocumented) describe how to do this.
Not sure just how virus related this is but since Ken posted the question,
here goes:
For this I am going to confine the discussion to screen display, though
most of the points have analogues for the keyboard as well.
There are three different means of writing to the screen though all wind up
at the same place. The first entry point is at the DOS level such as
via Int 21h Fn 9h (Output string). MSDOS massages this request and converts
the request to be compatible with Int 10h, BIOS screen control (second
entry point). Int 10h then massages the request into a direct write to the
screen buffer (third entry point).
Standard Input (handle 0), standard output (handle 1), and standard error
(handle 2) only have meaning from the DOS level (Int 21h) and will not
intercept either Int 10h access or direct buffer writes.
To intercept a handle, the normal method (though tricky) is to close
the original handle and reopen it with direction to a different device.
This has the problem of eliminating the screen display completely. Since
screen display from DOS is lost, the only fallback on error is to reboot.
A second method would be to intercept the Int 10h calls, write the
character to a file and then pass the original call on to the BIOS. This
would generate both a screen display and a hard copy (essentially what
control_P does).
The third method is untrappable since there is nothing to trap, data is
written directly to the screen buffers. The only thing that could be done
would be to periodically trap an image of the buffer data to a file.
As can be seen, the problem with handles is that redirection here has no
effect on programs using low level functions. For this reason, while handle
redirection can be done, I doubt that it will do what you want.
Warmly,
Padgett
------------------------------
Date: Thu, 03 Jun 93 19:23:05 +0000
From: bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: CPAV updates? (PC)
A.M. Zanker (A.M.Zanker@newcastle.ac.uk) writes:
> Ha Ha! Yes, it has a nice user interface. It also detects the 50 or so
> virii that are ever really seen outside virus testing labs etc. (according
> to Alan Solomon).
It misses, e.g., Tremor, which was recently distributed to
potentially 60,000 users all over Europe. Does it matter that it
detects all those "50 or so" viruses, if it misses that single one
that will attack your computer? Does it matter whether it detects even
all viruses known to be "in the wild", if tomorrow a disgruntled
employee of your company or just a malicious person can download an
"extinct" virus from his favourite virus exchange BBS and use it to
attack your system?
> It always seems to have a fairly low rating in P. Hoffman's
I usually tend to disagree with Mrs. Hoffman's results, but this time
they agree surprisingly well with my own. MSAV that comes with MS-DOS
6.0 has a hit rate of approximately 62% when run on our virus
collection. According to Mrs. Hoffman, it is 53% when run on -her-
virus collection. The two numbers are pretty close to each other
(regardless of the fact that they have been obtained on different
virus collections) and both of them mean that the scanner is -bad-.
> certification tests, but then she seems to use the standard 1.4 version withou
> any of the updates.
Good point, you are right on this one. OK, I got the latest updates of
CPAV 1.4, MSAV, and even CPAV 2.0-beta from Central Point Software.
I'll test each one of them and will report the results later.
> Both DOS and Windows versions can also detect changes to "system" files
> (.exe, .com, .dll, .ov?, etc.) which seems to cover just about everything
> one is likely to meet in everyday home use.
Funny, I don't know about any virus that can infect .DLL files...
Strange, I don't see the .SYS, .BIN, .DRV, and .BAT files listed,
although I do know several viruses that can infect such files.
But this is irrelevant. What is important is that your claim that the
program is able to detect changes to any of those files is just plain
wrong and misleading. The integrity checking system checks only the
size/date/time/attributes and the first 64 bytes of those files. It is
trivial to write a virus that does not change -any- of the above.
Furthermore, it is possible to attack the integrity checker in about a
dozen of other ways (described in my paper) and in most cases the
attack will succeed.
Regards,
Vesselin
--
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
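The weakness described above, as an added example (not code from the digest or from CPAV): a checker that records only size, timestamp, attributes and the first 64 bytes of a file, beside one that hashes the whole content. The file, its 64-byte header and the in-place modification past byte 64 are all constructed here.

```python
"""Weak vs. full-file integrity checking (added example, not from the digest)."""
import hashlib
import os
import stat
import tempfile


def weak_record(path):
    """Baseline in the style the post criticises: metadata plus the first 64 bytes."""
    st = os.stat(path)
    with open(path, "rb") as f:
        head = f.read(64)
    return {
        "size": st.st_size,
        "mtime": st.st_mtime_ns,
        "mode": stat.S_IMODE(st.st_mode),
        "head": head,
    }


def strong_record(path):
    """Baseline over the whole content: SHA-256 of every byte, plus the size."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": os.stat(path).st_size, "sha256": h.hexdigest()}


def modify_preserving_weak_fields(path, offset, patch):
    """Constructed same-length overwrite at `offset` (beyond byte 64) that
    leaves size, first 64 bytes and attributes alone and restores the
    original timestamps afterwards, so every field of weak_record() survives."""
    st = os.stat(path)
    with open(path, "r+b") as f:
        f.seek(offset)
        f.write(patch)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo():
    """Return (weak_detects, strong_detects) for the constructed scenario."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "PROGRAM.COM")
        with open(target, "wb") as f:
            # Constructed stand-in for an executable: 64 bytes the weak check
            # inspects, followed by 1024 bytes it never looks at.
            f.write(b"\xe9\x00\x01" + b"\x90" * 61)
            f.write(b"\xb4\x09\xcd\x21" * 256)
        weak_before = weak_record(target)
        strong_before = strong_record(target)
        modify_preserving_weak_fields(target, 512, b"\xcc" * 16)
        weak_detects = weak_record(target) != weak_before
        strong_detects = strong_record(target) != strong_before
        return weak_detects, strong_detects


if __name__ == "__main__":
    print(demo())  # (False, True): only the whole-file hash notices the change
```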
------------------------------
Date: Thu, 03 Jun 93 19:06:48 +0000
From: bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: CPAV updates? (PC)
Alan Boon (ee1ckb@sunlab1.bath.ac.uk) writes:
> With Bootsafe and Vsafe running, your system is well protected provided you
> update the signature files.
Is it? Could you enlighten us -why- the system is well protected?
Bootsafe is nothing more than a generic boot sector recovering program
that can be easily defeated by a virus which is stealth enough (e.g.,
Strange). VSafe is a combination of a resident scanner/integrity
checker and a monitor. As it has been mentioned here several times, it
is possible to disable or even to remove it completely from memory
with just 3 instructions! Besides, the monitoring part of it is
trivially bypassed by the modern tunnelling technology and the whole
concept of the integrity system is implemented in such a sloppy way
that it can be easily bypassed too. Add to that the fact that the
off-line scanner is nothing exceptional. So, where is the "good
protection" claimed by you? Maybe there is a special way to use the
program that I don't know about - a way to really turn the protection
on. If this is the case, please share this way with us.
> It offers a comprehensive protection system
> that no other can match.
Could you please provide some evidence to support the above claim?
Meanwhile, I'll provide some evidence to the contrary:
1) Do you mean by "comprehensive" that the package combines scanning
with monitoring and integrity checking? Then the claim that "no one
can match" it is false - there are several other packages which
provide the same combination.
2) The scanner has a detection rate of approximately 60%, compared to
99% of Dr. Solomon's Anti-Virus ToolKit. Indeed, no one can match that
- in bad quality, that is.
3) The scanner is significantly slower than most of the existing ones.
4) The resident part can be disabled/removed/bypassed in a trivial
way.
5) The integrity checking part is extremely insecure and can be
attacked successfully with almost any of the attacks described in my
paper. Compared with e.g. Untouchable, the protection offered by the
integrity checking capabilities of CPAV is just laughable.
6) On top of that, the checksums are kept in separate files in
each directory that contains executable files. This tends to waste
your disk space.
> Anyway, it wasn't the user interface that
> attracted me but the protection level it offered.
What level of protection? How did you test/evaluate it? Could you
please describe your test procedures?
Regards,
Vesselin
--
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
------------------------------
Date: Thu, 03 Jun 93 19:31:56 +0000
From: bontchev@news.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Is "Untouchable" (V-ANALYST) Effective (PC)
Schwartz Gabriel (Schwartz_Gabriel@f101.n9721.z9.virnet.bad.se) writes:
> Yes, you might be right about the integrity checker of V-Analyst, but most of
> the users want to see scan results much more than integrity checks.
This just means that those users must be educated about how to build
an effective virus protection defense. The fact that they "want to
see" something does not mean that this "something" will actually
protect them. Unfortunately, it may well make them buy the product and
get a false sense of security.
> Although integrity checking is a very important part of an anti-virus package, it
> can't stand alone as the leading part.
Why not? Please, explain. IMNSHO, exactly the integrity checking must
play the leading role. The only role of the scanner should be to make
sure that the package is installed on a virus-free system and as a
front-end line to prevent the well-known viruses from entering the
system. (The integrity check will detect them as soon as they enter,
but it is still better if they can be stopped even before that - if it
can be achieved cheaply enough, of course.)
> I'm looking in the latest VSUM reports
> and V-Analyst doesn't look very good there,
This means just that:
1) You are looking in the wrong place (VSUM).
2) You have not noticed that Mrs. Hoffman has tested only the scanner
part of the product.
3) Mrs. Hoffman has not tested the product properly.
4) You do not realize that the quality of the scanner does not say
anything about the quality of the virus protection provided by the
product as a whole.
5) The results apply only to an old version of the scanner.
Regards,
Vesselin
--
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
------------------------------
Date: Thu, 03 Jun 93 20:11:23 +0000
From: bontchev@rzsun2.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Redirection Difficulty (PC)
Donald G Peters (Peters@DOCKMASTER.NCSC.MIL) writes:
> I'm trying to investigate how programs trap I/O and redirect it. The
> specific problem that I have is how does a program tell DOS to change
> its interpretation of standard input or output (or the other three
> standard handles for that matter). None of my books an DOS function
> (documented or undocumented) describe how to do this.
Easy. Open a file you want to redirect stdin to (INT 21h/AH=3Dh, AL -
opening mode, DS:DX - pointer to the ASCIIZ name of the file). The
handle of the new file is returned in AX. Then ForceDuplication of the
file handle (INT 21h/AH=46h, BX - the handle that you got from the
previous function, CX - the handle you want to duplicate - 0 for
stdin, 1 for stdout, 2 for stderr, etc.). From this point on, any
output to stdin by this or by any child process will be redirected to
the newly opened file. The redirection of the other standard I/O files
(stdout, stderr, stdprn, stdaux) is done in the same way. BTW, I don't
see what all this has to do with computer viruses - maybe it's more
appropriate for the comp.os.msdos.programmer newsgroup...
> Now please don't suggest EXEC('COMMAND.COM','/C pgm parameters >file')
> because no malicious software could get away with that. I don't need
> to defend against such a weak attack; I want to defend against smart
> attacks. How do they do it? (It is done by 4DOS at least.) All I want
> to know is what do you do to have I/O redirected at the system call
> level.
Attack? What attack? You certainly don't believe that it is "safe" to
run viruses as child processes if you redirect the standard I/O?
Regards,
Vesselin
--
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
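The recipe in the reply above (open the target file with INT 21h/AH=3Dh, then force-duplicate its handle onto standard handle 1 with INT 21h/AH=46h) and the inheritance by child processes it mentions, as an added example that is not code from the digest: the POSIX analogue uses os.open() and os.dup2(), with the saved original handle restored afterwards. The target file and child command are constructed here.

```python
"""Handle redirection at the system-call level (added example, POSIX analogue)."""
import os
import subprocess
import sys
import tempfile


def run_with_stdout_redirected(path, child_args):
    """Point handle 1 at `path`, write from this process and from a child,
    then restore handle 1. Returns the text the file received."""
    sys.stdout.flush()                 # drain buffered text before moving handle 1
    saved = os.dup(1)                  # keep the original handle so it can be restored
    # Analogue of INT 21h/AH=3Dh: open the file and get a new handle back.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.dup2(fd, 1)                 # analogue of INT 21h/AH=46h: handle 1 now aliases fd
        os.write(1, b"parent via handle 1\n")
        # The child inherits the redirected handle 1, so its output lands in the file too.
        subprocess.run(child_args, check=True)
    finally:
        os.dup2(saved, 1)              # handle 1 back to the original device
        os.close(saved)
        os.close(fd)
    with open(path, "r") as f:
        return f.read()


def demo():
    """Constructed scenario: redirect into a temporary file and read it back."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "capture.txt")
        child = [sys.executable, "-c", "print('child via inherited handle 1')"]
        return run_with_stdout_redirected(target, child)


if __name__ == "__main__":
    print(repr(demo()))
```

As Padgett's post notes, this only reaches writers that go through the handle; output that bypasses the handle layer is unaffected.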
------------------------------
Date: Thu, 03 Jun 93 20:44:39 +0000
From: bontchev@rzsun2.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: On the merits of VSUM (PC)
Al Garcia (CMGARCIAAL@CRF.CUIS.EDU) writes:
> You recently gave some very constructive criticism of Patricia Hoffman's VSUM.
> In contrast, McAfee's VIRLIST.TXT provides succinct descriptions of the genera
> behavior you can expect from any particular virus on it. One of these types o
Why "in contrast"? VIRLIST.TXT is full of errors too; it is just not
so verbose as VSUM. The last time I checked (in version 102), it
contained names of viruses never reported by the scanners, didn't
contain the names of many viruses reported by the scanner, had
spelling mistakes in the virus names, had errors in the virus
properties and sometimes even in the infective length, and the "number
of variants" field was completely unreliable.
> matter (again, it's succinct). As you know, there are many different ways a
> virus can install itself in memory, which is reflected in VSUM. Here's her
[description deleted]
> Could you please provide some comments on the accuracy of VSUM in this one
> specific area of analysis?
The description is not complete and detailed enough. A pretty
complete list of the currently used methods can be found in the
description of the CARObase entry format, available from our ftp site.
It has two drawbacks - first, it is also not perfect (we had some
trouble to describe how the Strange virus installs itself in memory),
and second, it is just a list, not a description (in order not to help
the virus writers), so you'll have to figure yourself what each of the
methods consists of.
Regarding how exact VSUM's analysis of the memory residency methods
used by the viruses is - I don't know; haven't checked that in
particular.
> by programs such as TBDRIVER/FILE, FLUSHOT, SECURE, etc. For example, the
> first two each have a problem detecting suspicious memory allocation and use,
It's not a problem to detect memory allocation - Padgett has a
"six-bytes" method that can do this. Problem is, many viruses install
themselves in memory without allocating memory... :-(
> past them. SECURE, on the other hand, doesn't seem to bother alerting the
> user when a program makes a TSR request (maybe it's supposed to, but it didn't
Which SECURE? Mark Washburn's? It has a permission bit in the program
descriptions that tells whether they are allowed to remain resident.
If you turn this bit off, you should get a warning.
> I don't have the viruses to verify any of this. I only ran a few tests on the
> security programs to see if they'd be triggered under the conditions I would
> want them to be, above scenarios included. Thanks.
Hm, that's a tricky one... For instance, VSafe (the resident anti-virus
program that comes with MS-DOS 6.0) claims to be able to detect
whether a program tries to remain resident. In reality, it does not
even try to do so - instead it tries to determine whether after a
program terminates some interrupts seem to have been hooked (no, not
only in the interrupt vector table). This allows it to detect many of
the attempts of the viruses to install themselves in memory.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
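An added example, not from VIRUS-L and not code from VSafe or from Padgett's method, of the check described above: snapshot the interrupt vectors before a program runs, compare them after it terminates, and then ask who owns the memory each changed vector now points into. That second step is what catches a virus that stays in memory without allocating it. The IVT, the MCB chain, the segment values and the four scenarios are all constructed for the illustration; on a real DOS machine the vectors are read from segment 0000h and the MCB chain is walked from the first MCB segment DOS publishes in its list of lists.

```python
"""Post-termination interrupt vector audit (constructed DOS memory model)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Mcb:
    """One DOS memory control block, constructed for this example."""
    start_seg: int    # first paragraph of the block's data area
    size_paras: int   # length in 16-byte paragraphs
    owner_psp: int    # 0 = free block, 8 = DOS itself, else the owner's PSP segment


# Constructed interrupt vector table snapshot taken before the program ran:
# int number -> (segment, offset) of its handler.
IVT_BEFORE = {
    0x08: (0xF000, 0xFEA5),   # timer tick, in ROM BIOS
    0x13: (0xF000, 0xEC59),   # disk services, in ROM BIOS
    0x1C: (0xF000, 0xFF53),   # user timer hook, ROM IRET
    0x21: (0x0070, 0x109E),   # DOS services, inside the DOS kernel block
}
PSP = 0x03B0   # PSP segment of the program that has just terminated (constructed)


def make_chain(program_owner):
    """Constructed MCB chain: DOS, a small resident driver, the program's block
    and the free block above it.  program_owner is 0 once DOS freed the block
    on a normal exit, or PSP if the program stayed resident via a TSR call."""
    return [
        Mcb(0x0070, 0x0300, 8),              # 0070h..036Fh  DOS kernel and buffers
        Mcb(0x0370, 0x0040, 0x0370),         # 0370h..03AFh  resident driver (owns itself)
        Mcb(PSP,    0x1000, program_owner),  # 03B0h..13AFh  the program's block
        Mcb(0x13B0, 0x8C40, 0),              # 13B0h..9FEFh  free conventional memory
    ]


def block_for_segment(chain, seg):
    for b in chain:
        if b.start_seg <= seg < b.start_seg + b.size_paras:
            return b
    return None


def audit_vectors(before, after, chain, terminated_psp):
    """Compare two IVT snapshots and classify every vector that changed by
    looking up who owns the memory the new handler lives in.
    Returns (int_no, code, detail) tuples; code is RESIDENT, FREE, UNOWNED or OTHER."""
    findings = []
    for int_no in sorted(after):
        old, new = before.get(int_no), after[int_no]
        if old == new:
            continue
        seg, off = new
        blk = block_for_segment(chain, seg)
        if blk is None:
            code, why = "UNOWNED", "handler lies beyond the last MCB (memory hidden from DOS?)"
        elif blk.owner_psp == 0:
            code, why = "FREE", "handler lies in a block DOS considers free (resident without allocation)"
        elif blk.owner_psp == terminated_psp:
            code, why = "RESIDENT", "program kept its block: a TSR request"
        else:
            code, why = "OTHER", "handler lies in memory owned by PSP %04Xh" % blk.owner_psp
        findings.append((int_no, code, "INT %02Xh -> %04X:%04X, %s" % (int_no, seg, off, why)))
    return findings


def run_scenario(changed_vectors, program_owner):
    after = dict(IVT_BEFORE)
    after.update(changed_vectors)
    return audit_vectors(IVT_BEFORE, after, make_chain(program_owner), PSP)


# Four constructed outcomes of running one program:
SCENARIOS = {
    "clean exit":       ({}, 0),
    "honest TSR":       ({0x21: (PSP, 0x0105), 0x1C: (PSP, 0x0210)}, PSP),
    "hook, no alloc":   ({0x21: (PSP + 0x10, 0x0000)}, 0),
    "hook above chain": ({0x13: (0x9FF0, 0x0000)}, 0),
}

if __name__ == "__main__":
    for name, (changes, owner) in SCENARIOS.items():
        print(name)
        for _, code, detail in run_scenario(changes, owner) or [(None, "OK", "no vector changed")]:
            print("   ", code, detail)
```

A plain vector diff is the weak half of this check: a virus can leave every vector alone and patch the body of the DOS INT 21h handler in place, and an honest TSR that keeps its own block looks exactly like a virus that goes resident the documented way. That is why the text says VSafe looks at more than the vector table, and why a RESIDENT finding still deserves a prompt rather than silence.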
------------------------------
Date: Thu, 03 Jun 93 20:53:52 +0000
From: bontchev@rzsun2.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Corrections (CPAV) (PC)
A. Padgett Peterson (padgett@tccslr.dnet.mmc.com) writes:
> >>According to Padgett, the updates can be used to upgrade also the
> >>MS-DOS version of MSAV - the scanner that comes with MS-DOS 6.0.
> Not quite, the signature update for the DOS portion appears identical
> (according to FC). The .DLLs (Windows portion) are the same exact size but
> are different - probably just logos/messages but haven't checked further.
Well, didn't I say the same - they can be used for the MS-DOS version
of the product. Oh, I see, I didn't emphasize that they cannot be used
to update the MS-Windows version of it. But this was because I had no
information about that - the fact that the files are different, does
not mean (although it might) that they cannot be used to update it.
> >Nope. The disabler -is- needed - as Yisrael pointed out, MSAV needs to
> >turn VSAFE off before it begins to scan the disk. If you don't allow
> Exactly so though do not know why this should be necessary, all MSAV should
> be doing is reading the disk (or will VSAFE decide that MSAV is a virus 8*).
You are right, of course, it is not necessary at all. But MSAV does
need it. My guess is that because VSAFE also can scan files when they
are opened, MSAV disables it, in order to make sure that no duplicate
reports will occur (one from VSAFE and one from MSAV) when an infected
file is scanned.
> Why ? Though I am equally incompetent legally it would seem that CP might
> copyright their signatures (and this is questionable, they would have to
> prove originality of the strings), what you have is a program that accepts
> input. There are no legal restrictions to that input any more than Microsoft
> can limit sales of Wallpaper .BMPs or Lotus can limit 1-2-3 templates. What
> we are dealing with is a *format* not a program and insofar as I have been
> able to ascertain the courts have taken a consistently dim view on attempts
> to restrict these.
As I said, I just don't know. I've heard that some companies are suing
others just because of the "look alike" of the user interface of their
software, so I thought that "using the same data format" could also
provide a hook for the lawyers...
> SBO doesn't work for long.
Unfortunately, it often works in the negative way. That is, preventing
the good guys from doing some useful work, while at the same time
failing to prevent the bad guys from doing something nasty...
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
------------------------------
Date: Thu, 03 Jun 93 17:01:13 -0400
From: frisk@complex.is (Fridrik Skulason)
Subject: Re: Misidentification by F-Prot 2.08a (PC)
The subject line is a bit misleading, as F-PROT did NOT mis-identify
anything, as explained below.
>the machine would lock up, following booting. F-Prot 2.08a identified the
>virus as a _Screaming Fist_ variant while McAfee's Scan program said that
>it was a combination of a boot sector virus, [Genp], with the _Stickey_
>[ML2] virus infecting the .com and .exe files.
The "combination" part is wrong - it is SCAN that is misidentifying the virus,
seeing two viruses where you in fact have only one - probably the one which
is called Screaming_Fist.Nu-Way.
There are several different viruses in the Screaming Fist family:
CARO name                  F-PROT name                      SCAN 104 name
Screaming_Fist.I           Screaming Fist (I)               Scream
Screaming_Fist.II.838      Screaming Fist (II-A)            Scr-2
Screaming_Fist.II.696      Screaming Fist (II-B)            Scream2
Screaming_Fist.II.692      Screaming Fist (II-C)            Scream2
Screaming_Fist.II.732      Screaming Fist (II-D)            Scream2
Screaming_Fist.Nu-Way      New or modified variant of...    Sticky
Screaming_Fist.Stranger    Screaming Fist (Stranger)        Scream2
>One other characteristic of the virus was that it wasn't terribly bright,
>in that one of the .com files that it infected was a DCL .COM file downloaded
>from my VAX. (for the vaxophobic, it's an ascii text file, similar to a .bat).
>I was able to disinfect the [Genp] with complete success using Clean, and
>[ML2] with partial success. Files that were for protected mode applications
>tended to be unrecoverable. F-prot was unable to do either.
Well, unfortunately you happened to get infected with the only variant of
Screaming Fist that F-PROT does not identify accurately, and therefore does
not attempt to disinfect. I will update the next version so it does handle
this particular variant.
- -frisk
- --
Fridrik Skulason Frisk Software International phone: +354-1-694749
Author of F-PROT E-mail: frisk@complex.is fax: +354-1-28801
------------------------------
Date: Thu, 03 Jun 93 21:00:24 +0000
From: bontchev@rzsun2.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: The Anti-Viral Software of MS-DOS 6 (PC)
Y. Radai (RADAI@vms.huji.ac.il) writes:
> The experimental facts which I have found are this: Without VSafe
> loaded in memory either currently or since booting, I run first MSAV,
> then F-PROT. F-PROT outputs the message "The Telecom virus search
> pattern has been found in memory." Now how can VSAFE be the problem
> when *it isn't even loaded in memory*???
Then the problem is also in MSAV, which doesn't bother to clean up
after itself. And partly in F-Prot for not using a more intelligent
approach to check the memory.
> It is also clear that
> F-PROT is giving a false positive.
A ghost positive, more exactly.
> The only question is: Which scan-
> ner is at fault: MSAV or F-PROT?
I would suggest - both. Unless if by chance MSAV does not leave the
signature of the virus at a place where the real virus could have put
it - in which case F-Prot does not have any guilt whatsoever. But I
find this extremely unlikely.
> If instead of running F-PROT (after
> MSAV) I run SCAN, FINDVIRU, or UTSCAN, no message is output. Since
Oh, this could mean anything. For instance, the above programs might
be using a different scan string than MSAV.
> the other three scanners disagree with F-PROT, the most likely answer
> is that it is F-PROT which is at fault in this case.
Nope.
> Admittedly, the situation changes when VSAFE is loaded in extended
> memory (in this case F-PROT complains that the Stoned pattern has been
> found). This time it may sound as if VSAFE is guilty. But here
> again, the other three scanners say nothing. So I tend to think that
Again, the reason is that they are probably using a different scan
string.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
------------------------------
Date: Thu, 03 Jun 93 20:27:23 +0000
From: bontchev@rzsun2.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Misidentification by F-Prot 2.08a (PC)
System Manager, and VAX Gopher (farnold@wotan.duch.udel.edu) writes:
> the machine would lock up, following booting. F-Prot 2.08a identified the
> virus as a _Screaming Fist_ variant, while McAfee's Scan program said that
> it was a combination of a boot sector virus, [Genp], with the _Stickey_
> [ML2] virus infecting the .com and .exe files.
It's not a "misidentification in F-Prot". Here is what has happened.
Your computer is infected with one particular virus, the standard CARO
name of which is Screaming_Fist.Nu-Way. F-Prot 2.08a does not know
this virus, but correctly determines that it is a variant of the
Screaming_Fist family. (Actually, doesn't it say "New variant of" or
something similar?) McAfee's SCAN 104 calls this virus "Sticky [ML2]"
(not "Stickey"). I have no idea why they are using this name and they
don't group the viruses into families anyway. The important thing is
that both programs mean one and the same virus.
However, the problem is that the virus is multi-partite. It infects
both files and MBRs. Neither of the programs knows about that, but
SCAN has a pretty general "heuristic" scan string for simple boot
sector viruses. The presence of this string lets it detect the
infection in the MBR. Since the virus does not encrypt the original
MBR, the generic boot sector remover in Clean is able to remove the
MBR infection.
> I was able to disinfect the [Genp] with complete success using Clean, and
> [ML2] with partial success. Files that were for protected mode applications
> tended to be unrecoverable. F-prot was unable to do either.
The virus is unknown to F-Prot and F-Prot never tries to remove an
unknown virus. According to the documentation of Clean 104, it is not
able to disinfect the "Sticky [ML2]" virus. This explains why neither
of the programs has been able to correctly remove the file infections.
The boot sector infection has been removed by a different method
(which does not need to identify the virus).
> Being as we've relied on periodic scanning with F-Prot here at the
> university as the primary means of virus detection, how often does
> this happen (misidentification, or identifying two viruses as a
> third)?
Unlike SCAN, F-Prot very rarely makes a misidentification. If it tells
you that a particular virus belongs to a particular family, then you
can be pretty sure that it is indeed so. F-Prot does not distinguish
between some closely related variants, but only if they can be
disinfected using one and the same algorithm. Therefore, F-Prot will
almost never "disinfect the wrong variant" (and thus damage the file).
However, there are viruses which F-Prot cannot remove or even detect,
even though it is pretty good at both of these tasks.
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
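As an added example (not code from SCAN, CLEAN or F-PROT), this is the generic boot-sector removal described above reduced to its logic: the infected MBR keeps the partition table so the machine still boots, and an unencrypted copy of the original MBR is sitting somewhere else on cylinder 0, head 0. The remover looks for a sector on that track that carries a valid 55AAh signature, a plausible partition table identical to the current one and different code; if exactly one such sector exists it is written back over sector 1. The disk contents, the sector the copy is stored in and the "virus" bytes are constructed for the example and say nothing about where Screaming_Fist.Nu-Way keeps its copy.

```python
"""Generic MBR disinfection by locating the saved original (constructed disk data)."""

SECTOR = 512
SIG = b"\x55\xAA"


def partition_table(sec):
    return sec[446:510]


def looks_like_mbr(sec):
    """Structural test only: 55AAh signature and a plausible partition table."""
    if len(sec) != SECTOR or sec[510:] != SIG:
        return False
    used = active = 0
    for i in range(446, 510, 16):
        entry = sec[i:i + 16]
        if entry == bytes(16):
            continue
        if entry[0] not in (0x00, 0x80):   # boot indicator must be 00h or 80h
            return False
        used += 1
        active += entry[0] == 0x80
    return used >= 1 and active <= 1


def find_saved_mbr(track):
    """track[0] is the (infected) MBR, track[i] is sector i+1 of cylinder 0, head 0.
    Returns the 1-based numbers of every sector that could be the original."""
    mbr = track[0]
    if not looks_like_mbr(mbr):
        raise ValueError("sector 1 does not carry a valid MBR signature/partition table")
    hits = []
    for idx in range(1, len(track)):
        sec = track[idx]
        if (sec[:446] != mbr[:446]                              # different code ...
                and looks_like_mbr(sec)                         # ... that is itself a valid MBR ...
                and partition_table(sec) == partition_table(mbr)):  # ... with the same partition table
            hits.append(idx + 1)
    return hits


def generic_clean(track):
    """Restore the original MBR if exactly one candidate exists; otherwise refuse.
    Returns (repaired_track_or_None, candidate_sector_numbers)."""
    hits = find_saved_mbr(track)
    if len(hits) != 1:
        return None, hits
    fixed = list(track)
    fixed[0] = track[hits[0] - 1]
    return fixed, hits


# ---- constructed disk data -------------------------------------------------
PTABLE = (bytes([0x80, 0x01, 0x01, 0x00, 0x06, 0x0F, 0x3F, 0x9B,
                 0x3F, 0x00, 0x00, 0x00, 0x41, 0x13, 0x01, 0x00])   # one active FAT16 entry
          + bytes(48))                                              # three empty entries
ORIG_MBR = (bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(446, b"\x90")
            + PTABLE + SIG)                                         # stand-in for the DOS MBR code
INFECTED_MBR = (bytes([0xEA, 0x05, 0x00, 0xC0, 0x07]).ljust(446, b"\xCC")
                + PTABLE + SIG)   # constructed "virus" code; partition table left intact


def make_track(saved_at, encrypt=False, extra_copy_at=None):
    """17-sector cylinder 0, head 0; the virus stored the original MBR at sector saved_at."""
    track = [bytes(SECTOR) for _ in range(17)]
    track[0] = INFECTED_MBR
    saved = bytes(b ^ 0x5A for b in ORIG_MBR) if encrypt else ORIG_MBR
    track[saved_at - 1] = saved
    if extra_copy_at:
        track[extra_copy_at - 1] = ORIG_MBR   # e.g. a stale backup left by a partitioning tool
    return track


if __name__ == "__main__":
    for label, trk in [("plain copy", make_track(7)),
                       ("encrypted copy", make_track(7, encrypt=True)),
                       ("two copies", make_track(7, extra_copy_at=10))]:
        fixed, hits = generic_clean(trk)
        print("%-15s candidates=%s restored=%s" % (label, hits, fixed is not None and fixed[0] == ORIG_MBR))
```

The two refusals are the important part. An encrypted copy produces no candidate, which is exactly why the post notes that the original MBR was stored unencrypted; a second matching copy produces two candidates, and writing either one blindly could put stale code back. A real tool also saves the infected sector before overwriting it, so a wrong guess can be undone.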
------------------------------
Date: Fri, 04 Jun 93 02:08:45 +0000
From: hui@apaturia.trl.OZ.AU (Alvaro Hui)
Subject: Virus?? filename 'n' and content 'U---ntion' (PC)
Hi,
I was browsing my hard disk this morning and found that there is more
than one file named 'n' with similar content:
"U---------*ntion*". The "-" could be very long and the "ntion" could
repeat.....
I used scanv104 and found no suspicious files on my drives.
Any help??
Alvaro,
a.hui@trl.oz.au
- ------------------------------------------------------------------
Alvaro HUI
a.hui@trl.oz.au
Synchronous Network Research
TeleCom Research Laboratories Australia.
==================================================================
2M->VC12->TU12->TUG2->TUG3->VC4->STM-1(AU-4);
140M->VC4->STM-1(AU-4)
==================================================================
------------------------------
Date: Thu, 03 Jun 93 21:30:36 +0000
From: bontchev@rzsun2.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: New anti-virus package available via ftp (PC)
Hello, everybody!
I just made available on our anonymous ftp site the anti-virus package
AVP of the Russian anti-virus expert Eugene Kaspersky. The full
reference is
ftp.informatik.uni-hamburg.de:/pub/virus/progs/avp.zip
I obtained it directly from the author. The moderators of the major
IBM-PC anti-virus archive sites are encouraged to download the archive
and make it available on their sites. Beware - the archive is about
1.2 Mb. The package is shareware; registration fee is $20.
Some preliminary analysis of the package.
It is an integrated system, providing off-line scanning, integrity
checking, monitoring, and some expert utilities (memory browsing,
interrupt tracing, etc.). It doesn't provide resident scanning (or at
least I couldn't figure out how to use it).
The off-line scanner is pretty good - its hit rate on our collection
of viruses is 95% (SCAN 104 - 92%, F-Prot - 98%). It uses somewhat
unusual names for the viruses - they don't conform with any of the
currently used schemes, but in general it is possible to figure out
which virus is discovered. The name of the reported virus almost
always includes its infective length. The scanner does a "nearly
exact" identification - even of the encrypted and polymorphic viruses.
By "nearly exact" I mean that the viruses are decrypted and the first
part of their decrypted body is checksummed (not the whole decrypted
body). Unfortunately, the scanner does not detect the MtE-based
viruses reliably. It also does not detect at all the TPE-based viruses
and some other polymorphic viruses. In particular, it does not detect
Tremor at all.
The integrity checking system seems relatively weak and easy to attack
by the usual methods.
The monitoring part is very good, but as with all monitoring programs,
it is possible to bypass it, if you try really hard.
The memory browsing utilities are excellent and any hacker will
appreciate them. They allow any part of the conventional memory to be
disassembled, viewed as hex and/or text, modified, searched, and so
on. The memory resident programs can be listed, the interrupts too, it
is possible even to trace an interrupt and see the disassembly of the
instruction flow of the programs that have hooked this interrupt.
Those tools are invaluable to the anti-virus researcher when s/he
wants to examine a possibly active virus in memory.
The program comes with an excellent help system, which describes each
of the viruses recognized by the program. The descriptions tend to be
a bit terse and technical but are mostly exact. One drawback - they
tend to abuse the phrase "very dangerous virus". Almost every virus is
classified as such.
A really nice touch is that for many viruses there is a demo of the
sound and/or video effects caused by the virus. The actual code from
the virus body is used for that purpose, so some demos might not work
on all types of display (but the respective viruses won't be able to
show their effects either).
The archive contains also the "professional" version of the scanner.
The main difference with the "plain" version (which is also present)
is that the user is allowed to enter new virus descriptions. The virus
descriptions use a powerful database-like language, which is able to
describe how to detect and even remove several types of sophisticated
viruses - even of polymorphic ones. In the worst case, the user is
able even to link a function of his own (in C) that performs the
detection and removal. This program can have access to the utility
routines used by the scanner, so it does not have to "reinvent the
wheel".
A major drawback of the product is its documentation. The description
of the way to enter new virus definitions is very terse and is useful
only to the professional who has considerable experience in
programming in C and dealing with viruses. On the whole, the English
language of the documentation is far from perfect (and I am trying to
be polite, knowing that my own English is "far from perfect") and
certainly could use the help of a native English speaker.
As a conclusion, it's a good, professional package, it is useful, but
it also needs a lot of work and improvements.
Regards,
Vesselin
P.S. Please, send all questions about the package to the author; he is
available by e-mail. His e-mail address can be found in the package.
P.P.S. I am using the opportunity to transfer a request from the
author. If there are any VirNet users who also have access to
anonymous ftp, please download the package from our site and transfer
it to VirNet. I don't have access to VirNet myself, so I am not able
to do it. Thanks.
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.2 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
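An added example, not from AVP or any other scanner on this page, of what "nearly exact" identification of an encrypted virus means in practice: the scanner matches the decryptor with a wildcard scan string, pulls the key and the body length out of it, decrypts the body, and checksums only the first PREFIX bytes of the decrypted body, with a whole-body checksum kept as the "exact" tier. The decryptor stub, the two virus bodies, the names Demo.A and Demo.B and the host bytes are all constructed for the illustration and are not taken from any real virus.

```python
"""Decrypt-then-checksum identification of an encrypted virus (constructed samples)."""
import zlib

# Constructed decryptor stub the scanner searches for (8086-like, not any
# real virus).  None marks a wildcard byte that varies per sample: the XOR
# key and the 16-bit body length.  The encrypted body follows the stub.
#   B0 kk        mov  al, kk         ; key
#   B9 ll hh     mov  cx, len        ; body length
#   BE 0D 00     mov  si, 000Dh      ; body starts after the 13-byte stub
#   30 04        xor  [si], al
#   46           inc  si
#   E2 FB        loop xor
STUB = [0xB0, None, 0xB9, None, None, 0xBE, 0x0D, 0x00, 0x30, 0x04, 0x46, 0xE2, 0xFB]
KEY_AT, LEN_AT, BODY_AT = 1, 3, len(STUB)
PREFIX = 32   # "nearly exact": only this many decrypted bytes are checksummed

# Constructed reference bodies of two variants, and the scanner's database.
BODY_A = bytes((i * 7 + 3) & 0xFF for i in range(64))
BODY_B = bytes((i * 11 + 5) & 0xFF for i in range(72))
DB = {zlib.crc32(BODY_A[:PREFIX]): "Demo.A", zlib.crc32(BODY_B[:PREFIX]): "Demo.B"}
FULL = {"Demo.A": zlib.crc32(BODY_A), "Demo.B": zlib.crc32(BODY_B)}


def find_stub(data):
    """Wildcard scan-string match; returns the offset of the first stub or None."""
    for off in range(len(data) - len(STUB) + 1):
        if all(t is None or data[off + i] == t for i, t in enumerate(STUB)):
            return off
    return None


def decrypt_body(data, off):
    """Read key and length out of the stub at off and undo its XOR loop."""
    key = data[off + KEY_AT]
    length = data[off + LEN_AT] | data[off + LEN_AT + 1] << 8
    body = data[off + BODY_AT:off + BODY_AT + length]
    if len(body) != length:          # truncated sample: the decryptor would run off the end
        return None
    return bytes(b ^ key for b in body)


def identify(data):
    """Return (name, exact) for an encrypted sample, or None when no stub is found.
    name comes from the PREFIX-byte checksum; exact tells whether the whole
    decrypted body also matches the reference body."""
    off = find_stub(data)
    if off is None:
        return None
    plain = decrypt_body(data, off)
    if plain is None:
        return None
    name = DB.get(zlib.crc32(plain[:PREFIX]))
    if name is None:
        return ("unknown encrypted code", False)
    return (name, zlib.crc32(plain) == FULL[name])


def make_sample(body, key, host=b"\xB8\x00\x4C\xCD\x21"):
    """Constructed infected file: host bytes, stub carrying this key/length, body XOR key."""
    stub = bytearray(0 if t is None else t for t in STUB)
    stub[KEY_AT] = key
    stub[LEN_AT], stub[LEN_AT + 1] = len(body) & 0xFF, len(body) >> 8
    return host + bytes(stub) + bytes(b ^ key for b in body)


SAMPLES = {
    "A, key 5Ah":      make_sample(BODY_A, 0x5A),
    "A, key C3h":      make_sample(BODY_A, 0xC3),                  # same virus, new key
    "A, tail patched": make_sample(BODY_A[:40] + b"\x90" * 24, 0x77),
    "B, key 11h":      make_sample(BODY_B, 0x11),
    "unknown body":    make_sample(bytes(i & 0xFF for i in range(50)), 0x2F),
    "clean file":      b"\xB8\x00\x4C\xCD\x21" * 8,
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print("%-16s %s" % (label, identify(data)))
```

The third sample shows the trade-off behind "nearly exact": a copy whose tail has been patched still decrypts to the same first 32 bytes, so the prefix checksum names it Demo.A while the whole-body checksum rejects it. That keeps the scanner working on samples that differ only after the prefix, but a disinfector that trusts the prefix match alone may apply Demo.A's removal recipe to something that is not quite Demo.A; checking the full checksum before repairing is the safer default.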
------------------------------
End of VIRUS-L Digest [Volume 6 Issue 91]
*****************************************