NuKE Issue 08-016
-----BEGIN PGP SIGNED MESSAGE-----
NuKE_NuKE_NuKe_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_N
uK                                               Nu
KE               "NuKE World News"               uK
E_          "Virus Related News Stories"         KE
_N                       by                      E_
Nu                  Firecracker                  _N
uK                                               Nu
KE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuK
NuKE Info-Journal #8
April 1994
________________________________________________________________________________
August 9, 1993
Should electronic bulletin boards -- either legitimate or underground -- be
allowed to post and disseminate virus source code?
That question is generating heated debate, from the halls of Congress to the
deepest recesses of the hacker underground. It was touched off in May when an
anonymous message was posted on the Risks Digest, an electronic BBS in the
Silicon Valley.
The author was upset that the U.S. Department of the Treasury's Bureau of
Public Debt Automated Information System (AIS) BBS, which carries
security-related information and is available to the general public, was posting
a broad range of virus source code. The writer also complained about Kim Clancy,
manager of AIS Security and an AIS BBS sysop.
"I am extremely disturbed by the thought that my tax money is being used for
what I consider unethical, immoral, and possibly illegal activities," the
anonymous poster wrote.
Clancy is a highly respected security administrator who has amassed a wealth
of sources in both the legitimate security community and the hacker underground.
As a result of her hacker contacts, groups like Phalcon/Skism have shared the
tricks of their trade and even helped to disinfect the AIS BBS when it was
invaded by a virus.
CEASE AND DESIST. After the anonymous message sparked an anti-virus protest,
Clancy's superiors directed her to remove all hacker files from the AIS BBS.
These included virus source code and information on how to break into computers,
networks, and PBXes. However, Clancy was not subjected to any disciplinary
action.
"I was targeted by a self-elitist international group," Clancy said. "The
only thing they're hurting is the legitimate community of security
professionals."
BIG NEWS. The debate became very public when The Washington Post ran a
front-page article on June 19, 1993.
Rep. Ed Markey, chairman of the House Subcommittee on Telecommunications and
Finance, then wrote to Lloyd Bentsen, secretary of the Department of the
Treasury, asking for "the rationale behind making such potentially harmful
information generally available."
Vesselin Vladimirov Bontchev, who heads the Virus Test Center of the
University of Hamburg, Germany, threw in his two cents: "I am Bulgarian, and my
country is known as the home of many productive virus writers," Bontchev said.
"But at least our government has never officially distributed viruses."
As the debate raged on, everyone chose a side. Clancy and her supporters
believe that the public's right to know far outweighs the "slim" chance that
virus source code posted on a legitimate BBS will end up in the wrong hands. The
opposition is just as righteous, taking the position that writing, posting, or
disseminating any type of hacker files or virus source code should be outlawed.
OLDIES, BUT GOODIES. Experts say there are well over 2,000 viruses in existence
today. However, 90 percent of the damage is caused by the same five to 10
viruses. "Oldies," such as Jerusalem B and the Stoned virus, are still primary
sources of infection.
A recent four-month online survey by the Computer Security BBS found that 64
percent of the respondents had experienced a computer virus attack in the past
12 months. Half of the infections were classified as minimal, but not everyone
escaped unscathed.
Six percent of the virus victims reported losses of more than $100,000 and
said it took them more than three days to recover.
While the number of viruses has increased, the technology behind viruses has
advanced very little.
"Most of today's viruses are variations on the handful of originals or can
be traced to a virus-generation toolkit," said GarbageHeap (GHeap), a member of
the Phalcon/Skism group of virus writers and hackers that runs the 40Hex
underground virus BBS.
According to GHeap, most of today's network administrators have effective
anti-virus procedures in place.
"In the early days of viruses -- in the late 1980s and up until 1991 -- it
took network administrators a while to detect them and then disinfect their
networks," he said. "Nowadays, there's an anti-virus package out for almost
every virus you can think of."
PUBLIC SERVICE. As Clancy sees it, she was only performing a public service.
"If BBSes like the Computer Security BBS and the AIS didn't post virus
source code or hacking programs, then only malicious hackers would have access
to them," she said. "The legitimate security professionals would be left out in
the cold."
Clancy and other security BBS sysops contend that high-level hackers don't
need to access legitimate BBSes, since virus source code and hacking tools are
readily available in the hacker underground.
"Some types of information may pose a risk if abused," said Jim Thomas, a
sociology professor at DeKalb Northern Illinois University who, along with
Gordon Meyers, runs the Computer Underground Digest, a BBS. "But in an open
democracy, the potential for abuse has been neither a necessary nor a
sufficient justification to silence those with whom we disagree."
(LAN Times, August 9, 1993, page 104)
Bill Strouse, president of Stoney River Networks, a Novell gold reseller in
Sunnyvale, Calif., agrees -- so strongly that he is taking up where Clancy and
the AIS BBS were forced to leave off.
"We are going to move all of the virus-commented source-code files, such as
40Hex, onto the Ring of Fire BBS," Strouse said. "The anti-virus community can
pick on me all they want, but they can't censor me. I'm not doing anything
illegal, and I'm not government-owned and sponsored."
Strouse, who heads up the Silicon Valley chapter of NetWare Users
International (NUI), runs the Ring of Fire BBS, which is devoted to NetWare and
legal issues.
"The real irony behind all this hype about the AIS BBS was that the virus
code Clancy posted couldn't have been downloaded and used to infect networks,"
Strouse said. "She had removed the replication portion of the source code."
Unlike the AIS BBS, Ring Of Fire is not wide-open to the public. Members of
any NUI branch get unlimited free access; nonmembers pay $25 per year for up to
90 minutes of access per day and unlimited downloads.
To get into the Computer Security area of Ring of Fire, would-be users have
to specifically request access and have their identities, affiliations, and
telephone numbers verified by Strouse. Additionally, first-time callers get
access to only three public file areas and are limited to 20 minutes.
"We have no intention of putting a loaded gun into the hands of an
unsuspecting user," Strouse said. "What we're doing is giving people the
diagrams and blueprints of virus code and hacker files so they have the
necessary tools and information to secure their networks."
The Ring of Fire BBS number is (408) 739-8753; the ComSec BBS number is
(415) 495-4642.
________________________________________________________________________________
December 21, 1993
The number of reports of computer viruses increased again in November,
hitting a total of 92 cases, including three viruses reported for the first time
in Japan.
The figure was 54 greater than that for last November, and the total for the
January-November period was up by 550 cases from last year's 229, to a total of
779.
According to a report released Dec. 20 by the Information-Technology
Promotion Agency (IPA), the number of different viruses reported in November was
19. Three of the viruses were reported for the first time in Japan.
The most common infection routes were through floppy discs brought from
overseas, accounting for 45 percent of the cases. However, in about 46 percent
of the cases, the infection routes could not be determined.
It is also important to properly secure hardware as well as floppy discs, the
IPA warned.
The number of computer virus damage reports peaked in August and September
at 120 cases. Although virus reports declined to 81 in October, they increased
again in November.
The IPA has received 1,103 reports of computer virus damage since April
1990, when the reporting system was established by the International Trade and
Industry Ministry.
________________________________________________________________________________
December 20, 1993
The Office of Thrift Supervision has sent out warnings to its member
institutions not to have unprotected data exchange with strangers -- one in
particular.
The OTS was advised by the FBI that banks and thrifts in Pennsylvania, New
Jersey, Maryland, and Kentucky have recently received computer disks in the mail
from a person identifying himself as Master Fard Muhammed.
When the institutions loaded the disks into their computers a powerful
computer virus infected all the systems connected to that local area computer
network.
The virus, which authorities described as "not easily detectable by normal
screening programs," caused an unspecified amount of data on the institution's
computers to become unreadable.
"Should any department in your institution receive one of these packages in
the mail, we recommend that the diskette not be inserted in any personal
computer and that the FBI be notified," John Robinson, OTS regional director
advised members.
Authorities say they have no idea what the motive for the prank may be, but in the
past couple of years both Federal and state authorities have passed strict laws
against what some term high-tech terrorism.
________________________________________________________________________________
December 16, 1993, Thursday, FINAL EDITION
While businesses and executives are increasingly dependent on computers,
computer criminals have become increasingly more sophisticated.
Viruses, computer hackers, stolen equipment, tampering with data, illegal
data transfer and desktop forgery are just a few of the computer-related crimes
that have emerged in the high-tech age, said Wendi Harvey of the Council of
Better Business Bureaus, based in Arlington, Va.
While computer theft has grown, so have non-property related crimes such as
designing software "viruses" that crash systems and the illegal use of data
bases by computer hackers. Other common crimes involve employees or repair
technicians tampering with data and theft by data transfer and desktop forgery.
Computer theft and fraud might seem like problems that apply only to
businesses, but many of those businesses pass the costs on to consumers as
higher prices for their goods and services. So many firms now have policies and
security programs to protect their computer systems.
International Business Machines Corp.'s research and development laboratory
in Boca Raton, Fla., has installed anti-virus computer software and it
periodically checks them for viruses, said Alan Macher, IBM spokesman.
In November of 1989, two employees at IBM in Boca Raton stole computer parts
worth $1.8 million, one of the biggest thefts in the company's history. They
were arrested when they tried to sell the stolen chips in Florida.
Boca Research Inc., a computer modem manufacturer in Boca Raton, has had
problems with the computer virus Michelangelo.
A computer virus lies dormant until something triggers it, such as a date
on the computer clock. Then the virus can wipe out all the computer's data.
Michelangelo was activated on the artist's birthdate, March 6, in 1992.
Gail Blackburn, Boca Research's company spokeswoman, said she lost all her
data when the virus invaded her computer. Since then, the company has installed
anti-virus software, said Larry Steffann, vice-president of planning and
development.
The company also does not permit employees to bring their own software to
work. A lot of viruses are spread through personal software that employees
install on their business machines.
________________________________________________________________________________
December 15, 1993
IBM (Yorktown Heights, N.Y.) said last week it is now shipping an enhanced
version of its IBM AntiVirus products, including protection for Novell NetWare
LAN servers.
IBM AntiVirus version 1.04 provides comprehensive "install-and-forget"
automatic protection against computer virus attacks in DOS, Windows, OS/2 and
Novell NetWare computing environments.
IBM AntiVirus for NetWare uses the same state-of-the-art detection technology
used throughout IBM AntiVirus products. It detects well over 2,000 known
viruses as well as many viruses that have yet to be written, while virtually
eliminating the false alarms that plague many other anti-virus products.
Real-time scanning enables the LAN server to protect itself immediately if a
virus on a client PC is found trying to infect the LAN server. LAN
administrators also can scan selected volumes on demand, or schedule a scan for
particular times on selected days. If a virus is found, customized messages can
be sent to the affected user and administrators, and any infected files can be
locked to prevent the infection from spreading. IBM AntiVirus for NetWare is
designed to have minimal impact on LAN server performance. Its automatic
priority adjustment keeps the additional load to less than four percent for
typical servers. Single copies of IBM AntiVirus for DOS, Windows and OS/2
systems are available for $29.95 by calling (800) 551-3579.
Copyright 1993 DataTrends Publications, Inc.
________________________________________________________________________________
December 13, 1993, Monday
THERE have been 9,181 computer "disasters" in Britain over the past three
years, according to the Survive! club of computer managers specialising in
disaster recovery. A disaster is defined as inability to use a computer causing
at least £10,000 of corporate damage, but excluding fraud. The largest
individual case was the spectacular public fiasco of the Stock Exchange's Taurus
system, which was aborted after years of fruitless work. That caused a loss of
up to £400m, according to Survive! calculations. The biggest category of loss
was theft, accounting for 37pc of cases. The stealing of desk-top computers is
"reaching epidemic proportions". Almost 21pc of the cases were caused by
viruses, though other recent reports have said most of these attacks were
relatively benign and did not cause major damage. But Survive! reckons there is
each year a 6pc chance of an organisation catching a computer virus, with the
recovery costing between £10,000 and £250,000. The Institution of Analysts &
Programmers reckons the virus danger is grossly exaggerated but half its members
have at some stage encountered one. Most of the damage was done by just nine
viruses, the commonest being one called Form. According to Survive! malicious
damage accounted for nearly 9pc of the disasters it found. Many of these were in
the form of "time bombs" -- hidden program routines that cause damage to data at a
pre-set time -- and there are over 100 prosecutions pending. But there were also
some terrorist bombs. After that, in descending order, came hardware faults,
hacking, environment (power problems, air conditioning failure), software
(Taurus comes into this category), and communications. Human error, negligence,
natural disasters, water damage from cracked pipes and the like, and fire caused
under 4 1/2pc of the instances between them. Statistics are notoriously
mendacious but soon it will be possible to compare these figures with ones
produced by the government. A national survey of 10,000 companies aims to
identify the extent of computer security breaches over the past two years and
the effect on business. Its findings are expected in early 1994. The survey will
also invite organisations which have been hit to tell the rest of the world. A
similar survey of computer security in 1991 found more than half of businesses
had suffered from security problems, at a cost of £1.1 billion a year.
THE Data
Protection Registrar has explained his view of the meaning of particular phrases
used in enforcement notices, in particular about "residence", "family
membership" and "name matching". The rules do not allow the extraction of
personal information simply by reference to current or previous address. They
also prevent the inclusion of information about any other individual who lives
or has lived at the same address as the subject of the search.
________________________________________________________________________________
February 1, 1994
CAN a computer virus change its spots? Yes, say computer security experts.
Specialists have warned that a new breed of sophisticated computer virus
that changes itself into multiple versions is becoming more common and that it
can outwit some anti-virus software.
Known as polymorphic viruses, they are designed to hide from popular
anti-virus programs by changing themselves slightly each time they replicate.
Businesses relying on older versions of anti-virus scanning software risk
leaving their PCs open to infection from polymorphic viruses.
These can produce as many as 2.3 trillion versions of themselves, making
them impossible to detect without the help of a new generation of anti-virus
software.
"There is no question about it, polymorphic viruses are definitely the wave
of the future," said Phil Talsky, product manager at leading US anti-virus
software developer McAfee Associates.
Mr Talsky added that the most common polymorphic virus is the Satan Bug.
"It recently entered our top 10 list of most often reported viruses, at
number nine," he said.
David Stang, head of US-based Norman Data Defence Systems and founder of
the International Computer Security Association, agreed that the Satan Bug posed
a security challenge.
He said: "We are hearing more reports daily of Satan Bug infections and it
is a major problem for some organisations."
The Satan Bug has turned up at some US Government agencies. These include
the Social Security Administration and the Army Corps of Engineers. There have
also been reports that it had been detected in Europe, and that Tremors, another
virus, is affecting PC users in Germany.
However, they should not panic, Mr Stang said.
"Becoming infected by any kind of virus is rare and coming across the Satan
Bug is even rarer," he said.
The Satan Bug is not designed to erase data, but it interferes with users
trying to connect to a local area network and will change file dates.
It replicates quickly and can travel across a local area network to infect
other users.
Computer virus experts at IBM said polymorphic viruses should not trouble
most users.
"If users take proper precautions, polymorphic viruses are easy to deal
with," said Steve White, manager of the high integrity computing laboratory at
the IBM Thomas J. Watson Research Centre.
"We have not found a very high infection rate among users by the Satan Bug
and the whole issue of polymorphic viruses has received more attention than it
deserves," he said.
Mr White and his colleagues at IBM have completed several detailed studies
of how computer virus infections propagate. They were the first to label the
Michelangelo virus scare two years ago as over-blown.
He pointed out that PC users faced about the same chance of a virus
infection as they did of a hard disc failure, so proper back-up procedures
should be routine.
To eliminate a virus, users must detect and often erase infected files and
then reinstall them from an uninfected backup disk.
This can take several hours for each PC infected. The US Army Corps of
Engineers estimates that it lost more than $12,000 per hour in trying to
exorcise the Satan Bug.
McAfee's latest version of its ViruScan software can detect Satan Bug, but
users must delete all infected files.
While Mr Stang said he developed an anti-virus program that could detect and
erase the Satan Bug without requiring users to reinstall infected files, Mr
Talsky said polymorphic viruses were more difficult to detect since they used
encryption to hide from scanning software.
Researchers at IBM are working on an automatic system to detect and analyse
new polymorphic viruses.
While computer virus experts concede that polymorphic viruses are written
by talented programmers, the developer of the Satan Bug is believed to be a
16-year-old computer enthusiast who uses the pseudonym Hacker Life. There is no US
law prohibiting the writing of a virus program.
Advancing computer technology could help solve this growing problem.
Western Digital, a US company making hard discs, has developed a chip, the
Immuniser, designed to monitor system activity and to block any suspicious
writing to the hard disc. The chip works only with certain newer PCs.
Mr Talsky warned that more polymorphic viruses were on the way.
While the risk from a PC virus infection is small, there are important
safeguards all PC users should adopt. These include using the latest anti-virus
software.
"We produce new versions of ViruScan every six weeks," said Talsky.
"But there are a lot of people using older versions and they will not get
the full protection."
Any anti-virus software version written before August 1993 is unlikely to
offer protection against polymorphic viruses. Users should update their
software.
Mr Stang recommended that users with many PCs should decide on a computer
security strategy.
"Some users apply the same security to all their systems. The problem with
this approach is that some systems should be better protected while others may
not need quite so much protection," he said.
________________________________________________________________________________
November 28, 1993, Sunday, Final Edition
A new virus called "Satanbug" is reported to be spreading rapidly in the
United States. The international virus watchdog publication, "Virus Bulletin,"
of Abingdon, England, said Satanbug is just one of several new viruses infecting
the nation's computers.
Virus Bulletin said that it is costly for a number of U.S. companies,
including Rockwell International, which recently revealed that it spent more
than $44,000 to recover from an infection in April. The company told the
publication that the incident was just one of more than 1,000 virus attacks it
has dealt with since 1988.
Virus Bulletin said tests conducted at its offices in England indicate that
companies such as Rockwell and even individuals are not as well armed against
virus attacks as first thought.
In what the publication called a "shock," it discovered in a test of six
leading anti-virus software products that all but one of the manufacturers are
not updating the memory-resident portion of their products. According to the
publication, despite the products' claims of being able to catch all known
viruses, many of the programs are allowing a large number of viruses to go
undetected.
Anti-virus software usually consists of multiple components, including a
scanner. The scanner typically runs each time a computer is turned on and scans
memory, DOS and program files on a hard drive looking for viruses that have
already infected a system. The program works to keep viruses from entering a
system in the first place by staying in the computer's memory, watching for
viruses trying to gain entrance.
Richard Ford, editor of Virus Bulletin, speculated as to why companies would
make claims for complete detection when portions of their programs actually did
not have the capability. "This difference may have been lost along the way
between the technical people and the marketing people at the company," he said.
"People might think twice if they knew."
According to Virus Bulletin tests, one company that claimed the industry's
high level of virus detection was able to detect only 78.8 percent of the
viruses tested against it.
The publication said two programs that showed good marks in the test were RG
Software's Vi-Spy, which had a perfect score, and Dr. Solomon's Toolkit and
Guard, which missed just a few.
Ford said the disparity between the products' claims and actual performance
is causing anger among users.
"We transmit and receive electronic data to and from our clients every day,"
said David Merrill, vice president of a Manhattan executive search firm. "If I
can't rely on my program to keep viruses out, I run the risk of infecting a
dozen or so clients before my scanner tells me I have a problem the next day.
I'm supposed to feel good about that type of protection? Who's writing
anti-virus software -- Beavis and Butt-head?"
Charlie Atterbury, coordinator of micro computer security at a major company
that operates 35,000 PCs, said: "I'm disappointed in some of the software
vendors. They're taking the easy way out so they can use the marketing hype that
'my virus program takes less memory than the other guy's,' and the real reason
is that they are not doing the job. I have to wonder what they are thinking."
Phil Talsky, a spokesman for McAfee Associates, apparently does not share the
same concerns as the users, according to Virus Bulletin. He said the disparity
is "not a problem" as long as users always run their scanner. He felt the
publication's revelations are a "non-event."
Ray Glath, president of RG Software, Scottsdale, Ariz., developer of Vi-Spy,
said, "Others have left holes because they can't pack as much virus detection in
their TSR as they have in their scanner without bumping up against DOS' 640k
memory barrier."
He said that forces some developers to make arbitrary decisions regarding
which virus to leave their customers unprotected against. He added, "You hear of
many situations where companies keep getting reinfected after they think they've
cleaned up from a virus attack."
Virus Bulletin has been recognized as the foremost international publication
on computer virus protection, detection and removal since 1989.
________________________________________________________________________________
January 28, 1994, Friday, BC cycle
With its acquisition of Brightworks Development, McAfee Associates Inc
embarks on a new era that will launch it into the emerging market for network
software and continue its strong earnings growth.
"We are entering a second stage of development," chief executive William
Larson told Reuters. "The acquisition would provide double-digit increases in
revenue. But our intent is to grow the top line and the bottom line."
Tuesday, the company reported a 31 percent revenue increase and a 15 percent
net income rise, 1993 over 1992.
Since 1986, Brightworks has developed and sold network management software,
making it a prime conduit through which to sell McAfee's anti-virus programs to
network managers.
McAfee owns about 67 percent of the anti-virus market, versus 14 percent for
its major competitor, the Peter Norton division of Symantec Corp <SYMC.O>,
Larson said.
Larson attributes McAfee's success to selling directly to large corporate
customers like Ford Motor Co <F.N> and to government agencies, via electronic
distribution.
Norton targets retail customers through traditional computer reseller
channels, Larson said.
Larson said Norton is also targeting the area of network management in which
to expand.
"Battle lines (for the market) are just now being drawn," Larson said. He
added that, of the roughly 100 million personal computers worldwide, 30 million
are linked to local area networks and only four percent of those utilize network
management tools. International Data Corp forecasts that will grow to 14 percent
by the end of 1994, according to Larson.
"Brightworks has one of the biggest shares of the (network tools) market, an
award winning product list and a robust direct tele-sales operation," Larson
said.
Among its products, Brightworks sells SiteMeter, software that monitors the
number of times a software package is utilized on a network, and Network Remote,
a diagnostics tool.
To manage its entry, McAfee has hired Bob Chappelear, who
ran the Peter Norton division of Symantec, Larson said.
McAfee also is bringing on board Brightworks head Greg
Gianforte and few, if any, staff cuts will take place.
"The prime assets of the company are with the people,"
Larson said. Although he declined to price the deal, payment
will be all cash -- no stock sales or new loans.
"We have $28 million in cash and all the money is coming from (that),"
Larson said.
Larson said McAfee has money to look for other companies.
"We don't want to get too far ahead, but we certainly have the financial
resources to continue to pursue (other acquisitions)," he said.
But company management is intent on not losing focus on its core business of
selling anti-virus software for single-user computers. Virus complexity is
ever increasing and the number of viruses infecting computers doubles every
year, Larson said.
Larson said Brightworks, with its established telephone and direct sales
network, will help McAfee begin competing head-to-head with Peter Norton for
retail anti-virus business.
________________________________________________________________________________
January 30, 1994, Sunday, Final Edition
As many readers know, a computer virus is pure misery for the home user.
But it is even more devastating for a business. And the problem isn't going
away.
For example, computer viruses have been spreading on networks. This means
that every PC connected to an infected network is, in turn, in danger of being
infected.
But peace of mind is available, according to Cheyenne Software Inc. of Roslyn
Heights, a local area network software developer. The company has a product
called "InocuLAN" that it claims will protect an entire computer system from a
potentially devastating computer virus.
"Traditionally, password protection and a 'locked door' were enough to
prevent unauthorized access to data," said Andrew Boyland, director of computer
security products for Cheyenne Software. "But the most serious and potentially
damaging security threat to hit LANs in recent years has been the computer
virus."
He said a study commissioned by the National Computer Securities Association
and Dataquest in 1991 revealed that 63 percent of 600 companies responding had
had an encounter with a computer virus.
Boyland noted that the virus problem, in general, has been getting worse over
the past five years and said that the number of viruses "is roughly growing at
the rate of 2 1/2 per day." He said he expected the rate to continue but pointed
out that "there are new viruses that are constantly being written that are more
complex than the old ones."
Years ago, a computer virus traveled from one floppy disk to another,
making recovery time shorter and less expensive, according to Boyland.
He referred to InocuLAN as a "computer drug" that prevents a killer virus
from invading a business network system.
Once a virus damages a computer system, it can be costly and time consuming
to return it to a previrus environment, according to Boyland. But "InocuLAN
protects both your file server and DOS work stations against viruses," he said.
Boyland said that there are roughly 2,000 viruses "in the world out there"
and that about 100 of them are considered fairly prevalent. He said the
general description of a virus writer "is a 17-year-old in high school or
college. They begin tinkering with computers at generally a young age, and they
decide that this is kind of a neat way to fool everybody.
"The hacking community is a very powerful one," Boyland said. "They share
information with each other through what we call pirating bulletin boards, or
bulletin boards where they exchange virus codes, information on how to break
into the systems, weakness and insecurities in particular systems. Then they set
out to attempt a virus.
"Most of the viruses that we have seen have clearly been written by people
with lots of computer experience," Boyland said. "They move fast, they're hard
to detect, and they are cleverly written. The poor viruses, the ones that are
not well written, are the ones that we commonly see and hear about for a month
or two."
According to Boyland, a graduate of the State University at Binghamton and
the University of Copenhagen, a virus can spread with great speed. He said a
company in France recently had 4,000 PCs infected within three hours after a
virus entered the network.
Boyland said that situations like Michelangelo became bad virus incidents
because by accident "somebody shipped out copies of their software with copies
of the Michelangelo virus on it, so it was caused to spread that much faster."
He said users can call Cheyenne Software at (800) 243-9462 for information on
disaster recovery, network back-up and anti-virus or network monitoring.
Personal Computers welcomes your questions and programs as well as advance
notification of computer group meetings. Mail your correspondence to Lonnie
Hudkins, The Buffalo News, P.O. Box 100, Buffalo, N.Y. 14240.
________________________________________________________________________________
January 21, 1994
There were a total of 897 reported cases of damage to computers because of
viruses in 1993, an increase of 154 percent over the 253 confirmed cases in the
preceding year, the Information Technology Promotion Agency, Japan, (IPA)
reported Jan. 21.
The 1993 total represented 73 percent of the total number of cases confirmed
by the IPA from April 1990 to December 1993.
The sharp increase in 1993 was attributed to a rise in the number of viruses
and an increase in computer users' awareness of the computer virus reporting
system.
The IPA has been monitoring computer viruses in Japan since April 1990 under
the auspices of the International Trade and Industry Ministry.
As of the end of 1993, 71 different computer viruses had been reported,
including 66 that invade computers running MS-DOS, and five that infect
Macintosh computers.
Twenty-one new viruses were detected for the first time by the IPA in 1993.
Of the cases reported in 1993, 359 were reported by corporations, 246 by the
information industry, 238 by individuals, and 54 by schools and research
institutes.
The Kanto region had the most cases at 499, followed by Kinki at 128, Chubu
at 115, Tohoku and Kyushu at 41 each. There were 37 cases in Chugoku and 19 in
Hokkaido.
________________________________________________________________________________
January 3, 1994, Monday
COMPUTER experts have warned the public of a fresh computer virus threat
affecting compact discs used to store vast catalogues of data.
The discs, known as CD-Roms (compact disc read only memories), are an
increasingly popular format for those who need to carry or archive large amounts
of information.
One CD-Rom, resembling the more well-known shiny music platters, can replace
an entire encyclopaedia, or carry detailed graphical and textual information on
every painting in an art gallery's collection. Often the discs cost several
thousand pounds.
But the data on a CD-Rom is designed only to be read, not altered. So a
CD-Rom with a virus on it cannot be cleaned up in the same way as programs held
on floppy disk. Richard Ford, editor of Virus Bulletin, said yesterday: ''The
only use for an infected CD-Rom is as a frisbee.''
The problem is that a virus on a CD-Rom can spread to the computer system
that reads it. Transmission can occur via small functional programs, such as
routines that will speed up access to the information, included on the disc in
addition to the bulk data itself.
During December, virus specialists heard of four separate reports of
infected CD-Roms. They fear this is the start of a growing trend and are warning
computer users to scan new CD-Roms for viruses just as they would ordinary
software arriving on a floppy disk. Scanning will be a time-consuming process
since CD-Roms hold huge amounts of data in hundreds of compressed files.
Computer viruses can cause relatively mild effects, such as messages flashed
up on screen, or potential disasters if the rogue code disrupts or erases
valuable data. The cases reported last month occurred on discs carrying so-called
''shareware'', software that people try out before handing over a fee to its
author.
Among computer hobbyists, shareware is a popular way of testing new computer
programs. The difficulty is that shareware is often second-hand, copied and
collated from electronic message centres, called bulletin-boards, which are
renowned sources of virus infection. Mr Ford said: ''The larger reference discs
produced by reputable companies are fairly reliable but it doesn't really matter
where a CD-Rom comes from; it should always be checked.'' He added:
''Shareware discs are very risky indeed. I would advise people not to use these
CD-Roms on machines that hold critical data.''
The reported infections include two shareware collections. The first is
called Software Vault collection 2, published by the American Databank Corp,
which was infected with a virus activated every day between 9am and 10am. This
requires the user to enter the answer to a simple mathematical problem before
they can use their computer.
The second is called Night Owl 10, infected with a relatively harmless virus
called ''Lapse''. The manufacturers of both discs admit the infections and are
expected to withdraw the CD-Roms.
________________________________________________________________________________
December 27, 1993
In 1986, the Brain virus emerged from its creator in Pakistan and spread on
pirated copies of Lotus 1-2-3 and WordPerfect. Brain, the first full-fledged
computer virus, replaced the contents of a PC's disk-boot sector with virus
code and labeled three clusters as bad in the file allocation table.
As IS managers plan for a new year, there are more than 2,000 viruses
capable of dashing those plans by doing everything from erasing a hard disk to
altering their own signatures with each replication. As viruses evolve,
anti-virus software is also changing to keep its footing on this treacherous
landscape.
"We used to detect a virus by matching its signature against the actual
virus, matching its code. Now programmers are writing viruses so that every
time they infect a program, the virus changes its fingerprint so it can't be
found by conventional means," said Bob Janacek, technical director for security
products at Safetynet Inc., the Millburn, N.J., maker of Virus Net Pro. Virus
Net Pro and other packages now use heuristics and algorithms to treat these
polymorphic viruses.
Tremor, a polymorphic virus created with a mutation engine, can have more
than 2 billion iterations, said Phil Talsky, product manager for ViruScan
anti-virus software, from McAfee Associates Inc., in Santa Clara, Calif.
Algorithms with complex mathematical procedures are now required to detect such
iterations, Talsky said.
Also changing the virus outlook are anti-virus development kits, available
on underground bulletin boards. "The virus construction kits make it much easier
for less skilled people to write viruses that are more clever and deadly," said
Tory Case, product marketing manager for Central Point Software Inc., in
Beaverton, Ore. "I'm not a programmer, but with the Virus Creation Laboratory by
hacker 'Nowhere Man,' I could create a virus simply by using pull-down menus and
click-and-choose options."
Signature scans fall short
As a result, most anti-virus software developers have changed their
approach; in addition to detecting known viruses, they screen for viruslike
behaviors. "With the exponential growth of viruses, there is absolutely no way
to always have a signature database that includes all known viruses," said
Brian Sevy, product manager for Intel Corp.'s network management operations, in
American Fork, Utah.
With its LAN Desk Virus Protect software, for example, Intel provides both a
signature database and rules-based technology. These rules look for behavior
that is characteristic of viruses, such as COM file growth.
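The contrast drawn above between a signature database and a growth rule for executables, as an added example that is not from the article or from any vendor named in it. The file names, contents and the SIGNATURE bytes are constructed placeholders, and the file set is held in memory as an assumption so the example runs without touching a disk.

```python
import hashlib

# Constructed placeholder bytes standing in for one database signature (not a real virus).
SIGNATURE = b"\xde\xad\xbe\xefSAMPLE"
EXECUTABLE_SUFFIXES = (".COM", ".EXE")

def signature_scan(files):
    """Signature approach: report files containing a byte pattern already in the database."""
    return sorted(name for name, data in files.items() if SIGNATURE in data)

def take_baseline(files):
    """Record size and SHA-256 of every executable while the system is known clean."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()
            if name.upper().endswith(EXECUTABLE_SUFFIXES)}

def rule_scan(baseline, files):
    """Rules approach: flag executables that are new, grew, or changed since the baseline."""
    findings = {}
    for name, data in files.items():
        if not name.upper().endswith(EXECUTABLE_SUFFIXES):
            continue  # data files change legitimately; the rule covers executables only
        if name not in baseline:
            findings[name] = "new executable"
            continue
        size, digest = baseline[name]
        if len(data) > size:
            findings[name] = f"grew by {len(data) - size} bytes"
        elif hashlib.sha256(data).hexdigest() != digest:
            findings[name] = "content changed"
    return findings

def build_samples():
    """Constructed before/after snapshots of a tiny file set (file name -> contents)."""
    clean = {"EDIT.COM": b"\x90" * 64, "CHKDSK.COM": b"\x90" * 80, "README.TXT": b"notes"}
    after = dict(clean)
    after["EDIT.COM"] += SIGNATURE                 # appended bytes match the database
    after["CHKDSK.COM"] += b"\x11\x22\x33" * 4      # appended bytes the database lacks
    after["README.TXT"] = b"notes, edited"          # ordinary edit to a data file
    return clean, after

if __name__ == "__main__":
    clean, after = build_samples()
    print("signature scan:", signature_scan(after))
    for name, reason in sorted(rule_scan(take_baseline(clean), after).items()):
        print("rule scan:", name, reason)
```

The signature pass reports only the file whose appended bytes are already in the database, while the rule pass reports both grown executables and ignores the edited text file.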
This new emphasis on behavior-blocking techniques is bolstered by a study
conducted by two captains at the Air Force Institute of Technology, in Huber
Heights, Ohio. The study tested the effectiveness of anti-virus packages against
both well-known viruses and those found on underground bulletin boards.
"The Air Force is a big consumer of computer software. Our goal was to get
the virus protection that is the most effective," said Capt. Kevin Ziese,
co-author of a report based on the study. "Instead of trying to keep up with the
newest virus in town, you should monitor for virus behaviors."
Ziese found that two software packages __ Central Point Anti-Virus and the
anti-virus utility in Microsoft Corp.'s MS-DOS 6.0 __ caught 100 percent of the
viruses used in the study. Both products employ behavior blocking as well as
signature scanning.
The most dreaded threat to an anti-virus software developer is a virus that
attacks the anti-virus package itself.
"An anti-virus scanner can end up spreading a virus if it's a direct
attack," said Frank Horwitz, president of Reflex Inc., the Brier, Wash., maker
of Disknet anti-virus software. Tremor, for example, attacked the TSR
(terminate-and-stay-resident) component of Central Point Anti-Virus; Central
Point addressed this by adding detection for Tremor and altering the TSR in
Version 2.0, which was released in May.
________________________________________________________________________________
DECEMBER 22, 1993, WEDNESDAY
Damage caused to computer programs by harmful viruses more than tripled in
Japan in 1993, and is expected to total about 900 cases by the year-end, a
government-affiliated organization reported Wednesday.
The Information-Technology Promotion Agency, Japan (IPA), affiliated with the
Ministry of International Trade and Industry, attributed the spread of viruses
to growing sales of low-end machines compatible with those produced by U.S.
computer giant International Business Machines Corp. (IBM).
Agency officials said a growing number of harmful programs produced overseas
have been imported to Japan.
Viruses are computer programs which spread through floppy disks and other
means and destroy healthy programs stored in computer systems.
The agency said there were only 14 cases of virus infection in 1990 when it
began to take statistics on the trouble, but the number increased to 57 in 1991
and to 253 in 1992.
By the end of November this year, 779 cases had been reported to the agency.
Since a large number of virus infections are usually reported at around
Christmas, the total number by the year-end is sure to hit 900, the agency said.
The most common virus in Japan is called a 'cascade' which caused information
to run down on the screen like a waterfall, the agency said.
-----BEGIN PGP SIGNATURE-----
Version: 2.2
iQCVAgUBLfmn700EOTLgG0HDAQHmmQP/ajMLUsm22DfIzuRufGQWiAuN2opTdZqB
XHgQxP5UrZofaLhqmRgA5UtBYBvBRRMhRCB7vX/cOMn4OhA8bfn86PZIoKdqMDNr
ukM4OSdTNcFrruzi0IjMVZBZuojI9sRJ1eGpOU0AoGy3xZRsaQOIbd31OIWPaUUp
r5JnCD5Z1EI=
=JDqh
-----END PGP SIGNATURE-----