Copy Link
Add to Bookmark
Report

Chaos Digest Volume 01 Numero 36

eZine's profile picture
Published in 
Chaos Digest
 · 4 years ago

  

Chaos Digest Mardi 25 Mai 1993 Volume 1 : Numero 36
ISSN 1244-4901

Editeur: Jean-Bernard Condat (jbcondat@attmail.com)
Archiviste: Yves-Marie Crabbe
Co-Redacteurs: Arnaud Bigare, Stephane Briere

TABLE DES MATIERES, #1.36 (25 Mai 1993)
File 1--_40H VMag_, le FBI & Samford Univ. Comp. Serv. (reaction)
File 2--"Immunizer": proposition de concept pour composants (critique)

Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost by sending a message to:
linux-activists-request@niksula.hut.fi
with a mail header or first line containing the following informations:
X-Mn-Admin: join CHAOS_DIGEST

The editors may be contacted by voice (+33 1 47874083), fax (+33 1 47877070)
or S-mail at: Jean-Bernard Condat, Chaos Computer Club France [CCCF], B.P.
155, 93404 St-Ouen Cedex, France. He is a member of the EICAR and EFF (#1299)
groups.

Issues of ChaosD can also be found from the ComNet in Luxembourg BBS (+352)
466893. Back issues of ChaosD can be found on the Internet as part of the
Computer underground Digest archives. They're accessible using anonymous FTP:

* kragar.eff.org [192.88.144.4] in /pub/cud/chaos
* uglymouse.css.itd.umich.edu [141.211.182.53] in /pub/CuD/chaos
* halcyon.com [192.135.191.2] in /pub/mirror/cud/chaos
* ftp.cic.net [192.131.22.2] in /e-serials/alphabetic/c/chaos-digest
* ftp.ee.mu.oz.au [128.250.77.2] in /pub/text/CuD/chaos
* nic.funet.fi [128.214.6.100] in /pub/doc/cud/chaos
* orchid.csv.warwick.ac.uk [137.205.192.5] in /pub/cud/chaos

CHAOS DIGEST is an open forum dedicated to sharing French information among
computerists and to the presentation and debate of diverse views. ChaosD
material may be reprinted for non-profit as long as the source is cited.
Some authors do copyright their material, and they should be contacted for
reprint permission. Readers are encouraged to submit reasoned articles in
French, English or German languages relating to computer culture and
telecommunications. Articles are preferred to short responses. Please
avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Chaos Digest contributors
assume all responsibility for ensuring that articles
submitted do not violate copyright protections.

----------------------------------------------------------------------

Date: Thu, 20 May 93 12:36:40 -0400
From: GLWARNER@samford.bitnet (THE GAR )
Subject: File 1--_40H VMag_, le FBI & Samford Univ. Comp. Serv. (reaction)


[ChaosD: Etonne de la lecture d'une telle insulte de la part du responsable
du service informatique de la Samford University (USA), je decidai de lui
demander la raison d'une telle virulence... malgre le nombre croissant des
nouveaux abonnes a ChaosD. Voici le texte publie dans _Virus-L Digest_
#6.82.2:]

Has anyone else seen "VMag"? It appeared in this weeks Chaos Digest,
and is a magazine dedicated to publishing virus writing tips. The
first issue contains code for making "The Tiny Virus" "Sub-Zero Virus"
"Leprosy-B Virus" and "1992 Virus". There is also an article on how
to modify viruses so SCAN (McAffee) can't detect them. (Some is
source code, some disassembles, and some "debug" compilables).

The second issue contains an article on making PKLite or LZExe
checksum strings show that they have not been changed, a BBS number
for virus discussions, an interview with Skism One (AKA Lord SSS) (in
which he praises John McAfee for helping make him famous) .. a debug
compilable of the Whale virus, and code for the ontario virus, the
1260 virus, the skism 808 source code, and Vienna/Violator source
code.

The question: What do we do about this? I called the FBI complaint
desk (202) 324-3000, and talked to "Harris". He says there are no
violations of Federal law, and that people can print whatever they
want. He said to me, that if you can go to the library and learn how
to make an atomic bomb, that this certainly was legal. I mentioned to
him that once you know how to make a bomb, you need a whole bunch of
uranium to do anything, but once you had this publication, you HAVE
the bomb. He suggested I contact an agent in my area, but told me the
attorney general's office would have to decide whether there was a
case, but he didn't think there was. The editor of Chaos Digest is a
member of the EFF, (the electronic version of the ACLU), so I would
bet that anyone who messes with him would get a lawsuit.

[ChaosD: Voici la reponse de ce Monsieur a ma demande d'explications:]

I am denying permission. Thanks for asking first.

What is the purpose of Chaos Digest? It is quite obvious that VMag and
SKISM have as their agenda the general wreaking of havoc by creation and
spread of viruses. There is not even a suggestion that they have any
scientific or research purposes in mind. When one begins a magazine by
saying that it is not for "anti-virus pussy"s I think that one makes that
pretty clear. I thought Chaos Digest was a computer security publication
when I signed up. Is it? What is it that you seek to gain by promoting
this sort of activity with your distribution of their literature?

Curious: how many US subscribers do you have?

As for _The Little Black Book of Viruses_ . . . yes, I am familiar. And
if you check the archives of VIRUS-L you will see that there was great and
similar outcry at its publication. Data WILL be destroyed because of your
reproduction of VMAG. How does this fall in line with the concept of
editorial responsibility?

------------------------------

Date: Fri May 7 14:57:00 -0600 1993
From: roberts@decus.arc.ab.ca ("Rob Slade, DECrypt Editor, VARUG NLC rep )
Subject: File 2--"Immunizer": proposition de concept pour composant (critique)
Copyright: Robert M. Slade, 1992


Comparison Review

Company and product:

Western Digital Corporation
8105 Irvine Center Drive
Irvine, CA 92716
714-932-5000
714-932-6250 Letty Ledbetter
Robert McCarroll, Product Manager, Systems Logic Group
714-932-7013 Terry Walker (and Robert Lee, developer) fax: 714-932-7097
Mark Levitt fax: 714-932-7098
Benjamin Group (marketing)
Suite 480, 100 Pacifica Ave.
Irvine, CA 92718
714-753-0755 (Erin Jones, Sari Barnhard and Carolyn Fromm) fax: 714-753-0844
Immunizer (new technology to be announced 921109)

Summary: concept proposal for hardware component for data security

Cost: N/A

Rating (1-4, 1 = poor, 4 = very good)
"Friendliness"
Installation 1
Ease of use 1
Help systems 1
Compatibility 2
Company
Stability 2
Support 1
Documentation 1
Hardware required 2
Performance 2
Availability 1
Local Support 1

General Description:

The "Immunizer" concept involves a cooperative effort between BIOS makers,
board manufacturers and antiviral software producers. The central component,
as far as Western Digital is concerned, is the 7855 system controller chip.
With proper implementation, the concept should allow protection of hard disk
and memory areas, while at the same time allowing the user the option to
"lift" the protection via software in order to allow for normal system
maintenance functions.

Comparison of features and specifications


User Friendliness

Installation

The test unit arrived with the Immunizer protection in place. The notes with
the system do not specify how the protection program (ANTIDOTE) was to be
invoked or removed, other than at boot time.

Physical examination of the unit found an AMD NG80386SXLVIO-25 CPU and a
Caviar 280 85Meg drive. Bus slots were labelled "do not use bus" and "5V".
The system boot messages referred to a "7855 3.3V Notebook system".

Initial assessment of the system found that the two FAT tables did not agree,
and that there were numerous "duplicate filenames" in the root and directories
created before the system was shipped. Examination of the root directory
showed multiple filenames of ANTIDOTES_R. (Addition and protection of new
program files increases the number of these entries.)

To begin with, I could not understand the purpose of these files, supposing
that they might point to table information regarding which files were to be
protected. However, the number of protected files did not exactly correspond
with the number of ANTIDOTES_R entries. Eventually I found that groups of
these entries always end at sector boundaries. This would indicate that
protection is on the basis of disk sectors and that the entries are used as
"spacers" to keep data files out of the protected sectors.

Note that removal of these file entries requires sector editing, and that
directories that have such entries cannot be removed even if "all files" have
been deleted from the directory. I had hoped that disabling protection,
deleting all files, and then running the "organize and protect" function again
would solve the problem, but it did not. It did, however, remove the
protection from the directories so that a tool like NDD was able to remove
duplicate entries. One ANTIDOTES_R entry remained, and could not be deleted
from the command line, but another utility program was then able to remove the
single remaining entry. This, however, seems to be excessive trouble for such
a common procedure.

Analysis of the FAT with one tool initially showed that a file at cluster 5276
had no directory entry. On a second run, that had changed to 5398. Further
runs after addition of more files indicated that this particular cluster is a
fixture of the system. Examination showed the contents to be very similar, and
similar to the FAT data structure.

Ease of use

As noted, the notes shipped with the test system did not indicate how to
invoke the ANTIDOTE program, other than by rebooting the computer.

An attempt to write to the root directory entries (overwriting the duplicated
ANTIDOTES_R filenames, in fact) with PCTools invoked an alert screen. This
screen stated that a suspicious write had been detected. The options presented
were to reboot the computer, or to disable protection. There was no option to
disallow the operation, but continue with the session. The screen noted that
if the operation was allowed to proceed, ANTIDOTE would not be active until
again invoked (by rebooting?). Choosing to reboot presents a second screen to
confirm the choice. The system appears to be able to discriminate between
program and non-program directory entries.

(Subsequent testing demonstrated that the alert system, at least, would remain
in place even if the option to disable protection was selected.)

There are only six menu selectable items on the main ANTIDOTE screen, and
using the menu should not present any problem to a user with even moderate
computer experience. The only item that presents any further complexity of
use is the option to select files to be protected. It should be comprehen-
sible to any user of "dual window" file managers.

Help systems

None provided aside from brief (one sentence) explanations of the six menu
items on the ANTIDOTE program.

Compatibility

Utility programs show numerous potential problems with inconsistent entries
between the two FAT tables, and with numerous "duplicate" filenames, as well
as lost chains whenever the "Protect" functions are used. Use of programs to
attempt to correct these problems is almost inevitably fatal. The ANTIDOTES_R
"files" are, of course, part of the protection system, and rightly attempt to
defend themselves, but it would help if the implementation was not such a
problem to other utilities. Attempts to reconcile the two FAT tables appear to
be allowed, but will need to be done again after each use of the ANTIDOTE
program to protect new or modified files.

An attempt to test compatibility with other antiviral programs raised an
interesting point. The protection system does *not* appear to really start
from the BIOS level. Installation of the DISKSECURE system seemed to eliminate
the ANTIDOTE system entirely. However, attempts to infect the system with boot
sector infectors from floppies did not work: the system was able to prevent
infection.

There is considerable interference from the system in terms of false alarms.
In fact, there were numerous times when the "alert" screen popped up when no
disk activity should have been taking place. In the limited time available it
is difficult to say for sure how much was unwarranted interference with normal
operations, particularly as the only option is to reboot or shut down the
protection.

Initially, I was not aware of too many false alarms; after all, I had little
idea of how the system should work and was obviously making mistakes. As I
started to load software into it, I began to suspect that large scale copying
operations "confused" the system as to what was supposed to be protected.
The problem seems to get much worse as the disk is "loaded": at 80% full the
system "alarms" on almost every operation that copies data, or even reads the
disk. At 95% full, invocation of programs larger than one cluster will
consistently generate a warning.

I was, however, able to determine that numerous alerts (at least six when I
tested the system conditions both before and after the alert) were fully in
error. Some of the cases were inconsistent in generating the warnings. In any
case, false alarms seem to occur at a rate of one out of ten disk operations
when the disk is half full.

At 95% full or higher, there are also numerous false alarms when the system
boots. Interestingly, removal of programs to reduce the "load" to 60% and
reprotecting the system did not rectify the errors. ("Cold" booting does
improve the success rate.)

There are occasions, however, when the "false" alarms aren't really false, but
are misleading just the same. This occurs when a protected program or file has
been deleted. As noted, the system allows you the option of allowing an
operation. The alert screen states that the protection system will be shut
down after a restricted operation is allowed, but, in fact, doesn't.
Therefore, while the area formerly occupied by the deleted file looks (to DOS)
to be available, to the protection system this area of the disk is still to be
protected. This is more than just a bug in the current implementation; it is a
significant obstacle to the utility of the concept as a whole, and needs to be
seriously addressed.

Another bug in the current program concerns the computer system it is
installed in, and the diagnostics. Roughly half of the attempts to reboot
the system resulted in some failure of the diagnostic tests, although there
was no apparent problem with the items that had failed.

It should be noted that, aside from the rather random interference with normal
computer operations that go on from time to time, nothing in the system
mitigates against "companion" (also known as "spawning" or "precedence") viral
programs. Duplicate filenames with different extensions may exist, and are not
noted in any way.

The system, as currently configured, prevents booting from a floppy disk
except when the protection is disabled. While this seems generally
reasonable, note that it means that checking of the system is problematic.
(During testing, I attempted a "clean boot" to ensure that a stealth virus
had not, in fact, affected the system. I then, inadvertently, wiped out the
disk with a trojan.)

If the system is infected by a boot sector infector, it will not prevent
subsequent infection of floppy diskettes.

A version of the Traceback virus was able to consistently lock up the system.
This should be explored as indicating a possible weakness in the protection
system.

Company Stability

Western Digital is well known for their drive controller and network cards.
This is their first effort in the antiviral arena.

Company Support

I was first contacted by "The Benjamin Group", which appears to be a marketing
company hired by Western Digital for the promotion of this concept. An
evaluation unit was promised to be shipped. I was very careful to spell out
the conditions under which I would accept the unit for review: these were
agreed to by Benjamin, but were apparently not communicated to Western
Digital.

Significant problems were encountered in shipping. The unit was to have been
shipped over the weekend: because of problems with declarations at Customs the
shipment was received a week late. Equal, or worse, problems were encountered
in attempting to get information from Western Digital in order to return the
unit.

Because of the miscommunication over review conditions, and because of the
delay in shipping, this review has been conducted under less than ideal
conditions and time frame. A series of questions was put to Western Digital
in order to better structure the review. Unfortunately, the answers were
somewhat misleading.

Western Digital stated that although full documentation is not available with
the system, some description of the concepts and theory were enclosed with the
package. User notes were said to be enclosed regarding the anti-viral
management software. In fact, there was no material relating to the theory
and concept, and the user notes simply reproduced the explanations listed with
each menu item on the ANTIDOTE screen.

The software and system was said to be complete and debugged so far as the
"proof of concept" is concerned, although it was not to be judged as a
commercial and saleable product. This is fair as far as it goes, but it would
be hard to defend the mistakes that the system makes in terms of losing files
and clusters in terms of a fully debugged program.

Some software, particularly Windows 3.1, was said to be installed and
available on the system. In fact, only MS-DOS (and not all of that), F-PROT
and a virus "storyboard" presentation were on the system.

There were additional problems with contacts. Phone calls and faxes were not
returned. Several times Western Digital requested action on my part on a rush
basis, but when further information was requested in order to pursue this
action, calls by me were left unreturned by Western Digital for days at a
time. To date I am still waiting for some materials promised by Western
Digital and The Benjamin Group.

Documentation

Basically, none is yet available beyond the press releases and a "white
paper".

Hardware Requirements

At present, the system is limited to those systems with SMI equipped 386/486
level processors. The system will need the proper BIOS and the WD 7855 system
controller. The protection is limited to ISA IDE hard drives, and only to the
first physical and logical drive.

In terms of exactly how the technology works to protect the disk, it would
seem to be possible in a number of ways. However, the current implementation
seems to require all programs (or other files to be protected) to be
contiguous on the disk. This suggests that the protection is applied on a
"cluster" or "sector" basis, rather than at the higher, logical, level of
file protection.

In terms of the files to be protected, this is not a major problem. However,
the FAT clusters must also be protected. (Directory "files" listing the files
within the directory also appear to be protected in some way. Renaming of
files in some ways is allowed: methods that involve direct disk access appear
to be restricted. This may present a security loophole.)

The implications here are more serious since data files, which are not to be
protected, must not occupy any of the clusters in the FAT which are protected.
Observation of the test system indicates that data files are therefore
restricted from certain areas of the disk. The exact restriction will depend
upon the amount of space required for program files, the FAT type (12 or 16
byte), the cluster size and the size of the hard disk. (Given the number of
variables, I have not attempted to calculate specific examples. The precise
extent of this restriction as an obstacle to computing is difficult to
determine.) My initial observations indicated that this might require a
restriction of disk usage limiting disk utilization to 50 percent or possibly
even less. Subsequent observations did not confirm this, since I was able to
fill the disk to 99% capacity. However, it should be noted that when the disk
allocation reached 50% of capacity there was a significant increase in the
number of false alarms.

In relation to this, "FAT" or "system" viral programs were tried against the
Immunizer system. While they did not infect the system, neither did they
prompt any alarms. Although two copies of DIR II were tried, my suspicion is
that somehow the system prevented their operation, rather than preventing the
infection. This will require further testing.

Performance

Invocation of the "Protect" or "Organize and Protect" functions of the
ANTIDOTE program results in a major disk reorganization. Each addition or
modification to a program, therefore, requires significant time for
re-establishment of protection.

In addition, the disk reorganization appears to have some bugs currently, and
each run resulted in some truncated files and lost clusters. The files lost or
truncated tend to be data files, although at least one overlay file was
truncated during testing. Each run also results in inconsistencies between
the two FATs.

After the addition of some files required an "Organize and Protect" run of
more than 35 minutes duration, I attempted to build a metric for this
activity. Therefore, having protected, organized and cleaned up the disk
errors on the system, I installed Windows 3.0 as being fairly representative
of the mix of programs and data in today's commercial software. 52 megabytes
of the 83 megabytes available on disk were occupied, and Windows added
approximately 5 megabytes to that. The organize and protect run took 21
minutes to complete. An initial run with CHKDSK did not find any lost
clusters. Correcting the FAT inconsistencies with NDD took a further 9
minutes. It found four truncated files and 97 chains of 1218 lost clusters,
the correction of which took a further 3 minutes. The cost of the addition
and protection of one commercial package, therefore, is generally more than
half an hour for protection, and a random loss of data files.

However, observation suggests that this is neither consistent nor predictable.
Most runs took 30 to 40 minutes, regardless of the space available on disk or
the number and size of program files added. On the other hand, after one
addition of a large number of program files the organize and protect run took
only five minutes to complete.

A "worst case" test was done with the disk 99% full. This took 4.5 hours to
complete. After this was done, the system "alarmed" on every bootup.
Interestingly, on this run only one file and 24 cluster chains were lost.

Note that removal of files requires a similar time investment. Deleting 35
megabytes of (mostly program) files required an "organize and protect" run of
24 minutes.

Recovery of files was generally unsuccessful. On two notable occasions very
large data files were recovered with reasonable success after extended
efforts. Lost clusters tended to be mixtures of files; in many cases mixtures
of files and directories.

The processing overhead added by the protection system is not perceptible to
the user in normal operation. Numerical tests of disk speed, however, reveal
a very different story.

Coretest Transfer rate Perf. index / SI Disk Index

with protection 349.6 5.756 4.3
without protection 942.0 9.291 7.0

While processing does not appear to be adversely affected, disk access
certainly is. Where disk performance is a factor, this must be a
consideration.

Although memory protection was mentioned (in a teleconference promoting the
release) system areas of memory do not appear to be protected. However, upon
further information from the company, an area of memory was found which is
protected.

Additional "bugs" were found in the system. The ANTIDOTE alert screen did not
recognize both "Enter" keys on the keyboard: in certain situations it requires
one, in others the other. At times the system would not "free" memory after a
program had completed a run. At times the system seemed to interfere with
parameters being passed to programs.

Support Requirements

Even without the bugs, the current concept would need to be installed and
managed by those who thoroughly understood both virus protection and the level
and type of activity on the computer to be protected. Certain files not
covered by the default protection would need to be added and certain programs
would need to be "writable" in certain situations. It is, of course, possible
for the user or operator to override the protection, but they would need to be
informed of the times when they safely could, and times when they shouldn't.
The fact that the alert screen is so vague does not help this decision, but
this could be changed, hopefully without adding too much overhead. The
addition of more "intelligence" to the alert screen, in order to inform the
user of what part of the disk was being written to, and what the implications
were, would help here.

General Notes

The concept appears to have substantial potential. However, the current
implementation has a sufficient number of bugs as to make judgement of the
value of the concept, separate from this implementation, problematic.

As currently implemented, the system does appear to provide substantial
protection against infection of program and specific protected files on the
target machine by most types of viral and trojan programs. The cost of this
protection, in terms of the reduced utility of the system, would be
unacceptable in all but the highest risk environments. A combination of
software defenses and user training would provide almost the same level of
protection at greatly reduced cost.

There are indications of loopholes in the current implementation. Specific
identification of such requires further testing.

This concept should be pursued, but in conjunction with established antiviral
researchers and antiviral software developers. Numerous existing programs
could contribute to patching the gaps in this implementation.

------------------------------

End of Chaos Digest #1.36
************************************

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT