Legit purpose for a Virus ...
andrew neely
>Let's say you create a great program, but even with the best copy
>protection, you know that it will be PIRATED ...
>
>You come up with an interesting scheme - unless the software is properly
>registered, the software releases a virus into the system stealing the
>software. Of course you have the cure, but whoever is invaded by this
>virus has stolen your great program, and is subject to a law suit.
>
>'nuf said
Nope. I _have_had_ originals detected as "pirated" on my system. If a
distibutor dumped a virus on me because their software incorrectly
determined that my software was copied, I would sue the f*ckers so hard
they'd _never_ protect software again.
Besides, what if I wanted to make a copy of software I owned for backup
purposes? Bam! Virus. Not.
--
Andrew Neely ne...@mozart.cs.colostate.edu
----------------------------------------------------+--------------------------
If aliens want to keep themselves concealed, why do |
UFOs have bright flashing lights? -- Bruce Sterling |
John Jay G. Tanlimco
>Nope. I _have_had_ originals detected as "pirated" on my system. If a
>distibutor dumped a virus on me because their software incorrectly
>determined that my software was copied, I would sue the f*ckers so hard
>they'd _never_ protect software again.
>
>Besides, what if I wanted to make a copy of software I owned for backup
>purposes? Bam! Virus. Not.
Are lawsuits the reason why PC software aren't being protected anymore?
Or just because they have received too many complaints from users?
--
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
John Jay Tanlimco | University of British Columbia | #$%!#^H&*(()_4|&^$M#}!@
jo...@ee.ubc.ca | Dept. of Electrical Engineering | @{$%8&*()!M#$%^&*()_=!S
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Jim Beatty
John Jay G. Tanlimco
But is that really a virus? You can simply make the software delete
itself, no need for a virus. What happens if this so called virus
gets into some other system and does damage?
Robert S. Cohen
A really great program that destroys your system? Sounds like a
really crappy program to me, and there are already plenty of them.
See how many people by your great program when they find out that
it carries a time-bomb.
Joep Meloen
> You come up with an interesting scheme - unless the software is properly
> registered, the software releases a virus into the system stealing the
> software. Of course you have the cure, but whoever is invaded by this
> virus has stolen your great program, and is subject to a law suit.
Now I buy your harddisk. Not knowing of this. You forgot to register.
Bang! There's the virus. We have are having intense discussions here
in Holland on this subject. But jurisprundence (did I spel this wright?)
proves that it is a dream that will not come true. Since there are so many
other ways that could result in me having the virus. Therefore proving
things like these could still be nearly impossible.
The other thing is that the programmer of the program which contains a
virus is legaly responsible for any trouble that it causes OUTSIDE
(and maybe even inside) the system of the lawbreaker. At least that's the
sitution in Holland at the moment. March 1st the new law on computercrimes
in Holland will come effective. I expect a whole set of cases by then.
Watch the Dutch courts I would say.
Ciao,
Joepa
Jo...@Haloeter.Hacktic.NL Homestation: PRISMA
Member of Perry Rhodan Crew Destination: I-CASE
Haloeter = very intelligent creature. Six dimensional powers.
Vesselin Bontchev
This is an extremely stupid way to use a virus. There are two main
problems:
1) If you are able to determine at runtime that the program is not
properly registered, you could just make it refuse to run. Much safer
than releasing a virus (for which you could be held legally
responsible in many countries).
2) A virus can spread to other computers. What do you want to punish
their users for - that they have ever had some software exchange with
a person who had some software exchange with a person who... etc.
seems to have pirated your software? Don't you think that you're going
a bit too far?
Regards,
Vesselin
--
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bont...@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
Ove Hansen
And I just got a new 486 as a replacement for the dog of a 386sx I have now.
Backed up the 386 and restored it on the 486, and wiped the 386's disk before
selling it for it's scrap value.
Then I started up your software which thought it had become pirated, and
therefore released the virus. Fortunately for me I had bought the software
legally in the UK. You and your lawyers have now got a small problem on your
hands...
>'nuf said
nuf nuf
--
---------------------------------------------------------------------------
Ove Hansen, Cisco Systems Europe | Mail: oha...@cisco.com
16, avenue du Quebec, Z.A. de Courtaboeuf | Tel: +33 1 60 92 20 56
91961 Les Ulis cedex, France | Fax: +33 1 69 28 83 26
Chris Gregors
Didn't Vault corporation (Prolok) intend to do something just like that a
few years ago. As I remember, they were so perturbed that Quaid software had
a good method for breaking Prolok, that they were going to release the new
inproved "Killer-Prolok".
If Prolok determined (how I'm not sure) that you were running a pirate copy
of the program, it would go and trash itself and the data files associated
with the appilcation.
Ashton-Tate (who had 40% stock (?) in Vault corp, and used it on every copy
of Dbase, dumped all their stock in Vault because of the potential bad press
associated with such a destructive program.
And where is Vault Corp these days ? .... toasted by an idea I think!
--
| Chris Gregors aka General Mayhem crs@crs-sys Edmonton Alberta Canada |
| The secrets of the universe are very simple, I just can't figure them out! |
Douglas Floyd
->>Let's say you create a great program, but even with the best copy
->>protection, you know that it will be PIRATED ...
->>
->>You come up with an interesting scheme - unless the software is properly
->>registered, the software releases a virus into the system stealing the
->>software. Of course you have the cure, but whoever is invaded by this
->>virus has stolen your great program, and is subject to a law suit.
->>
->>'nuf said
->
->Nope. I _have_had_ originals detected as "pirated" on my system. If a
->distibutor dumped a virus on me because their software incorrectly
->determined that my software was copied, I would sue the f*ckers so hard
->they'd _never_ protect software again.
->
->Besides, what if I wanted to make a copy of software I owned for backup
->purposes? Bam! Virus. Not.
->--
->Andrew Neely ne...@mozart.cs.colostate.edu
->----------------------------------------------------+--------------------------
->If aliens want to keep themselves concealed, why do |
->UFOs have bright flashing lights? -- Bruce Sterling |
I was working on a game, and had a person that I met over the InterNet
help me with some graphics code for it. Later he demanded:
Key Disk
Dongle
Every 30 minutes, a manual question
He also wanted a worm to come out, zap all CMOS settings, and try to
do as much damage as possible if any of the three protections was
violated.
He wanted the game to be sold with a contract that you got notarized, and
THEN, you would get your game.
I thought he was joking. He then wanted the dongle replaced by a half-
card with a HUGE series of capaciters that would blow the motherboard
sky-high if some of the protection was circumvented.
I told him either to stop joking, or get a brain transplant.
He said that either I incorporate his schemes, or he will not allow me
to use his code. I now have my own movement and graphics routines, that
are totally mine, and all of his sent code is in the Big Bit Bucket In The
Sky.
Heck, even manual protection is gross if not implemented well.
I will not tell the person's name to save embarrisment.
PS: Unless I decide there is a serious reason NOT to, I am including
source with this game, and having ABSOLUTLY NO c/p except for one "password"
that is needed to exit the house that you're in. (a la Ultima 6/U7, but
not the same.) Simple, and works as well as any other protection.
PS#2: If I include source, the datafile which holds the "magic exit word"
is one-way encrypted to prevent snooping.
Any comments? I'd love to send some mail to this FORMER co-developer about
people's opinions.
Another assurance: If and when (college == no time for programming)
I get this game out, there will be none of his "code" in it. Just
mere spaghetti code :-).
--
ifb...@ccwf.cc.utexas.edu (Douglas Floyd)
Disclaimer: I speak for myself Please, no NeXTMail at this time.
Windows NT: You either use it on your job or you do not HAVE a job. NOT!
andrew neely
> (*stuff deleted*)
>PS#2: If I include source, the datafile which holds the "magic exit word"
>is one-way encrypted to prevent snooping.
How about the code that verifies the "magic exit word"?
Realize that any programmer could wander into the source and just remove
the check for the "magic exit word" completely, encrypted or not. More
effective would be to do the check as normal, but immediately replace the
actual results with a `everything is fine' signal. To cleanly remove the
check, all I'd do is remove all of the checks completely.
Software crackers rely on the relative openness of code to crack a
program's copy protection. Source code is definitely an open environment.
Back to the encryption... nothing is one-way encrypted when the the
self-contained code can decipher it. If the source code contains the
information to decipher the exit word, then it's easy enough to decipher
the word in general.
Don't get me wrong... I strongly approve of your decision to include the
source. Your best bet would be to secure some critical portion of the
code (like the graphics routines or something) and release this portion
as executable instead of releasing the source. Then, you build the
copy protection into this closed environment. This is chunky, but it's
the only option I can see if you still keep the majority of the code
in source.
--
Andrew Neely ne...@mozart.cs.colostate.edu
----------------------------------------------------+--------------------------
If aliens want to keep themselves concealed, why do |
Douglas Floyd
->In article <1los4c...@emx.cc.utexas.edu> ifb...@emx.cc.utexas.edu
(Douglas Floyd) writes: >> (*stuff deleted*)
->>is one-way encrypted to prevent snooping.
->
->How about the code that verifies the "magic exit word"?
->Realize that any programmer could wander into the source and just remove
->the check for the "magic exit word" completely, encrypted or not. More
->effective would be to do the check as normal, but immediately replace the
->actual results with a `everything is fine' signal. To cleanly remove the
->check, all I'd do is remove all of the checks completely.
Nobody can make an "uncrackable" program. All I am doing is putting
up a door and putting a lock on it. (analogy mode OFF). I do not
need deadbolts or other locks. All the protection needs to do is keep
joe average from copying the disks and giving it to jane average.
->Software crackers rely on the relative openness of code to crack a
->program's copy protection. Source code is definitely an open environment.
->
->Back to the encryption... nothing is one-way encrypted when the the
->self-contained code can decipher it. If the source code contains the
->information to decipher the exit word, then it's easy enough to decipher
->the word in general.
I said one-way encrypted. The "happy fun word is NEVER decrypted". The
user's input is encrypted, and is checked with the crypted text.
Good that you are finding stuff tho.
->Don't get me wrong... I strongly approve of your decision to include the
->source. Your best bet would be to secure some critical portion of the
->code (like the graphics routines or something) and release this portion
->as executable instead of releasing the source. Then, you build the
->copy protection into this closed environment. This is chunky, but it's
->the only option I can see if you still keep the majority of the code
->in source.
->--
->Andrew Neely
->ne...@mozart.cs.colostate.edu
->----------------------------------------------------+--------------------------
->If aliens want to keep themselves concealed, why do |
->UFOs have bright flashing lights? -- Bruce Sterling |
Vesselin Bontchev
> I was working on a game, and had a person that I met over the InterNet
> help me with some graphics code for it. Later he demanded:
> Key Disk
> Dongle
> Every 30 minutes, a manual question
That's OK, except that almost nobody will use a program protected this
way, unless it is really great, and even then somebody will crack the
protection - not to pirate the program, but because the protection is
annoying.
> He also wanted a worm to come out, zap all CMOS settings, and try to
> do as much damage as possible if any of the three protections was
> violated.
Obviously this person is extremely incompetent in both technical and
legal terms. In technical terms, you don't need a worm (a
self-replicating program) to zap the CMOS settings - this can be done
with a half a dozen assembly language instructions, which have nothing
to do with replication. In legal terms, the producer of a program that
causes deliberate damage to other people's programs can be sued in
many countries, including in yours, I think (I am not very familiar
with the law in Texas, so I might be wrong).
> He wanted the game to be sold with a contract that you got notarized, and
> THEN, you would get your game.
If the contract says that the game might destroy your information,
then nobody will buy it. If it doesn't say this clearly enough, the
producer may be sued for damages, according to the laws in several
countries.
> I thought he was joking. He then wanted the dongle replaced by a half-
> card with a HUGE series of capaciters that would blow the motherboard
> sky-high if some of the protection was circumvented.
Now, if you do this to me, I could sue you, EVEN IN BULGARIA. The
computer information is not property there, but the computer hardware
definitively is.
> I told him either to stop joking, or get a brain transplant.
He's definitively missing a lot of education in ethics and law.
> PS#2: If I include source, the datafile which holds the "magic exit word"
> is one-way encrypted to prevent snooping.
If it is just a single word, then this scheme is opened to dictionary
attacks, like the Unix passwords. Maybe you should use passphrases.
> Any comments? I'd love to send some mail to this FORMER co-developer about
> people's opinions.
Feel free to do that with mine opinions.
Vesselin Bontchev
> If Prolok determined (how I'm not sure) that you were running a pirate copy
> of the program, it would go and trash itself and the data files associated
> with the appilcation.
Trashing itself is OK. Trashing its associated data files is more
questionable. Trashing anything else is a no-no.
But let me tell you another example, which has been implmented and
which I have observed myself.
Version 1.0 of Microsoft Word used to checksum the executable file
and, if the checksum didn't match, it displayed the following text:
***INTERNAL SECURITY VIOLATION***
The tree of evil bears bitter fruit,
crime does not pay.
THE SHADOW KNOWS
<17 blank lines>
Trashing program disk.
and then proceeded to overwrite the current disk. I don't know why
their idea that the software was pirated was that its checksum must
change. The program was widely pirated in Bulgaria, without any
problems. It was popular, because it could fit on one 360 Kb floppy
and many computers at that time didn't have a hard disk.
Officially Microsoft has said that the code has been put there by an
employee, who has acted on his own, without the permision of the
company. Allegedly, this employee has been fired as soon as his act
has been discovered. Microsoft also claims that only the message is
there and the trojan never activates.
Not so! In once case I have witnessed myself, the programs was
infected by a relatively simple virus - Yankee Doodle. The virus is
not stealth, so the infected program was able to determine that it has
been modified and, when executed, -did- trash the current disk...
andrew neely
In article <bontchev.729947587@fbihh> bont...@fbihh.informatik.uni-hamburg.de writes:
>Version 1.0 of Microsoft Word used to checksum the executable file
>and, if the checksum didn't match, it displayed the following text:
>
>***INTERNAL SECURITY VIOLATION***
>The tree of evil bears bitter fruit,
>crime does not pay.
> THE SHADOW KNOWS
><17 blank lines>
>Trashing program disk.
>
>and then proceeded to overwrite the current disk. I don't know why
>their idea that the software was pirated was that its checksum must
>change.
Software with significant on-disk protection can typically be cracked with
some simple modification of the actual code (either via dis/assembly or
or a sector editor). If the code does a checksum on itself during
execution, it's probably to check for this kind of tampering.
So, all you have to do is remove the checksum check. :)
As mentioned in a previous article, a virus or similar occurance
(something that doesn't necessarily render the code ineffective)
could trigger this reaction.
If you're developing copy protection, I recommend both encryption and/or
compression, as well as a checksum.
--
Andrew Neely ne...@mozart.cs.colostate.edu
----------------------------------------------------+--------------------------
If aliens want to keep themselves concealed, why do |
Default Account
>> of the program, it would go and trash itself and the data files associated
>> with the appilcation.
>Trashing itself is OK. Trashing its associated data files is more
>questionable. Trashing anything else is a no-no.
The Prolok thing was an unconfirmed rumour. It might have been put about
by someone who didn't like Prolok. Personally, I don't believe it.
>But let me tell you another example, which has been implmented and
>which I have observed myself.
>Version 1.0 of Microsoft Word used to checksum the executable file
>and, if the checksum didn't match, it displayed the following text:
>***INTERNAL SECURITY VIOLATION***
>The tree of evil bears bitter fruit,
>crime does not pay.
> THE SHADOW KNOWS
><17 blank lines>
>Trashing program disk.
As I recollect, the message was "Trashing program disk now", but it's
a very minor point, and my memory might be mistaken. I use this as a foil
in one of my seminars.
>and then proceeded to overwrite the current disk. I don't know why
In the case I saw, it only overwrote the Word program.
This is very nearly accurate - I have a couple of minor amendments.
I too have seen this message, and it was Word version
1.0, as you said. In the case I saw, it was triggered by copying the
software from one subdirectory on the hard disk to another. The user did
this, because he had problems with his printer driver, and Microsoft
suggested this. I don't know about checksumming - I didn't test this.
I don't see how checksumming would protect against piracy, though. So I
think that my story is more likely true. I could probably dig out that
version and test it, but I'm a bit busy right now with all the viruses we're
seeing in 1993, without worrying about a 1985 problem!
>has been discovered. Microsoft also claims that only the message is
>there and the trojan never activates.
>Not so!
I agree. I saw it with my own eyes. I was astounded. And I think that this
is the source of all those rumours we've all heard about killer copy
protection schemes.
Thank you, Microsoft, for all your gifts.
--
Drs...@ibmpcug.co.uk Alan Solomon, S&S International
Office tel +44 442 877877 Home tel +44 494 724201
fax +44 442 877882 fax +44 494 728095
bbs +44 442 877883 bbs +44 494 724946
Dominic Dunlop
has a piece called something like Logic Bombs, FAT Eaters and Vampire
Worms, which discusses software which propagates copies of itself.
Towards the end of the piece is a nod towards legitimate uses of
virus-like programs for housekeeping and data reduction.
[Cross-posted to uk.test because alt-only traffic tends not to leave
our site -- sorry.]
--
Dominic Dunlop
Vesselin Bontchev
> Software with significant on-disk protection can typically be cracked with
> some simple modification of the actual code (either via dis/assembly or
> or a sector editor). If the code does a checksum on itself during
> execution, it's probably to check for this kind of tampering.
Yeah, but that particular version of MS Word was NOT copy protected -
or the copy protection has been removed, I don't know - I have never
seen the original. It was possible to copy the diskettes just with
DISKCOPY. That's why I don't see why the program checksummed itself
and why if it was changed it decided that it has been pirated...
> If you're developing copy protection, I recommend both encryption and/or
> compression, as well as a checksum.
God forbid, no, I am not developing copy protections... First, I
believe that software should be free and come in source, and second, I
am unable to develop a copy protection scheme that I won't be able to
crack myself, so I am not developing any - doing otherwise would be to
produce something that I myself know to be inferiour... :-)
Vesselin Bontchev
> >***INTERNAL SECURITY VIOLATION***
> >The tree of evil bears bitter fruit,
> >crime does not pay.
> > THE SHADOW KNOWS
> ><17 blank lines>
> >Trashing program disk.
> As I recollect, the message was "Trashing program disk now", but it's
> a very minor point, and my memory might be mistaken. I use this as a foil
No, it is "Trashing program disk.". I dug a printout of Norton
Utilities of that particular sector containing the message. It is
right after two other messages:
"One of the Microsoft Word load files cannot
be correctly read."
and
"***NON-COPY PROTECTED DISK***
This disk is not copy protected, you
can make backup copies of this program
only with the supplied utilties."
(Don't as me what the second message means...)
> >and then proceeded to overwrite the current disk. I don't know why
> In the case I saw, it only overwrote the Word program.
In my case it overwrote the whole floppy, so it became unreadable. It
was done using INT 26h - I caught this with a monitor. However, when I
am thinking about it now, I tried this on a diskless computer, so
maybe it trashes only the floppy in drive A: (where the "program disk"
is expected to reside), not the current drive.
> suggested this. I don't know about checksumming - I didn't test this.
It does checksum itself - it was years ago, but I think I remember
that it does a simple checksum - add-bytes-in-a-word. Maybe the trojan
triggers in both cases - when the checksum doesn't match and when the
program is not in the installation directory. A bit below this
message, there is a path "Z:\MSTOOLS\MW.COM" and I recall that the
initial version of MS Word was not able to be installed anywhere else
but in a directory named \MSTOOLS...
Douglas Floyd
->> some simple modification of the actual code (either via dis/assembly or
->> or a sector editor). If the code does a checksum on itself during
->> execution, it's probably to check for this kind of tampering.
->
->Yeah, but that particular version of MS Word was NOT copy protected -
->or the copy protection has been removed, I don't know - I have never
->DISKCOPY. That's why I don't see why the program checksummed itself
->and why if it was changed it decided that it has been pirated...
->
->> If you're developing copy protection, I recommend both encryption and/or
->> compression, as well as a checksum.
->
->God forbid, no, I am not developing copy protections... First, I
->believe that software should be free and come in source, and second, I
->am unable to develop a copy protection scheme that I won't be able to
->crack myself, so I am not developing any - doing otherwise would be to
->produce something that I myself know to be inferiour... :-)
->
->Regards,
->Vesselin
->--
->Vesselin Vladimirov Bontchev Virus Test Center, University of
-Hamburg
->Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik
- AGN
->< PGP 2.1 public key available on request. > Vogt-Koelln-Strasse 30, rm.
107 C
->e-mail: bont...@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54,
Germany
You could always have a logic bomb in your cp code to make it dangerous
to tinker with, but if you do this, you better have a *GOOD* lawyer,
and a bribed judge because EVERYONE will nail your posterior to the wall as
soon as people hear of this.
PS: I am not advocating the above solution, just mentioning it for the
sake of completeness. I take no responsibility for any action done by the
above posting and reply.
--
ifb...@ccwf.cc.utexas.edu (Douglas Floyd)
Disclaimer: I speak for myself Please, no NeXTMail at this time.
Win NT: A way for Microsoft's advertising companies to get rich.