At this time I would like to make a remark about the current
dangerous virus situation.
CRISIS CRISIS CRISIS CRISIS CRISIS CRISIS
YES, I am absolutely serious. I do not wish to sound unnecessarily
alarmist but the current situation calls for immediate action on the
part of the entire Amiga community and from COMMODORE.
Commodore should recognize this situation as EXTREMELY SERIOUS and
as a situation that could HURT AMIGA SALES, SCARE OFF DEVELOPERS, and
SCARE OFF BUSINESS CUSTOMERS. The previous Amiga virus was mentioned
in the influential British business magazine The Economist. Imagine what
will happen in the press when word leaks about a CONFIRMED DANGEROUS
AMIGA VIRUS that has:
DESTROYED BUSINESS RECORDS
COMPLETELY ERASED A YEAR OF A DEVELOPER'S WORK
INFILTRATED SHRINK WRAPPED COMMERCIAL SOFTWARE
INFILTRATED EVERY CORNER OF THE AMIGA COMMUNITY
The Amiga is a sophisticated computer. Kludges like the Apple are less
subject to viruses because they have to be rebooted every time a new
program is used. Even IBMs are less subject to this type of software
virus because they are single tasks, so data disks are isolated. Since
the Amiga is a multi-tasking computer during the course of one session
half a dozen disks containing the programs and data for as many
programs can be destroyed!
I am calling for ACTION. This means a concerted effort by the Amiga
community to locate and eradicate ALL viruses and find their sources.
This calls for MONEY from Commodore and other 3rd party developers
to organize this effort and to PUNISH to the MAXIMUM EXTENT OF THE LAW
anyone making these viruses. Additionally Commodore should mount a PR
effort to assure potential customers and dealers that the AMIGA is SAFE.
--
I am not speaking as an expert on the Amiga, viruses, or programming or
marketing. I am speaking as a concerned Amiga user who is using a reasonable
line of argument and has come to the conclusion that the Amiga Virus of
any type is seriously damaging to the Amiga.
--
===============================================================================
|| Paul Brody // The above is in no way meant to imply the ||
|| pbrody@udenva \\// opinions of the University of Denver ||
===============================================================================
Oh, my goodness. To quote Chicken Little,
"The sky is falling, the sky is falling!!"
All you need is a virus scrubber. CATS ought to be able to build one
with their eyes shut. In the Un*x world, these sorts of things have
been seen before, and dealt with. I'm sure you clever Amigans can
do it as well as anyone else.
In the mean time, put your shirt back on and do a little constructive
reasoning. This thing can only be spread by receiving and booting an
infected flop, right? So DON'T BOOT ANY FOREIGN FLOPS; copy them
onto known clean flops, the boot sector isn't copied in a
file-system-oriented copy (as opposed to a track-oriented copy).
Consider this the software equivalent of condoms ;-).
Yes, it is too bad that shareware/freeware/what-have-you-ware is not
entirely trustable any more. If it's too much of a risk, do
without. Or write it yourself. But _please_, don't panic and then
start making demands which will require a police state to enforce.
BTW, don't you think that your statement 'PR effort to ... is safe.'
is the height of hypocrisy and the kind of disinformation that I, at
least, normally associate with government security organizations
(CSIS, NSA and the KGB spring unbidden to mind... :-) ? Not to mention
that this would be totally counterproductive if, as you otherwise
seem to be arguing, you want the Amy community to tighten up on
security. I mean, either the amy is safe and you don't need to
worry about virii, or it isn't and you do need to worry. PR is not
the fix - PR is the _problem_, in this case.
mutter grumble panicky users grumble hysteria mutter ....
--
Ross Alexander,
Sr Systems Programmer & Bottlewasher @ Athabasca University
alberta!auvax!rwa
PS: flames will be sent to Facilities, it's -35 and we need the heat.
rwa
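
An added example, not part of any post in this thread: a Python check of the boot sector the post above refers to, reporting whether a disk's boot block would be executed at boot and whether its code matches one you have already vetted. It assumes the standard Amiga floppy boot block layout (1024 bytes, `DOS` magic, longword checksum at offset 4, code from offset 12), which the thread does not spell out; the sample blocks, code bytes and allowlist are constructed.

```python
import hashlib
import struct

BOOTBLOCK_SIZE = 1024   # first two 512-byte sectors of an Amiga floppy
CODE_OFFSET = 12        # after 'DOS'+flags, checksum, root block pointer


def wrapped_sum(block: bytes) -> int:
    """Add all big-endian longwords, folding each carry back in."""
    total = 0
    for (word,) in struct.iter_unpack(">I", block):
        total += word
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1
    return total


def with_checksum(block: bytes) -> bytes:
    """Return the block with its checksum field (offset 4) made valid."""
    zeroed = block[:4] + bytes(4) + block[8:]
    checksum = ~wrapped_sum(zeroed) & 0xFFFFFFFF
    return block[:4] + struct.pack(">I", checksum) + block[8:]


def code_digest(block: bytes) -> str:
    """SHA-256 over the code area only, so the checksum field is ignored."""
    return hashlib.sha256(block[CODE_OFFSET:]).hexdigest()


def classify(block: bytes, known_good: set) -> str:
    """'not-bootable' means the system will not execute this block at boot."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("expected the 1024-byte boot block")
    if block[:3] != b"DOS" or wrapped_sum(block) != 0xFFFFFFFF:
        return "not-bootable"
    if code_digest(block) in known_good:
        return "known-good"
    return "unknown-boot-code"


def make_block(code: bytes) -> bytes:
    """Constructed sample: header + code, zero padded, checksum fixed up."""
    header = b"DOS\0" + bytes(4) + struct.pack(">I", 880)
    return with_checksum((header + code).ljust(BOOTBLOCK_SIZE, b"\0"))


# Constructed samples; the code bytes are placeholders, not real boot code.
VETTED = make_block(b"SAMPLE-CODE-A")
ALTERED = make_block(b"SAMPLE-CODE-B")
DATA_DISK = b"DOS\0".ljust(BOOTBLOCK_SIZE, b"\0")
KNOWN_GOOD = {code_digest(VETTED)}   # allowlist you build from disks you trust

if __name__ == "__main__":
    samples = [("vetted", VETTED), ("altered", ALTERED), ("data", DATA_DISK)]
    for name, blk in samples:
        print(name, classify(blk, KNOWN_GOOD))
```

An `unknown-boot-code` result only means the boot code is not on your allowlist; commercial disks with their own boot blocks will report the same until you add them.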
This exact sentiment has recently been expressed on BIX, in the Amiga
forum, with various people and organizations "pledging" various amounts
of money towards a fund to provide rewards for information leading to
the source of virus, and to cover legal expenses of initiating prosecution
of those creating viruses. At last count, this was already at $1100 with
only 3 pledges. Think what kind of numbers we would be talking about if
every responsible Amigan pledged only $5 or $10. If it became standard
knowledge in the Amiga community that a minimum reward of $10,000 was
available for information leading to the arrest and conviction of these
computer vandals, I bet they would have second thoughts about their
hobby.
The biggest problem with such an organized effort against virus creators
is that nobody has yet stepped forward and offered to head up such an
effort. I'd volunteer, but I simply don't have the time now. I will
be willing to collect and forward pledges (the pledge, NOT the actual funds;
send no money at this time) to whoever ends up heading up the antiviral
effort. So send in those email pledges and postcards...
Fred Fish
1346 W. 10th Place
Tempe, Arizona 85281
-Fred ><>
--
# Fred Fish hao!noao!mcdsun!fnf (602) 438-3614
# Motorola Computer Division, 2900 S. Diablo Way, Tempe, Az 85282 USA
>I am calling for ACTION. This means a concerted effort by the Amiga
>community to locate and eradicate ALL viruses and find their sources.
>This calls for MONEY from Commodore and other 3rd party developers
>to organize this effort and to PUNISH to the MAXIMUM EXTENT OF THE LAW
>anyone making these viruses. Additionally Commodore should mount a PR
>effort to assure potential customers and dealers that the AMIGA is SAFE.
Boy this stuff has all the quality of USA Today. Commodore doesn't have
a responsibility to prosecute the virus criminals any more than Chicago
Cutlery has a responsibility to prosecute knife murderers.
On the other hand, as I said before, what they *could* do was modify
Kickstart so that the machine was less vulnerable. Are the 1.2 roms
socketed? I hope so.
Finally, would you or anyone else believe it if Commodore came out with
a news release that said the Amiga was now safe? I think it would hurt
their credibility more than help. Heck, I'd probably try to find ways
to prove them wrong.
Sean
--
-- Sean Casey se...@ms.uky.edu, se...@UKMA.BITNET
-- (the Empire guy) {rutgers,uunet,cbosgd}!ukma!sean
-- University of Kentucky in Lexington Kentucky, USA
-- "My feet are wet."
It may not be their responsibility, but it is certainly in their best
interest to try and protect the machine, by fixing Kickstart, by
providing a software "vaccine", and by prosecuting if possible. Maybe
the correct analogy is to the manufacturers of Tylenol after someone
laced the product with cyanide - they weren't responsible, but they
tried hard to make tampering more difficult, and they went to a lot of
trouble to communicate their efforts.
Jack Orenstein
This is not a disclaimer.
Sigh. This hasn't necessarily been true at least as far back
as the first Disk][ drive. Certainly not since hard disks became
available to just plain folks... There's no need to reboot (excepting
for initial startup) unless you're forced to run &^^$%#$ copy-protected
software from its own disk, rather than a legitimate copy from a
subdirectory of your hard disk. Let's not weaken arguments by using
examples without basis in history or fact.
> Even IBMs are less subject to this type of software virus because
> they are single tasks, so data disks are isolated.
You meant to say "single-tasking", and even with IBM machines, there
are any number of programs that read/write data from/to other programs'
output. (Amazing True Fact: There are some IBM personal computers
that have had hard disks attached that have actually been seen to
work! Some even have more than one program loaded and executable
from the disk!)
> Since the Amiga is a multi-tasking computer during the course of one
> session half a dozen disks containing the programs and data for
> as many programs can be destroyed!
If memory serves, I did the same sort of thing (admittedly sans
multitasking!) in the normal course of events years ago on the Apple//s
and Apple///s I used at work in an earlier incarnation. Fortunately,
no infected disks passed through my drives, as far as I know.
> I am not speaking as an expert on the Amiga, viruses, or programming or
> marketing. I am speaking as a concerned Amiga user who is using a reasonable
> line of argument and has come to the conclusion that the Amiga Virus of
> any type is seriously damaging to the Amiga.
As such a virus would be damaging to any other machine (even though
such lesser machines are understandably of less concern to this group).
Virus distributors are, in any environment, inconsiderate, asocial (is
that redundant?) entities. While shooting them on sight might be a
little extreme, perhaps the rack, or thumbscrews, could be profitably
returned to service.
seh
I've got a question at this point. Can't one thwart the virus
in the following manner?
1) Never NEVER boot from anything but an uninfected disk that
has its write-switch on the "can't-write-to-this-disk" position.
2) When one gets a new non-commercial disk, *always* use
INSTALL to overwrite anything in the boot-block, thereby killing off
the virus.
I may be missing something here...I am not sure. I haven't personally
been infected YET, but then again I've only had my Amiga for a week now!
>--
>Ross Alexander,
>Sr Systems Programmer & Bottlewasher @ Athabasca University
>alberta!auvax!rwa
-Chris
--
Chris Lishka /lis...@uwslh.uucp
Wisconsin State Lab of Hygiene <-lishka%uwslh...@rsch.wisc.edu
"What, me, serious? Get real!" \{seismo, harvard,topaz,...}!uwvax!uwslh!lishka
> "The sky is falling, the sky is falling!!"
You know, of course, that Chicken Little was actually falling off a barn,
headfirst, and it wasn't the SKY that was FALLING....
(Relevance? You want RELEVANCE???)
> In the mean time, put your shirt back on and do a little constructive
> reasoning. This thing can only be spread by receiving and booting an
?????? ^^^^ ??????????????????????????????????
> infected flop, right? So DON'T BOOT ANY FOREIGN FLOPS; copy them
> onto known clean flops, the boot sector isn't copied in a
> file-system-oriented copy (as opposed to a track-oriented copy).
> Consider this the software equivalent of condoms ;-).
As has been pointed out by others, though, the virus CAN be carried as
a piggyback along with existing software, so YES, don't boot foreign
flops, but maybe you might want to power down and reboot with your own
clean floppy after running any software whose source might be suspect.
(sigh - just realized I've contributed toward keeping the subject
alive).
But here are some more suggestions that I believe are valid, towards
creating a virus eliminator - the system libraries are partially RAM
resident when the system finally completes its boot up. After booting
with a clean floppy, the system library list could be checked or checksummed
perhaps to see if anything had left a patch behind, particularly in the
cold capture or warm capture vectors. Sure, because of dynamic loading,
the contents of the libraries might differ from boot to boot, but the
places to which the vectors would point in ROM or Kickstart would still
be the same.
It seems that the things we have to worry about most are those that
modify the system functions - since the kickstart and ROM memory areas
cannot be written to, it is the RAM resident part that could be checked.
Yes, it happens that some programs do not clean up after themselves
properly, and even Intuition can cause memory fragmentation if you don't
respond quickly to all messages it sends, but if a library checker
program were to be created, it could be run as part of the startup-sequence
perhaps (from that clean floppy, that is) and detect that there were
some (perhaps unintentional) tracks left over from the previous program.
Programs that write directly to physical memory as a means of hiding
virus code could still do that, but if there is no link to the code
through the system library entry points that we can check, it is
just like any other dirty memory that a program used and then discarded.
It'll get reused later on.
Looking forward to a resolution of this topic - I would dislike having
to take all of the steps necessary to protect myself - would hate to
lose a bunch of work because of something I could have prevented.
Maybe if this program does get created, I'd run it after any program
that I myself did not compile, rather than power off. (sigh).
Rob Peck ...ihnp4!hplabs!dana!rap
Yes, the above process will do it for the CURRENT crop of viruses, which
started with the SCA virus. It won't do it the minute a virus is "attached"
to a seemingly innocent PD program on a NON-bootable disk. When you run the
program, the virus will become active, and will try to infect all the disks
it can (All the ones without write protect). Besides infecting, it can also
do other nasty things (like delete ALL your files on a hard disk, which
normally does NOT have a hardware write protect). This type of virus/trojan
horse/masquerader is hell for SYSOPS, which usually have 100+ Meg disks.
In that case the usual recommendation is to try the program the first time
on a machine NOT attached to the hard disk (for example without installing
hddisk.device). It will also help to use TYPE file OPT h to inspect any
instance of DH0:, DH1:, etc...). And of course this is nowhere close to take
into account all possible cases. If you think that this is being paranoid,
ask anyone of the major PC-DOS BBS Sysops. It has taken over two years for
these things to start happening on the Amiga. The stated 500 thousands
machines sold make it finally a mass market product, with all the good
and bad things (i.e. viruses, widespread piracy) that come with that.
The important thing here is to make people informed. Talking about these
items at User Group meetings and make them understand the implications is
a good start. In my opinion, Commodore has been extremely quick in the
response (Vcheck1.0 was out just a few days after the SCA virus was reported).
-- Marco
While this would thwart the so-far-observed forms of the Amiga's
boot block virus, it would not stop other forms of worms, bombs,
trojan horses or retro-viruses. Obviously, to reproduce, the virus
must write to someplace. Unfortunately, there are plenty of places
to which a generalized reproduction program may write. How about
RAM, for instance? Do you know of any computers that do not have
RAM? Isn't RAM practically part of the definition of a computer?!!!
Once the program has written the appropriate stuff to RAM, it can
usually get any number of system routines to help install the stuff
in a more durable place - like on the tail end of a binary file (with
an appropriately modified checksum, for instance). A retrovirus might
be a virus that is assembled from scattered words located in several
system routines, perhaps nothing more than a file of pointers to
copyable words (words that may be profitably interpreted as instructions
or instruction operands if they are delivered to the IR or MAR).
A retrovirus writer could choose words that have a low probability of
being changed to something harmless by re-compiling a system routine.
If he gets help from the ADA operating routines, he could call them
Government AIDS.
This can be done for ANY KNOWN personal computer. Buggar an ST - Whack
a Mac - gnome a PC clone in clature. Of course, the good gnus is that
such things are variously detectable. And that's the problem: variously.
Somebody has to do some work to muster a counter-attack, and that's the
bad gnus.
>
> 2) When one gets a new non-commercial disk, *always* use
>INSTALL to overwrite anything in the boot-block, thereby killing off
>the virus.
And thereby killing off the commercial developer's specialized boot
block, too, eh? Go ahead. Cut the gonads off your $300 plus word
processing package just to get at some fool's trojan gimmick. And,
what if some wise guy sneaks a boogered version of INSTALL onto a
bootable PD disk. How long will it take before anyone finds out that
their attempt to cure the virus is installing delayed shorts in all
sets of their electric underwear?
>
>I may be missing something here...I am not sure. I haven't personally
Yeah, I think you are missing something here. You are missing the fact
that in order to protect yourself from viruses you have to have a machine
with no writeable words - a sort of hard programmed controller, maybe?
>been infected YET, but then again I've only had my Amiga for a week now!
So set ALL the write protect tabs on ALL your disks to READ ONLY. A week
after that, submit another article to the net telling everyone what amazing
things you can do with your computer, and why you're really glad you got
one with so many features...
I'm not trying to be a smart ass, but [I'm sorry, it's such a natural for
me, though :-) ] gosh.
And after you have developed a virus detector (an unusual activity detector,
really) try this one:
"A man skilled in technical electronics decides to rob a bank. He decides
that the best method is a delayed trojan horse system. He knows that the
bank monitors its software meticulously for such things, and does have an
unusual activity detector that monitors address space accesses and space-time
signatures. However, he also knows that the system only functions during
regular business hours, and that part of the time each day is devoted to
running diagnostics. So the first thing he does is that he gets a job with
the company that maintains the bank's computer disk drives. He gets hold of
a disk controller card. He decodes the disk controller's ROM, and determines
where the inactive words in the ROM are, and where the ROM checksum is stored,
or how it is calculated. He then writes a program that at some future date
(Like December 31, 1993) during non-diagnostic times either exports a program
onto the computer's DMA bus (where it will not be spotted by the op sys's
scheduler), and/or he accesses certain of the system's peripherals directly to
use the computer's DATA NETWORK facilities to call HIM up at a pre-arranged
phone number and ask for instructions concerning a particular funds transfer.
He installs the program in a set of ROMs (with his homemade burner) and pops
the ROMs into a disk controller that he knows will eventually be swapped into
the bank's disk drives some time after he leaves the company. He then waits
for his 1993/4 New Year holiday... When the bank opens on January 2 1994, he
transfers his money to Switzerland (appropriate, eh?) and scrams to Europe."
Ok, if I can think this one up in 15 minutes just sitting here, think of
what somebody with some brains can do. The only solution is to make sure
everyone is gainfully employed at suitably rewarding but less risky work...
Now Then, ::Pirated from Bryce Nesbitt::
"Your theory is crazy... but not crazy enough to be true." -Niels Bohr
> -Chris
Howie the Horrid
hu...@hao.ucar.edu
> -Chris
--
Dan Schein uucp: {ihnp4|allegra|burdvax|rutgers}!cbmvax!schein
Commodore AMIGA ARPANET: cbmvax!sch...@uunet.uu.net
1200 Wilson Drive Bix: dschein Plink: Dan*CATS
West Chester PA 19380 phone: (215) 431-9100 ext. 9542
+----------------------------------------------------------------------------+
All spelling mistakes are a result of my efforts to avoid education :-)
+----------------------------------------------------------------------------+
I help Commodore by supporting the AMIGA. Commodore supports
me by allowing me to form my own suggestions and comments.
.Just a thought...
AmiGuy
> I am calling for ACTION. This means a concerted effort by the Amiga
> community to locate and eradicate ALL viruses and find their sources.
> This calls for MONEY from Commodore and other 3rd party developers
> to organize this effort and to PUNISH to the MAXIMUM EXTENT OF THE LAW
> anyone making these viruses. Additionally Commodore should mount a PR
> effort to assure potential customers and dealers that the AMIGA is SAFE.
> ==============================================================================
> || Paul Brody // The above is in no way meant to imply the ||
> || pbrody@udenva \\// opinions of the University of Denver ||
> ==============================================================================
I agree with your concern. These viruses are a problem to both the health of
our systems and to our community as a whole. I do think, however, that the
"excessive force" you suggest to stop these immaturish and dangerous pranks may
tend to force them to increase their activity. First of all, until you can
convince the virus writers they CAN be caught (of which I am unsure) they will
not fear the penalty. Secondly, considering their mentality, they may consider
it a game of Blind-Man's-Bluff. Commodore is blind folded and they run around
taking pot shots at it while staying safely out of both its sight and reach.
================================================================================
Jim Sewell "Make knowledge free!"
{husc6 | mit-eddie}!bloom-beacon!coplex!jim "Just let me get my hands on him!"
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Bill Koester (CATS) >>Commodore Amiga Technical Support<<
Commodore International Ltd. UUCP ..{allegra|burdvax|rutgers|ihnp4}!cbmvax!bill
PHONE (215) 431-9355