June 1990 ISSN 0956-9979 THE AUTHORITATIVE INTERNATIONAL PUBLICATION ON COMPUTER VIRUS PREVENTION, RECOGNITION AND REMOVAL Editor: Edward Wilding Technical Editor: Fridrik Skulason, University of Iceland Editorial Advisors: Jim Bates, Bates Associates, UK, Phil Crewe, Fingerprint, UK, Dr. Jon David, USA, David Ferbrache, Heriot-Watt University, UK, Dr. Bertil Fortrie, Data Encryption Technologies, Holland, Hans Gliss, Datenschutz Berater, West Germany, Ross M. Greenberg, Software Concepts Design, USA, Dr. Harold Joseph Highland, Compulit Microcomputer Security Evaluation Laboratory, USA, Dr. Jan Hruska, Sophos, UK, Dr. Keith Jackson, Walsham Contracts, UK, Owen Keane, Barrister, UK, Yisrael Radai, Hebrew University, Israel, John Laws, RSRE, UK, David T. Lindsay, Digital Equipment Corporation, UK, Martin Samociuk, Network Security Management, UK, John Sherwood, Sherwood Associates, UK, Roger Usher, Coopers&Lybrand, UK, Dr. Ken Wong, BIS Applied Systems, UK KNOWN IBM PC VIRUSES CONTENTS (UPDATE) 11 EDITORIAL TOOLS & TECHNIQUES Computer Viruses as Weapon Dynamic Decompression, Systems 2 LZEXE and the Virus Problem 12 PROCEDURES WORM PROGRAMS Training and Awareness 3 The Internet Worm - Action and Reaction 13 FEATURE ARTICLE PRODUCT REVIEW The Bulgarian Computer Viruses - ‘The Virus Factory’ 6 Certus - Tools To Fight Viruses With 18 ANTI-VIRUS SOFTWARE END-NOTES & NEWS 20 FOR IBM PCs 10 VIRUS BULLETIN ©1990 Virus Bulletin Ltd, England./90/$0.00+2.50 This bulletin is available only to qualified subscribers. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, magnetic, optical or photocopying, without the prior written permission of the publishers or a licence permitting restricted copying issued by the Copyright Licencing Agency. Page 2 VIRUS BULLETIN June 1990 Research in effective methods or strategies to remotely EDITORIAL introduce such viruses should be conducted. Efforts in this area should be focused on RF atmospheric signal transmis- sion such as performed in tactical military data communica- Computer Viruses as Weapons Systems tions.” There has been some speculation recently about military research into For some extraordinary reason, this project has been ‘farmed out’ to the use of virus programs to disrupt enemy computer and communi- private enterprise. Jim Vavrina, a computer security specialist with cations systems. Military electronic countermeasures (ECM) might, it the US Army Information Systems Software Centre who uploaded has been argued, encompass computer viruses, worms and other the message, says: “Admittedly, myself and my colleagues are quite forms of replicating attack programs. This speculation is almost surprised that something of this nature would be put on the streets for impossible to substantiate. In the UK for instance, electronic research and not use the expertise internally available.” intelligence (ELINT) and signals intelligence (SIGINT) are highly classified fields and no information about research and development Program Solicitation 90.2 might lead us to conclude that the US projects is made publicly available. Department of Defense has 1) been very slow to appreciate the virus threat and its implications for security and electronic warfare and Interception of enemy communications and cipher-breaking are the 2) regards the issue rather casually and believes it unnecessary to primary SIGINT and ELINT functions. Recent military computer use its immense ‘in-house’ resources for research and development security efforts have attempted to counter ‘leakage’ - the capacity for purposes. enemy intelligence to intercept information processed by computers. Leakage can occur through electromagnetic radiation emanating from Alternatively, Program Solicitation 90.2 could be regarded as a terminals, processors and cabling and this has led to the development classic example of disinformation to conceal the true extent of US of TEMPEST shielding designed to confound eavesdropping. military virus research. Another possible cause of leakage is the Trojan horse or ‘sleeper’ program designed to exploit covert channels and assist illicit communication to unauthorised parties. Viruses, worms and Trojans Morris Sentenced can be used to exploit covert channels and incoming software for Robert Morris has avoided a prison sentence for attacking the US high security computing systems is usually supplied as source code DARPA Internet network. In early May a Federal judge placed him for prior analysis. Covert channels are discussed in the US Depart- on three year’s probation, ordered him to complete 400 hours of ment of Defense Trusted Computer System Evaluation Criteria - the community service, and imposed a fine of $10,000 payable within ‘Orange Book’ - and are a major consideration in the design of secure twelve months. computer systems. * An interesting aspect of the case was the estimated level of damage Offensive Applications (assessed in US dollars) caused by the program. A report from John McAfee of the Computer Virus Industry Association claimed that the Securing information is a defensive measure. Military agencies are Internet worm had caused a staggering $96 million dollars of equally interested in offensive operations. This might involve damage. This report was dismissed as “grossly exaggerated and self- intercepting enemy communications and information and, if serving” by the Cornell commission of enquiry into the incident necessary, destroying or disrupting those facilities. The following headed by Mr. M Stuart Lynn. A figure of $200,000 quoted by Gene information appeared recently on the Virus-L conference: Spafford of the University of Purdue has been accepted as a realistic The US Department of Defense recently published a booklet estimate of the damage inflicted by most knowledgeable observers. titled PROGRAM SOLICITATION 90.2 FY-1990 SMALL As VB reported in April, hackers are still penetrating Internet and BUSINESS INNOVATION RESEARCH (SBIR) PROGRAM. according to some reports the network’s security is as lax as it was Page 45 contains project A90-217 ‘Computer Virus Elec- before the Morris program struck. There is still concern that known tronic Countermeasure (ECM)’. This project, for ‘exploratory bugs and trapdoors in this and other wide area networks remain development’ is a feasibility study to determine: unfixed, that issued ‘patches’ are being ignored by systems adminis- “The potential for using ‘computer viruses’ as an ECM trators and that manufacturers and vendors are failing to address technique against generic military communications systems/ network security. In the UK, the Joint Academic Network (JANET) nets. The goal shall be to determine the feasibility of remotely remains particularly vulnerable to security breaches with little introducing a virus into a system/net and analyzing its effects concerted effort being made to ‘plug the gaps’. on various subsystem components. The Morris sentence (widely regarded as lenient) will probably do DESCRIPTION: The purpose of this research shall be to little to deter network pranksters, either in the US or elsewhere. investigate potential use of computer viruses to achieve Under the circumstances a repeat of the Internet worm, or similar, traditional communications ECM effects in targeted communi- seems inevitable. cations systems. These effects can include data (information) * Trojan horses and covert channels will be the subject of a commis- disruption, denial, and deception, but other effects should sioned article to appear in VB, volume II. also be researched such as executable code in processors, memory storage management, etc. VIRUS BULLETIN ©1990 Virus Bulletin Ltd, England./90/$0.00+2.50 This bulletin is available only to qualified subscribers. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, magnetic, optical or photocopying, without the prior written permission of the publishers or a licence permitting restricted copying issued by the Copyright Licencing Agency. June 1990 VIRUS BULLETIN Page 3 PROCEDURES What Should Be Explained? This depends upon the computing experience of the audience. The most basic presentation might include the following points: Training and Awareness 1. A computer virus (never use the term ‘data virus’) is a program that modifies normal programs to include a copy of itself. Viruses also spread from one computer to another. This Computer viruses are created by people and are spread by can happen on a network or with stand-alone computers. people. There are no purely technical solutions to the virus Computer viruses are created by people to damage and disrupt problem because productivity depends upon people using computer systems. (Depending on the level of user knowledge, computers and software. Unless floppy disk drives are dis- it may be necessary to distinguish between programs and data. abled, the user will always be able to install software and Emphasise that pure data cannot spread viruses). execute it. 2. Viruses are particularly dangerous because they do not Thus, there is no point in implementing technical security reveal their presence until they ‘trigger’. After triggering, some measures if a) people will not use them and b) people fail to viruses destroy everything stored on the computer. understand why particular measures are necessary. 3. Programs (software) can spread viruses. In most office Good management depends upon clear and straightforward