Chaos Digest    Monday 15 March 1993    Volume 1 : Number 14

Editor: Jean-Bernard Condat (jbcondat@attmail.com)
Archivist: Yves-Marie Crabbe
Co-Editors: Arnaud Bigare, Stephane Briere

TABLE OF CONTENTS, #1.14 (15 March 1993)
File 1--Reactions to "C'est decide! J'ecris mon virus" (Re: #1.01)

Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost from cccf@altern.com. The editors may be contacted by voice (+33 1 47874083), fax (+33 1 47877070) or S-mail at:

    Jean-Bernard Condat, Chaos Computer Club France [CCCF], B.P. 155, 93404 St-Ouen Cedex, France

Issues of Chaos-D can also be found on some French BBS. Back issues of ChaosD can be found on the Internet as part of the Computer underground Digest archives. They're accessible using anonymous FTP from:

    * kragar.eff.org (192.88.144.4) in /pub/cud/chaos
    * uglymouse.css.itd.umich.edu (141.211.182.91) in /pub/CuD/chaos
    * halcyon.com (192.135.191.2) in /pub/mirror/cud
    * ftp.cic.net (192.131.22.2) in /e-serials/alphabetic/c/chaos-digest
    * ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD
    * nic.funet.fi (128.214.6.100) in /pub/doc/cud
    * ftp.warwick.ac.uk in /pub/cud

CHAOS DIGEST is an open forum dedicated to sharing French information among computerists and to the presentation and debate of diverse views. ChaosD material may be reprinted for non-profit as long as the source is cited. Some authors do copyright their material, and they should be contacted for reprint permission. Readers are encouraged to submit reasoned articles in French, English or German languages relating to computer culture and telecommunications. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Chaos Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections.

----------------------------------------------------------------------

Date: Tue Feb 23 20:06:14 CST 1993
From: ymcrabbe@altern.com (Yves-Marie Crabbe)
Subject: File 1--Reactions to "C'est decide! J'ecris mon virus" (Re: #1.01)

PROHIBITION ON THE RELEASES

Date: Thu Oct 22 14:02:46 EDT 1992
From: seborg@first.org (Brian Seborg)

While I do not believe it should be legal to release viruses into the public and that severe penalties should be leveled at anyone guilty of doing this, I do not see much harm in making available to the public information which the computer underground has had for some time. The only risk is that books such as these decrease the inherent "cost" and time that a virus writer must normally spend in order to obtain sufficient information and expertise to enable him/her to write viruses. In the past, this "cost" has acted as a barrier of entry for most virus writers. If higher quality information is presented in a concise form, then the danger is that there will be more people able to write viruses than before. In addition, if you provide people with source code for viruses, then they can learn from the mistakes and successes of these viruses and come up with more sophisticated viruses. This is dangerous if no prohibition on the release of these viruses into the public is enacted.

The English language version of the book is already in print, I see little additional harm coming from a French translation. The damage has already been done.

Brian Seborg
VDS Advanced Research Group

McAFEE, HOFF & HOFFMAN ARE BAD

Date: Wed Oct 14 11:47:27 GMT 1992
From: bontchev@informatik.uni-hamburg.de (Vesselin Bontchev)

Hi!

Ah, yes, McAfee is master of the media shows... :-\ He does this much better than fighting viruses...
:-( The only thing that he does even better is making money... :-)

Umm, I have here "Les virus. Methodes et techniques de securite" by Jean-Claude Hoff... There are so many mistakes in his book... He reminds me of Patricia Hoffman. Probably has the same level of knowledge about viruses... :-)

[...]

Well, I have to admit that their package contains a really good integrity checker... The best one I have ever seen. But what they are saying - that it's the absolute weapon against viruses, is of course not true. I can think of a couple of attacks that can be used by a virus to slip through their protection... There's no such thing as absolute protection against viruses, unless you decide to make your computer unusable... :-).

Well, the last time I've seen their ads, it was "l'arme absolue contre les virus"... :-) Having in mind how bad most virus protection schemes are, theirs is indeed incredibly good. And having in mind how difficult it is for the user to use an integrity checker at all, theirs is indeed very easy to use...

Regards,
Vesselin
--
Vesselin Vladimirov Bontchev
Virus Test Center, University of Hamburg
Fachbereich Informatik - AGN
Vogt-Koelln-Strasse 30, rm. 107 C
D-2000 Hamburg 54, Germany
Tel.:+49-40-54715-224, Fax: +49-40-54715-226
e-mail: bontchev@fbihh.informatik.uni-hamburg.de
PGP 2.0 public key available on request.

ONLY IDIOTS COMPILE VIRUS CODES

Date: Thu Oct 22 11:02:53 PDT 1992
From: sbonds@jarthur.Claremont.EDU (007)

This is correct, the fact that "Stoned", a boot sector virus, remains the most common MS-DOS virus shows that most viruses are transferred between friends/coworkers by disk exchange. However, the reason MS-DOS viruses are not more commonly spread through networks is not because of the number of "steps" needed, but rather because MS-DOS viruses cannot function except on MS-DOS machines. Putting a MS-DOS virus on a UNIX machine renders it useless, until it gets transferred to a MS-DOS machine again.
(Which it will be unable to do on its own.)

I would even go so far as to say that MOST are not deliberately destructive.

This is true. New viruses are rather rare in the wild, in part due to the efforts of those who provide antivirus software. In all my experience with viruses, I have only seen ONE new virus in the wild.

I have seen many, many people without any sort of virus protection come to me after the virus has made its presence known asking for help. Often it's too late then. Even a feeble program like SCAN is better than nothing.

Fears that people with source code will somehow magically create whole new viruses are, IMHO, unfounded. If a person knows enough about DOS and assembly to be able to interpret the code, then they also know enough to create an entirely new virus. The worst that could happen is that some idiot could compile the code, run it, and infect himself. This is a great way to learn first-hand what viruses can do.

So far as I know there is no US law forbidding this either, and there can't be. (That Bill of Rights is useful at times... ) However, the "moral majority" often gets its way on issues like this.

VIRUS-FIGHTING FOUNDATION

Date: Thu Oct 22 15:57:58 EDT 1992
From: Kevin_Haney@CU.NIH.GOV

Since you asked twice, I will tell you what I think. My opinion is that the book should not be published. I believe it is a completely self-serving and money-making scheme. If you put a "Forbidden" label on a product, that will only make people want to buy it more. The author's claim that you can't be a real computer security person if you haven't seen the source code of a live virus is bullshit. The publishing of viral source code is a very irresponsible act, however you attempt to justify it.

At the IVPC conference last year, David Stang challenged the book author to donate all of the proceeds to a virus-fighting foundation if his motive was really to help computer security professionals. He declined.

I BEGIN BANNING BOOKS

Date: Tue Oct 27 09:52:57 CET 1992
From: lschumac@mainz-emh2.army.mil ("Ludwig (Lu) Schumacher ->")

I would prefer NOT to see this book on the market. It makes it too easy for those who might not otherwise have the requisite knowledge to start playing games. While these viruses should be easily recognized by most of the Anti-Virus programs, not everyone has (or regularly uses) one. Further, once 'trained', it becomes easier to develop more malicious programs.

Having said all that, I will add that we would tread on very thin ice should we ever begin banning books.

DO-IT-YOURSELF PACKAGE & TWIT

Date: Wed Oct 28 08:53:30 -0700 1992
From: martin@cs.ualberta.ca ("Tim Martin; FSO; Soil Sciences")

Well, I haven't seen Kephart's study, so I can't comment on whether this is a legitimate summary of it. In my limited experience I would agree that networks are rarely a factor in virus spread. And by far the majority of viruses I have seen or had good descriptions of are poorly written, usually simple stupid modifications of a few common viruses. Almost all virus writers work alone. They have found a virus, disassemble it and try to make "improvements" on it. The few writers who are members of virus writing clubs, or are connected by InterNet, FidoNet, or VxNET have little impact on the "virus problem" as experienced by the end-user.

I don't quite follow what knowledge CCCF is reputedly advancing: the fact that viruses are by and large poorly written and ineffective? Or is this saying CCCF is trying to encourage more "quality" in viruses? Given I don't know what Schmidt is arguing, nor why CCCF is publishing the (rather poor) book, I can hardly comment.

No doubt these are all facts. The book does have virus code. The viruses are easily defeated. I don't know French law, and of course the warning about responsible adults and 18 years old is present, but it is utter nonsense, an attempt by Ludwig to cover his ass.

I'm not sure whether you want my thoughts on publishing such a book. Personally I feel that the best way to stop the virus problem would be for the average user to understand how viruses work. So I work hard to educate people on how viruses really work, at the technical level. However I don't publish virus code, because as soon as one has virus code, one no longer needs to understand how viruses work to write viruses. All they have to do is compile the code. So any twit with a self image problem can spread new viruses simply by using the do-it-yourself package. I've seen too many such viruses, and such twits.

But I'm sure that in the overall scene, the French issue of Ludwig's book is likely to have about as much effect as the English version has had: "diddly-squat". No doubt the publicity is nice, though. =:)

NO BIG HIDDEN SECRETS

Date: Wed Oct 28 18:35:13 1992
From: ROP@hacktic.nl

Viruses are only a threat if the general public does not understand them. Most virus panics are caused by this lack of knowledge. It's very good that books like this are available, so that everyone that wants to can have access to information that details how viruses work. There are NO big hidden secrets that could destroy the world, viruses are simple programs that anyone with a good understanding of operating systems can write. Virus writers don't need these books anyway.

+++++
Rop Gonggrijp (rop@hacktic.nl)
fax: +31 20 6900968
Hardened and capable of making considerable trouble.

FOR MISCHIEVOUS PEOPLE

Date: Wed Oct 28 17:47:38 PST 1992
From: Pua_Yeow_Cheong.xssc@rxsgp.xerox.com (Yeow Cheong.)

I am a software engineer with Xerox but I am not familiar with virus codes. Anyway, here is my opinion regarding your mail.

I have never read the book you mentioned before but from the fact that it was censored in the US and it teaches you how to write virus, I can guess that it must contain some harmful elements in it.

The problem with publishing the book for the newsstand is that you cannot control who gets the book. For all your well intentions, this book will most likely also land up in the hands of those mischievous people who are out to create trouble. Then we will see a proliferation of new virus, starting with France, maybe throughout the world.

No matter what Kephart says about his new theory, the fact that computer virus have spread to most computers in the world (Even my PC at home in Singapore has been infected before) is enough proof that virus do spread effectively. And with networking becoming more and more common, it will not be long before virus spread itself via networks. Even though the virus can eventually be destroyed by current anti-virus methods, but before these new virus can be detected and all destroyed, who knows how much destruction they will cause before that. And these information they destroy might be important information in the banks or hospitals.

If your intention in publishing the book is to prevent virus infection through knowing how virus work, I would suggest you control the sale and sell only to licensed anti-virus software companies who need the information. If you want to make the book for the newsstand, then you should remove all the parts teaching people how to write virus. If your intention is not the above, my opinion is that you shouldn't publish the book at all.

Please consider carefully before making your move. Good luck.

COMPUTER PROFESSIONALISM/ETHICS

Date: Tue Nov 3 14:49:12 CST 1992
From: cepek@vixvax.mgi.com ("Mike Cepek, MGI")

I personally don't like many of the implications made in the article you enclosed, "Making The News and Bookstands", in particular those related to viruses not being a real threat.

I am not familiar with Mr. Kephart's work. The conclusions stated in the article don't surprise me all that much at face value. However, I feel that they are probably used out of context (and, I would assume, without Mr.
Kephart's permission) to further the ends of `chaos'.

Viruses affect real people and real companies, and have caused real damage, resulting in real money and time lost. The people affected are innocent. In far too many cases, the virus authors set out to cause damage intentionally. In my opinion, malicious viruses are bad. To encourage them in any way is also bad.

If it were me, I would not be involved in the release of such information, since it is more likely to cause further harm than good. There are many sides to this issue, more than I care to go into here (freedom of expression, general social benefits from releasing confidential information, educational/research reasons, general moral and ethical issues, computer professionalism/ethics, etc.).

I certainly cannot prevent "The Black Book" from being published, nor will I try. However, if it were me, I probably would find more constructive things to do with my time and energy.

______________________________ Mike Cepek ______________________________

VIRII ARE "TOYS"

Date: Wed Nov 4 21:09:18 GMT 1992
From: hps@sdf.LoneStar.ORG (Holt Sorenson)

I believe firmly in the idea of free speech. I think that the publishing of this book is not anything to worry about for several reasons. I've seen many of the virii that have resulted from this publication and they are not any worse than the majority of virii in the community now. For the most part they are overwriting, non-parasitic, non-resident programs that replicate.

The concepts behind virii are quite simple and any programmer with a couple of years of experience can write a virus. A virus can even be programmed with DOS's batch language. Assembly is not by any means necessary, but it is the best language because it allows full access to the machine's capabilities and compiles the smallest code.

Bearing in mind that virii are "toys" that programmers play with, that free speech is essential in democratic societies, that the ideas presented in that book are not the most advanced in virus technology, and that the "adults" that read the book will act responsibly, I see no problem with the publishing of the book.

If the book is a catalyst for a computer virus epidemic in France, then that is one of the consequences of releasing such information. Computer users need to be prepared for that consequence.

Miscellaneous: Are you guys into the hacker, phreaker, virus scene? Why did you decide to release the translated book?

I FOUND VIRUSES DISGUSTING

Date: Thu Nov 5 11:51:15 CET 1992
From: EKRISTIA@estec.estec.esa.nl ("E. Kristiansen - WMS")

On one hand, I find computer viruses disgusting, and I think most people using computers for professional purposes would agree with me.

On the other hand, I am afraid that viruses are here to stay. The techniques are sufficiently well known that anybody who really wants can put their hands on them. One publication more or one less is not going to change that very much.

The only thing, to my opinion, which can improve the picture slightly is education, in the sense that potential virus-writers might be brought to realize the consequences of what they are about to do. But social behaviour is not very popular today in the western world.

I think the only thing computer professionals can do is defensive measures:

- make good and frequent backups so you can recover if contaminated
- be very careful about who has access to your computer, and what they put into the disc drive. Avoid any discs whose origin you do not trust.

This being said, I am not in favour of publishing your book, it's a bit like publishing how to break into a house: Anybody can find out how to do it, but reading a book on the subject might be an incentive to actually try it out.

The warning "Forbidden for readers not 18 years old" (I suppose you mean "readers below 18 years"?) should be enough incentive for a lot of below-18's to buy the book. If such a "warning" has any effect at all, it is likely to be the opposite of the intended one.

LITTLE DANGER

Date: Thu Nov 5 12:18:30 MET 1992
From: bartjan@stack.urc.tue.nl (Bartjan Wattel)

I think that one major factor must be considered: Are the sources that are listed the original sources, or were they 'reversed engineered'?

I think, that if the sources are original, most of them won't be very complex nor very ingenious. Having this in mind, I see no harm in publishing virus listings. In fact, since virus-programming has several nice features and is somewhat challenging, I think it could be very interesting finding out how viruses work.

But, there'll always be some people who modify some listing and release it. Since the listings are not that complex, and any anti-virus program will find it, I think there is little danger. I feel that all companies should at least run a simple virus-detecting program once a day.

In my opinion, the problem lies in publishing very *smart* virus-codes. At that point, building an even smarter virus shouldn't be very difficult. This could lead to problems when such viruses are being released.

So, my opinion: publish only the *easy* virus-codes, e.g. codes from long-existing viruses that will be detected and removed by any known anti-virus program.

I hope this helps you. I'm always in for answering questions or joining a discussion about viruses.

Bartjan Wattel at Eindhoven University of Technology, the Netherlands

I DID UNDERSTAND THE TITLE

Date: Thu Nov 12 09:32:00 EST 1992
From: CMARTIN@unode2.nswc.navy.mil ("PGE")

As to virus pathology, I agree that most common virus vector is exchanging of disks as opposed to network connections.
Why, because it is easier to create a virus that does only one thing, infect the next disk, than to have one that can go from disk to net to disk. Also, except for networks with open access (colleges and the like) users have no reason to wish to harm each other, so they won't try to create viruses. Sure they may bring in a pirated copy of tetris which is infected, but a virus that can identify the network (I do believe that many different protocols exist) and do the necessary harm is going to be a lot longer than a simple virus, and therefore easier to spot. Networked computers also run a lot more anti-virus software than many home users thereby making infection and transmission harder.

The book. Well I believe in free speech. I was hoping to buy the book here, but if it is censored then I guess I shall have to brush up on my French (I did understand the title at least) and get that version. Such books might help the malicious, but it also lets the anti-virus forces see what information is being used to write these viruses, and thereby be able to combat the viruses more effectively.

Finally, selling the book to those only 18 and older is sad. This book is now being lumped together with Madonna's new book (though I don't know if you have to be 18 to buy that in France).

WRITE ONE YOURSELF

Date: Thu Nov 12 09:37:25 -0600 1992
From: sears@tree.egr.uh.edu (Paul S. Sears)

I think that a book such as this is a good thing to publish. Viruses are generally simple to write and any one with basic programming skills can create such a beast. It is their skill in programming and design that determines how "successful" the virus is.

The general computing community can better defend itself from the onslaught of virus attacks if they have a deeper understanding on how a virus operates. And what is the best way to see how a virus operates? Write one yourself. Or, at least look at _real_ examples of virus code.

Banning knowledge because it may "enlighten" the un-enlightened, is something I don't agree with. I think that everyone should have the opportunity to know everything they can. Keeping the "secrets" of virus design to the underground and/or professional circles leaves the everyday Joe User out in the cold. Knowledge is the best weapon and can be the best defense to such a situation.

In the site that I manage, I make an effort to inform all of my users of all possible security threats (related issue). If there was a threat of virus infection on our unix platforms, I would make every effort to inform my users of what that threat is, and to help them understand the design and intent of such threat.

Most learn by experimenting, like when I was a child, I used to tear apart _anything_ mechanical to understand how it worked. I think the same applies here for virus code.

And besides, there are other sources of virus code floating around. If someone wants it bad enough, they can easily get it.

--
Paul S. Sears * sears@uh.edu (NeXT Mail OK)
The University of Houston * suggestions@tree.egr.uh.edu (NeXT
Engineering Computing Center * comments, complaints, questions)
NeXT System Administration * DoD#1967 '83 NightHawk 650SC

VIRUSES IN THE WILD

Date: Mon Nov 16 14:13:04 EST 1992
From: sara@gator.rn.com (Sara Gordon)

i've not seen this -new- kephart study. the most recent one i have seen is the one detailed in some conference proceedings. it is not a new study. i did use it to document the 'viruses in the wild' portion of my recent study on virus exchange bulletin boards.

i have not seen any of the book viruses, although i have the book. my purchase of the book was 'documented' in the underground publication phrack. hope you read the rebuttal, phrack40a, which corrected the many glaring inaccuracies in the original. better yet if you had not wasted your time with the original.

increase knowledge with the publication of a translation of -that- book? ah, c'mon.
have you read that book? if you want to increase knowledge, you could just translate the parts that tell about viruses. the book is a do-it-yourself guide to writing viruses, enabling someone who has the energy to type in the listings (or purchase the disks) to produce viruses without knowing how to program. Now, tell me, of what purpose is the type of info in this book regarding how viruses work to anyone who does not know what the terms mean? the 'advance knowledge' might be more readily achieved amongst the potential users of this book by publishing instead some basic tenets of responsibility, ethics...

what exactly is the knowledge you are trying to advance? the only thing this book deals with is how to write viruses, or more specifically how to type in some codes and get them without really knowing why it works, for without a basic understanding of programming, a person won't understand the explanations of the book--and, if they have this understanding they won't NEED this book to 'explain' it.

this book has not been banned anywhere that i know of. i don't know of any law against publishing virus codes. however, you must be aware that it will be used by people who want to experiment, that is if they have the determination to type in that long code. laws are another matter entirely, as are freedoms. i think the key issue here is really responsibility. one has to decide which side of the fence one wishes to reside on.

--
Talk to me about computer viruses.
sara@gator.rn.com
SGordon@Dockmaster.ncsc.mil
vfr@netcom.com
Sara Gordon
Fidonet 1:227/190
Virnet 9:10/0 9:101/0

REAL COMPLEXITY OF CREATION

Date: Sun Nov 22 18:50:18 EST 1992
From: btwalker@eos.ncsu.edu (aka drchaos)

Problem is that there is always a threat. However most people don't consider themselves to be at risk until the media brings a gross distortion of a viral threat to each and every one of us.

Writing viruses is much more difficult than slapping together some code and running it through a compiler.
It requires integrity checking and code evaluation to merge the best possible combination of replication and anti-detection features. With a manual that tells one how to put together a virus, we may see an increase in defective, mass destructive viruses that tend to annihilate themselves, but i believe that there will be few, if any, truly dangerous viruses released because of the recent developments.

Actually i believe that most viruses spread through the public BBS networks that operate in this country. Many thousands of files are transferred and distributed all across the land, some without regard to the file's content. i for one know of people who download a file from one system only to upload it to another system. A virus embedded in one of these files can spread very far at 9600 bps.

The reason most viruses don't spread very well across standard, non-human motivated networks is due to the complexity of creating a computer virus. The only program that achieved this to my knowledge was the internet worm, which was 3000 lines long, in C. Thus most virus writers will stick to the environment they are most familiar with and generally ignore the networks.

Physical exchange of disks will soon decline in infection percentages as more and more computers are connected to networks and it is no longer necessary to exchange diskettes.

Only the viruses that are written by dedicated individuals will prosper. The others will fall victim to common bugs and uncommon situations that can occur when a program is existing in close proximity with the hardware and operating system.

Any virus can be detected and defeated given enough time to study it and its patterns of infection. However the easiest to detect are not the most dangerous. These viruses are most likely the creation of someone with a weak sense of direction that somehow got lucky and created a working virus.
They perhaps may suffer from a slightly anti-social outlook on life and merely want to vent their frustration on the unsuspecting computer using populace. The dangerous viruses are those that wait and cause small changes in non-essential files over an extended period of time. These viruses are hard to detect if successful and one can only develop a vaccine if one knows what to look for.

I believe that the spread of knowledge should not be deterred. i approve of distributing all knowledge even if the knowledge has potential disruptive abilities. As i have stated before, very few people will be able to create a harmful working virus. Those that do manage to produce one will have developed a program in which it is compromised enough to not be effective in modern computer environments. Furthermore the knowledge may stimulate those who are attempting to create better anti-viral software.

From what i know of it, the black book contains examples of viral code, all of which can be detected. Since almost all of the viruses that could potentially be created by releasing the translation will be variants, all should be easily detected and should not impose a greater risk to anyone with sufficient anti-viral software.

While being over the age of 18 does not guarantee responsibility, it does increase the chance that all who learn from it will have reached an age of socialization that is necessary to properly use the knowledge to benefit and not to detriment.

------------------------------

End of Chaos Digest #1.14
************************************