SEPTEMBER 1994

VIRUS BULLETIN

THE INTERNATIONAL PUBLICATION ON COMPUTER VIRUS PREVENTION, RECOGNITION AND REMOVAL

Editor: Richard Ford

Technical Editor: Fridrik Skulason

Consulting Editor: Edward Wilding, Network Security Management, UK

IN THIS ISSUE:

• KAOS reigns. A virus has been released on the Internet: how great are the risks? For an analysis of the virus, see p.8; for an analysis of the risks, turn to p.6.

• Comparatively speaking. VB has always advised against the use of virus removal software. However, it has become an integral part of many anti-virus software packages. How effective is this technique? See p.11.

• Fire, fire! Norman Data Defense Systems has released a server-based anti-virus package: how does it compare to the DOS version of this software, Norman Virus Control? Product Review 2 has all the answers.

CONTENTS

EDITORIAL
To Detect or Not to Detect...                  2

VIRUS PREVALENCE TABLE                         3

NEWS
Honecker: The Last Laugh                       3
Prism Reaches Out                              3
ARCV Case Wrapped Up                           3

IBM PC VIRUSES (UPDATE)                        4

INSIGHT
KAOS on the Superhighway?                      6

VIRUS ANALYSES
1. KAOS4: A Sexually Transmitted Virus?        8
2. No Smoking, Please!                         9

COMPARATIVE REVIEW
Disinfection: Worth the Risk?                 11

PRODUCT REVIEWS
1. Doctor: Good Medicine?                     17
2. Norman Firebreak                           20

BOOK REVIEW
Solomon Says...                               23

END NOTES & NEWS                              24

VIRUS BULLETIN ©1994 Virus Bulletin Ltd, 21 The Quadrant, Abingdon, Oxfordshire, OX14 3YS, England. Tel. +44 (0)1235 555139. /94/$0.00+2.50 No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form without the prior written permission of the publishers.

Blue Coat Systems - Exhibit 1019

2 • VIRUS BULLETIN SEPTEMBER 1994

EDITORIAL

"Surely a user would like to know that a particular program is wrapped in an MtE decryption routine?"

To Detect or Not to Detect...

When is not a virus a virus... or, put more simply, are there occasions when a virus scanner should label a file as infected, when it is not? The answer to this question seems obvious: virus scanners should detect files which are infected by a fully-functioning virus. However, is this what one actually wants a 'real world' scanner to do?

Consider the following experiment. An innocuous file is encrypted using the Mutation Engine. The file is then virus-checked by a number of different packages. Each scanner will give one of three results. Firstly, the scanner might pass the file as clean. Secondly, the scanner might alert the user to the presence of the Mutation Engine code. Finally, the scanner may display a message informing the user that the file is infected with a virus. Clearly, the most useful statement is the second one. However, almost all scanners fall into either the first or the last category - the second statement, though factually accurate, is not a great deal of use to the user: can he run the file or not? The only way to find out is to analyse it, a task which will be beyond the scope of the casual browser.

The experiment can be made still more complicated. Imagine a polymorphic virus which sometimes does not carry out its infection process correctly, adding a decryption routine to 'infected' files, but failing to add the encrypted virus code. Such a file will not replicate, and is therefore not a virus. However, there is a powerful argument that the user should be alerted to its presence.

The current trend in the industry is a move towards precise or exact virus identification. In many ways, this is highly beneficial, as disinfection can be carried out more accurately, and the user is left with a better picture of what potential effects the virus may have had on his system. With the advent of widely available polymorphic engines, the only way to identify exactly which virus a file is infected with is to decrypt the file and examine the code 'hidden' by the encryption. If this code is identified as a virus, then the file is deemed to be infected. If it is not, the file is clean. This process is slow on infected files, but very quick on clean ones.

All well and good... except when the program encounters a file which has a valid decryption routine attached to it, but random code encrypted within it. In such cases, some scanners will not label the file as infected. But is this action unnecessarily pedantic? Surely a user would like to know that a particular program is wrapped in an MtE decryption routine? This is critical in the case of the user who is attempting to clean up a system after an attack by a polymorphic virus. Here, the anti-virus software should identify all those files which contain the virus, or parts of it: that is, those files which have been altered.

Vendors will quite justifiably point out that change detection is exactly what a checksummer does. However, the use of checksummers is hardly widespread, and one feels that there is something unnecessarily pernickety about the failure of a scanner to alert the user to fragments of viruses left scattered across the disk. If files half-infected by a botched virus cannot be detected by the scanner, then it is time for a change of emphasis: the scanner and the checksummer should be combined in a way which is transparent to the user. The checksum information can then be used during a clean-up operation, to identify those executables which have been altered by the virus. It should be noted that during clean-up, whether an altered program is a virus or a dysfunctional attempt at infection is immaterial to the user - all that matters is getting the machine operational as quickly as possible. Some products already use this two-pronged attack, but few seem to make the marriage of the two techniques as harmonious as it could be.

Until the next generation of products is installed upon computers worldwide, the main line of defence against virus attack is the humble scanner. Here the question of 'to detect or not to detect' is still unanswered: some scanners can identify 'half-infected' files, and some cannot. So when is it acceptable to call something a virus when it is not? The current industry consensus on the matter is rather undecided, leaving those unlucky enough to be caught without a backup of their system blundering around in the dark. Anybody care for a light?
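The two-pronged approach the editorial argues for, a scanner verdict combined with checksum change detection so that a 'half-infected' file is still reported during clean-up, as an added example (not code from Virus Bulletin or any product it reviews). The files, the signature names SIGNATURES and DECRYPTOR_SIG and the byte strings are all constructed stand-ins; SHA-256 plays the part of the checksummer.

```python
import hashlib

# Constructed sample "disk": file name -> contents.  Stand-in byte strings,
# not real programs and not virus code.
CLEAN_FILES = {
    "EDIT.COM": b"\xe9\x10\x00" + b"A" * 64,
    "SORT.EXE": b"MZ" + b"B" * 64,
    "TREE.COM": b"\xe9\x20\x00" + b"C" * 64,
}

# Hypothetical signatures.  The body marker stands for the encrypted virus
# code a scanner would decrypt and identify; the decryptor marker stands for
# the attached MtE-style decryption loop that may be present on its own.
SIGNATURES = {"Hypothetical.Poly": b"VIRUS-BODY-SIG"}
DECRYPTOR_SIG = b"MTE-LIKE-DECRYPTOR"


def baseline(files):
    """Checksummer half: record a digest per executable while the system is known clean."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def scanner_verdict(data):
    """Scanner half: the three outcomes the editorial lists for a single file."""
    for vname, sig in SIGNATURES.items():
        if sig in data:
            return "infected: " + vname
    if DECRYPTOR_SIG in data:
        return "decryptor only"
    return "clean"


def clean_up_report(files, known_good):
    """Combine both halves: a file whose checksum changed is reported whatever the scanner says."""
    report = {}
    for name, data in files.items():
        verdict = scanner_verdict(data)
        if verdict.startswith("infected"):
            report[name] = verdict
        elif name not in known_good:
            report[name] = "new since baseline (" + verdict + ")"
        elif hashlib.sha256(data).hexdigest() != known_good[name]:
            # The editorial's 'half-infected' case: altered, but no complete virus identified.
            # A legitimate update lands here too, so the operator still has to look.
            report[name] = "altered since baseline (" + verdict + ")"
        else:
            report[name] = "unchanged"
    return report


def demo():
    """Take a baseline, simulate one good and one botched infection, and report."""
    known_good = baseline(CLEAN_FILES)
    after_attack = dict(CLEAN_FILES)
    # Complete infection: decryptor plus virus body appended.
    after_attack["EDIT.COM"] += DECRYPTOR_SIG + SIGNATURES["Hypothetical.Poly"]
    # Botched infection: decryptor appended, body missing, so the file cannot replicate.
    after_attack["TREE.COM"] += DECRYPTOR_SIG + b"\x00" * 16
    after_attack["NEW.COM"] = b"\xe9\x05\x00" + b"D" * 32
    return clean_up_report(after_attack, known_good)


if __name__ == "__main__":
    for name, line in demo().items():
        print(f"{name:10} {line}")
```

A scanner alone would pass TREE.COM as clean (or, at best, mention the decryptor); with the baseline the clean-up pass lists it alongside the genuinely infected file, which is what the editorial wants.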

VIRUS BULLETIN SEPTEMBER 1994 • 3

NEWS

Honecker: The Last Laugh

The latest computer virus story to hit newspaper headlines worldwide is the 'Honecker virus'. The virus triggers on 13 August (the anniversary of Erich Honecker's construction of the Berlin Wall), and displays a caricature of the late East German leader, complete with spectacles, on the screen.

This is followed by a rendition of the national anthem of the former German Democratic Republic, and a message announcing the destruction of programs 'by order of the Council of Ministers of the German Democratic Republic'. The next message reads: 'Honni's last revenge - I'll be back'. It then deletes the AUTOEXEC.BAT file.

Analysis of the 'virus' shows that the program should probably be regarded as a Trojan, as it is incapable of spreading onto a floppy disk without actually being copied by the user. The virus is written in a high-level language, and creates a 52480-byte file called DOSINFO.EXE in several sub-directories of the fixed disk. The Trojan then adds code to the start of batch files on the disk to ensure that the program is executed. The program was distributed in an X-rated file, uploaded to German BBSs ■

Prism Reaches Out

The NCSA (National Computer Security Association) has announced the launch of a new program, Prism. Services provided by the program include access to on-line help, telephone help-desk support, the 'Underground Research Laboratory', the Virus Research Centre, magazines and newsletters, and national seminars and conferences with internationally-recognised experts in attendance. Members will also be warned by Email of any potential virus attack, and have the use of the product information service.

The program is a logical solution to a resource problem: many corporate IT Managers suffer from an overload of unscreened information, and have to allocate considerable resources to filtering it. Prism is designed to carry out this filtering first, supplying information from a wide range of sources, without swamping the company in trivia.

Its member-elected Advisory Council helps to determine the program's direction, assist in establishing special interest groups, provide input to educational programs, and recommend new or amended member services.

Prism membership is offered to government and business organisations of all sizes through a multilevel pricing schedule, calculated according to the revenue of the company concerned. Membership starts at US$4,500.00. Further details are available from the NCSA, tel. +1 717 258 1816, fax +1 717 243 8642. The NCSA can also be reached on CompuServe as 75300,2557@compuserve.com ■

Virus Prevalence Table - July 1994

Virus                  Incidents   Reports (%)
Form                      15         34.1%
Spanish_Telecom            6         13.6%
CMOS4                      3          6.8%
Flip                       2          4.5%
Green_Caterpillar          2          4.5%
Green_Caterpillar.B        2          4.5%
JackRipper                 2          4.5%
Smeg.Pathogen              2          4.5%
Cascade                    1          2.3%
Eddie_2                    1          2.3%
Joshi                      1          2.3%
New_Zealand                1          2.3%
New_Zealand.1              1          2.3%
NoInt                      1          2.3%
ParityBoot                 1          2.3%
Stoned.O                   1          2.3%
Taiwan.2900.d              1          2.3%
V-Sign                     1          2.3%
Total                     44        100.0%

ARCV Case Wrapped Up

The case of ARCV, the UK-based virus-writing group Association for Really Cruel Viruses, has finally reached its conclusion (see Virus Bulletin, November 92, p.3). DC Noel Bonczoszek, at the time an officer of New Scotland Yard's Computer Crime Unit, recently issued a statement saying that the President, Secretary and two couriers of the group had been identified, arrested, and were subsequently given a police caution. A fifth person was cautioned on another matter, while another arrested at the time was released with no further action taken. However, no victims of viruses written by ARCV were identified.

The statement goes on to thank the anti-virus community for their assistance. Commenting on the case, Bonczoszek (now attached to Marylebone CID) said, 'a potentially serious problem was nipped in the bud.'

The arrest and cautioning of members of ARCV is likely to be met with a mixed response from those in the IT industry. Although the virus-writing group was stopped in its tracks, the lack of convictions will be a source of irritation to some. Part of the reason for members of ARCV not being taken to court is believed to be the dearth of reports of their viruses in the wild, highlighting the need for those affected by viruses to report the attack to the appropriate authorities. The CCU can be contacted on Tel. 0171 230 1177 ■

4 • VIRUS BULLETIN SEPTEMBER 1994

IBM PC VIRUSES (UPDATE)

The following is a list of updates and amendments to the Virus Bulletin Table of Known IBM PC Viruses as of 20 August 1994. Each entry consists of the virus name, its aliases (if any) and the virus type. This is followed by a short description (if available) and a 24-byte hexadecimal search pattern to detect the presence of the virus with a disk utility or a dedicated scanner which contains a user-updatable pattern library.

Type Codes

C  Infects COM files
D  Infects DOS Boot Sector (logical sector 0 on disk)
E  Infects EXE files
L  Link virus
M  Infects Master Boot Sector (Track 0, Head 0, Sector 1)
N  Not memory-resident
P  Companion virus
R  Memory-resident after infection

ARCV.Christmas.678
CR: This virus appears to be based on the same source code as the 670-byte ARCV.Christmas virus. Detected with the Ice-9 pattern.

Barrotes.1310.F
CER: Detected with the Barrotes pattern, as is the 1310.G variant.

Bupt.1220.C
CER: Detected with the Bupt (Traveller) pattern.

Burger.441.B
CN: Detected with the Burger pattern and the Virdem and Virdem-fam patterns. The Virdem patterns also match the Burger.382.C virus.

Cascade.1701.T
CR: Detected with the Cascade(1) pattern, as are the 1701.U and 1701.V variants. The 1701.Q variant requires a new searchstring, as the decryption loop has been modified.
Cascade.1701.Q      018B D9EB 0446 4943 4180 B74D 01BC 8206 8134 F066 464C 75F8

Chaos.1
CER: Detected with the Chaos (formerly Spyer) search pattern.

Chaos_Year
CER: An unremarkable 1837-byte virus.
Chaos_Year          3D00 4B75 06E8 F102 E97B 0080 FC3D 7506 E84D 04E9 7000 80FC

Chris
CR: This 463-byte virus contains the text '<CHRIS of S.i.t.>'.
Chris               80FC 4B74 052E FF2E FC01 061E 5557 5652 5153 5090 901E 5231

Chromo
CN: A 406-byte virus containing the text '[Chromosome Glitch] v1.0 Copyright (c) 1993 Memory Lapse'. This virus may perhaps be reclassified as a member of a family which contains several other viruses by the same author.
Chromo              CCC6 8699 0200 C686 9A02 00EB 00B4 4EB9 FF01 8D96 5602 CC3D

Cobra
CN: A 400-byte virus which prepends itself to the files it infects. It contains the text '-Cobra Cou-'.
Cobra               A19A 00A3 1B01 E80C 00B4 4FCD 2130 1200 7402 EBB0 C3B9 0500

Cybertech.552
CN: This virus uses variable encryption, and no searchstring is possible. The following text is present within the decrypted code: 'Mourners of a dying world. Too late to reconcile. Into Everlasting fire. Can't you see it's Satan's world.'

Cybertech.1066
CN: Another encrypted variant, but the decryption loop is constant. There is also a 1228-byte variant by the same author.
Cybertech.1066      E800 005D 83ED 0750 8DBE 1B00 89FE B913 04AC 34?? AAE2 FA
Cybertech.1228      E800 005D 83ED 0750 8DBE 1B00 89FE B9B5 04AC 34?? AAE2 FA

Dicker
CR: A 400-byte virus which prepends itself to infected files.
Dicker              80FC 9075 03BB 9900 3D00 4B74 052E FF2E 3401 9C50 5351 5206

FeelBad
CN: This 1124-byte virus probably originated in the Netherlands. Its name derives from the text 'we feel bad about Ritzen'.
FeelBad             B840 008E D8BB 6C00 8A07 1F24 033C 0375 06BB 7804 E801 00C3

Fifo
CR: A 300-byte virus containing the text 'FIFO'.
Fifo                80FC 3674 03B9 0300 5053 5152 1E06 55B4 19CD 2150 FECA 7804

Filehider.1057
CR: Detected with the Filehider (789) pattern. Similar to a 1067-byte variant reported in July 1993.

Fission
CER: A 517-byte virus containing the text '[Binary Fission] v1.0 [MUPS]'. The text indicates that it is written by the same person who wrote Chromo.
Fission             3D00 3D74 283D 013D 7423 3D02 3D74 1E3D 0043 7419 3D01 4374

VIRUS BULLETIN SEPTEMBER 1994 • 5

Flip
CER: Three variants of Flip (2153.E, 2153.G and 2365) have not been mentioned before. Like other Flip viruses, they cannot be detected with a single, simple searchstring, but programs capable of detecting earlier Flip variants should also be able to detect these.

Flue
CN: A variable-size virus (1179 bytes long or more) using variable encryption.

Friday_the_13th.416.C
CN: An unremarkable minor variant of this virus, requiring a new searchstring.
Friday_13th.416.C   FF36 0201 FF36 0401 B43F B903 00BA 0201 CD21 725F A00E 0138

Green_Caterpillar.1575.H
CER: Detected with the Green_Caterpillar (1575) pattern.

IVP
CN, CEN: Three new IVP-generated viruses are known: 260 (CN), April (1676) and Mandela.943.

Jerusalem.Sunday.L
CER: An unremarkable 1636-byte variant, detected with the Jeru-1735 pattern. The same pattern will also detect the new 2064-byte Jerusalem.Tarapa.C virus.

Keypress.1232.
CER: Detected with the Keypress pattern.

Leprosy.Busted.572
EN: Yet another member of this family of primitive overwriting viruses.
Leprosy.Busted.572  8B0E 0C02 51E8 1000 5BB9 3C02 90BA 0001 B440 CD21 E801 00C3

Necropolis.C
CEN: Very similar to the other two known variants; detected with the Necropolis (1963) pattern.

PS-MPC
The appearance of the following PS-MPC viruses should not be a surprise to anyone: 339.F (CN), 347.K (CN), 352.M (CN), 574.E (CEN), 578.H (CEN), Alien.733 (CER), ARCV-4.742 (CEN), Asstral (EN, 753), G2.Mudshark.312 (CN), Joshua.964 (CEN), Shiny.934 (CN), Sucker (CR, 572), Tester (CN, 302).

Trivial
CN: There is a constant trickle of new small overwriting viruses which do nothing but replicate. Due to their small size, the patterns are shorter than normal, and should be used with care.
Trivial.25.B        BA9E 00CD 212A 2E2A 00B7 4087 D193 EBF3
Trivial.29.B        21BA 9E00 B802 3DCD 2193 5AB4 40CD 21C3
Trivial.30.G        218B D8B4 40B1 1EBA 0001 CD21 2A2E 2A00
Trivial.33          2193 BA00 01B4 40CD 21C3 2A2E 434F 4D00
Trivial.37          0001 CD21 B43E CD21 B44F EBE4 2A2E 2A00
Trivial.38.B        BA00 01B9 2600 CD21 CD20 2A2E 636F 6D00
Trivial.39.B        B440 CD21 B43E CD21 B44F EBE2 2A2E 2A00
Trivial.42.F        21B4 3ECD 21B4 4FEB E2CD 202A 2E63 2A00
Trivial.42.G        CD21 B43E CD21 B44F EBE1 2A2E 636F 6D00
Trivial.43.B        B43E CD21 B44F CD21 73E4 C32A 2E63 2A00
Trivial.43.C        B92B 00BA 0001 CD21 CD20 2A2E 636F 6D00
Trivial.45.E        7473 7920 7275 6C65 7321 202A 2E43 2A00
Trivial.54          EBE0 2E2E 00B4 3B5A BA28 01CD 2173 CBC3

Troi.E
CR: Almost identical to the C variant. Detected with the Troi pattern.

VCL
CN, PN: Several VCL-generated viruses have appeared recently: 609, Beepop (PN, 587), Bigtime (676), Butthole (overwriting, 493), Dumbco (3808), Genesis (741), Gif (696), Renegade (5737) and Westward (657). Most are encrypted, and should be detected as other VCL viruses: Westward is not, and is detected with the VCL.VoCo pattern.

Vienna.648.Oscar
CN: Three 648-byte variants have been found recently, all of which contain the text '(C) OSCAR'. Variants A and C are detected with the Interceptor pattern, but B requires a new pattern.
Vienna.648.Oscar.B  B903 008B D690 83C2 0DCD 218B 5406 8B4C 0483 E1E0 83C9 1D90

Vienna.778
CN: Detected with the Dr_Q pattern.

Vienna.Violator.707.B
CN: Detected with the Violator pattern.

Vienna.Violator.5286.B
CN: Detected with the Xmas_Viol pattern.

Xph.1010
CER: Similar to the two variants reported earlier.
Xph.1010            3D00 4B74 0580 FC3D 7553 2EC6 060C 0401 8BFA 4774 4280 3D00

YB.316
CN: This virus is also known as Silent Runner, as it contains the text 'Silent Runner by Nostradamus [NuKE'94]'. It is 316 bytes long, and has not been fully analysed.
YB.316              B802 3DCD 2193 B905 008D 9408 01B4 3FCD 2172 218B 842B 0105

YB.466
CN: This virus contains the text 'YB-1 & Handsome Dick Manitoba / Kohntark', indicating that it is by the same author as the KAOS4 virus.
YB.466              B802 3DCD 2172 2F93 B905 008D 9494 01B4 3FCD 2172 218B 84C1

YB.647
CN: A related virus, containing the text 'YB-2 / Kohntark'.
YB.647              B802 3D9C FF9C 6801 72E3 93B9 0500 8D94 5F01 B43F 9CFF 9C68
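How a user-updatable pattern library of the kind the update describes is actually applied, as an added example (not code from Virus Bulletin or from any scanner it reviews): a hex search string is parsed, with '??' standing for a wildcard byte as in the Cybertech patterns, and a buffer is scanned for every entry. The two search strings are copied from the table above; the sample buffer is constructed for the test and contains nothing but the 23-byte Cybertech.1066 search string with an arbitrary key byte in the wildcard position, so it is a detection fixture, not a virus. fixed_bytes puts a number on the caveat attached to the Trivial family: a pattern with fewer fixed bytes is more likely to match innocent code.

```python
import re


def compile_pattern(text):
    """Turn a VB-style hex string ('E800 005D ... 34?? AAE2 FA') into a list of
    byte values, with None in the position of each '??' wildcard byte."""
    hexstr = re.sub(r"\s+", "", text)
    if len(hexstr) % 2:
        raise ValueError("odd number of hex digits in pattern: " + text)
    compiled = []
    for i in range(0, len(hexstr), 2):
        pair = hexstr[i:i + 2]
        compiled.append(None if pair == "??" else int(pair, 16))
    return compiled


def fixed_bytes(pattern):
    """Number of bytes the pattern pins down; wildcards contribute nothing."""
    return sum(1 for b in pattern if b is not None)


def find_pattern(data, pattern):
    """Return every offset in data at which the pattern matches."""
    n = len(pattern)
    hits = []
    for off in range(len(data) - n + 1):
        if all(p is None or data[off + i] == p for i, p in enumerate(pattern)):
            hits.append(off)
    return hits


def scan_library(data, library):
    """Apply a whole {name: hex string} library; result is {name: [offsets]}."""
    return {name: find_pattern(data, compile_pattern(hexstr)) for name, hexstr in library.items()}


# Two search strings copied from the update table above.
LIBRARY = {
    "Cybertech.1066": "E800 005D 83ED 0750 8DBE 1B00 89FE B913 04AC 34?? AAE2 FA",
    "Trivial.25.B": "BA9E 00CD 212A 2E2A 00B7 4087 D193 EBF3",
}


def constructed_sample():
    """Constructed test buffer: filler, the Cybertech.1066 search string with 0x5A
    in the wildcard slot (the per-infection XOR key), then more filler."""
    pattern = compile_pattern(LIBRARY["Cybertech.1066"])
    fragment = bytes(0x5A if b is None else b for b in pattern)
    return b"\x90" * 100 + fragment + b"\x00" * 50


if __name__ == "__main__":
    for name, offsets in scan_library(constructed_sample(), LIBRARY).items():
        strength = fixed_bytes(compile_pattern(LIBRARY[name]))
        print(f"{name:16} fixed bytes={strength:2}  hits at {offsets}")
```

Because the wildcard sits on the XOR key, the same search string matches every file the constant-loop variant infects regardless of the key chosen; the Cybertech.552 variant, whose loop itself varies, is exactly the case this kind of library cannot cover, which is why the table gives it no searchstring.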

6 • VIRUS BULLETIN SEPTEMBER 1994

INSIGHT

KAOS on the Superhighway?

Virus Bulletin readers will have noticed the short 'Stop Press' notice regarding the KAOS4 virus which was included in last month's edition. One month on, it now appears that the spread of the virus has been checked by a prompt response from anti-virus software manufacturers and members of the internet user community. However, there is no doubt that, were it not for the ineptitude of the virus writer, a great deal more damage could have occurred.

With companies climbing over each other in a scramble for increased connectivity, the incident provides an ideal opportunity to review some of the risks associated with internet access.

Navigating the Internet?

One of the biggest misconceptions about the internet is that it is actually run or controlled by a single body. However, given that there is a blurred definition of what the internet actually is, this may require some further explanation.

Simply put, the internet is a communications network. This may sound rather unimpressive, but estimates of the numbers of computers attached start at a highly conservative million, with more computers being added at a rate of hundreds or thousands a day.

The internet consists of a number of sub-networks. Often these sub-networks are publicly funded, and have owners who recognise that adding connections to other networks enhances their functionality. Thus, as its name implies, the internet is simply a network of networks.

One of the most visible uses of the internet is for sending and receiving Email. Although only text can be transmitted via Email, it is possible to encode binary files as text, allowing executables to be transferred quickly and cheaply worldwide. This provides a way for potentially infected files to enter a system. Unfortunately, such ways are legion.

Newsgroups

In the case of the KAOS4 virus, an infected file encoded as text was posted to the internet newsgroup alt.binaries.pictures.erotica. That file was downloaded by a number of users, and once on their own machines, decoded, and reconstituted into an executable file.

The internet newsgroups (known as Netnews or Usenet) are, just like the internet, not run by any individual body. Rather, they have evolved out of a messaging system originally designed to deal with a handful of computers linked together in a UUCP (Unix to Unix Communications Protocol) network. However, as time (and technology) marched on, this system became unacceptable, and the present system was created.

It was later decided to divide the newsgroups into sub-groups. The most common of these are:

comp   discussion of computers
news   discussion of news groups and news
sci    scientific discussion
rec    recreational discussion (e.g. pyrotechnics, chess, cycling)
talk   issue-related discussion (e.g. politics)
misc   miscellaneous topics.

This event created tension within the Usenet community, which in turn led to the birth of the 'alt' newsgroups (with alt standing for alternative). Even more so than the mainstream newsgroups, the alt hierarchy is completely anarchic, and contains a wide variety of topics, with groups ranging from alt.hackers to alt.swedishchef.bork.bork.bork.

Also included in the alt newsgroups is the 'erotic' picture group alt.binaries.pictures.erotica (abpe). Such newsgroups contain many megabytes of scanned GIF or JPEG files of dubious origin, as well as animation programs or picture viewers. As an interesting aside, the newsgroup abpe is responsible for a significant chunk of the network traffic which makes up Usenet.

Regulatory Bodies

The above discussion may make Usenet sound chaotic, but that would not be an unfair description. It is possible to post to Usenet anonymously, and (especially in the alt newsgroup hierarchy) there is no filtering or checking of the contents of messages. Thus, downloading any executable file from Usenet is a game of chance: although it is likely that the file is exactly what it claims to be, there is a remote possibility that it will contain a Trojan horse or a virus.

One might think that a virus author would be insane to post a new virus, as this would reveal his identity. Unfortunately, this is not the case, as Usenet posts can be easily faked and forged. This means that the virus author could disguise a new virus as a utility, and anonymously post the item to the newsgroup. Fortunately, this is very rare.

The user who posted the file infected with KAOS4, Sexotica, claims that he did not know that it was infected. This is the case for most of the viruses which have cropped up on the internet so far.

As postings to Usenet cannot be trusted, it is worth considering other sources of information on the internet. One of the most popular methods is gopher - this is a program which allows inexperienced users to find information or files on a particular topic by searching a simple text-based menu system. Such systems generally allow the user to hop across the globe from site to site, homing in on the area of interest.

Another source of information is ftp sites: large software collections containing many Gigabytes of files, usually operated and maintained by universities or colleges. Unlike postings to Usenet, uploaded files are generally placed in a secure area, so that the system manager can check their contents and suitability before allowing other users to access them. Ftp sites can be accessed quickly and easily, and generally do not require the use of a password for access. This provides a certain level of anonymity.

"one of the first rules for avoiding virus infection via the Internet is exactly the same as for general PC use: do not use software of unknown origins"

Although ftp sites are an excellent source of information, and often represent well-maintained and catalogued software collections, the same problem of accountability still exists. The ftp site will not always have been sent the file by the author of the package (and even if the site believes that it has been, this is not always easy to prove), so it is still possible that a file could be Trojanised in some way.

Other forms of file distribution on the internet are similarly unreliable. Personal Email is trivial to forge (ask any first-year computer scientist for a demonstration), and can be done automatically by several programs or Unix scripts.

Fighting Back

The preceding information brings little cheer to the average computer user. However, all is not doom and gloom, as many individuals and companies have begun to search for ways in which to make use of the many benefits of internet access more secure.

One of the first rules for avoiding virus infection via the internet is exactly the same as for general PC use: do not use software of unknown origins. In the case of the internet, this will include ftp sites, and more importantly, software encoded as ASCII posted to newsgroups. Obviously such paranoia can only be taken so far. However, for a large network, it seems prudent to follow the oft-stated rule of obtaining software only from trusted sources. The ftp sites maintained by a number of anti-virus software manufacturers are obviously somewhat more reliable, and can be used (with the simple caveat that one can never be completely certain when communicating over the internet).

VIRUS BULLETIN SEPTEMBER 1994 • 7

In order to offer some sort of message authentication system, several encryption programs have been developed. The most popular, PGP (Pretty Good Privacy), uses a Public/Private key system, so that without a user's private key, it is impossible to fake messages which appear to be from him. Additionally, a message can be sent in such a way that it can only be decrypted by the recipient. Solutions to the problem of mail and file tampering by programs like PGP are becoming more common, as users begin to see first-hand evidence of forged 'joke' postings.

Apart from encryption systems, most commercial networks connected to the internet have an internet Firewall set up. Although this is principally designed to deter potential hackers, the Firewall can also be configured to prevent users accessing various services and features provided by the internet. The most draconian solution would be to provide access only to Email. Unfortunately even this is not completely effective: several newsgroups also exist in list form, and there are numerous ftp mail servers which can send files to users via Email.

Conclusions

From a purely virus-related point of view, the internet provides nothing but trouble. However, these problems are not Internet-specific: they apply equally to any route by which files can enter a company.

Files which are posted on the internet are not automatically downloaded by unsuspecting users: the user has to access the file, decode it, and run it, for there to be any danger to the host system. Therefore enabling Email is not a risk per se, as the user has to take quite deliberate action in order to spread a virus. As GUIs to the internet grow in popularity, this may not always be the case - soon, files may be automatically extracted and restored to their original form.

Of all the ways in which a virus can enter a company, Email and internet access probably rank as two of the lower threats. However, on a global scale it does make a very tempting target, as it allows a reasonably anonymous way to distribute virus code. Therefore, it is important that the usual precautions for dealing with programs are followed.

When made internet-specific, these are:

• Do not use software of doubtful origin (e.g. executable files from public ftp archives and Usenet postings).

• Scan all incoming software. Note that most scanners cannot search a binary file encoded as a text file; therefore the file must be decoded first. Some internet Firewalls can be configured to do this automatically.

• When transferring executable code or confidential information, always use a message authentication or encryption system.

These rules, if followed as part of a general policy, will provide an excellent preventative against viruses via Email or the internet. Ignore them at your peril!
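The second rule above, that a binary posted as text cannot be scanned until it has been decoded, as an added example (not code from Virus Bulletin or from any firewall product): a gateway check that unpacks the uuencoded begin/end blocks from an article and scans the decoded bytes, alongside the naive check that only looks at the raw text. The article, the file name VIEWER.EXE and the MARKER signature are constructed for the example; binascii is the standard-library uuencode codec.

```python
import binascii

# Constructed stand-in for a scanner signature; an EICAR-style test string, not virus code.
MARKER = b"EICAR-STYLE-TEST-MARKER"


def uuencode(name, data):
    """Encode bytes the way a 1994 newsreader would: begin line, 45-byte lines, '`', end."""
    lines = ["begin 644 " + name]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    lines += ["`", "end"]
    return "\n".join(lines)


def extract_binaries(article):
    """Find every begin/end block in an article and decode it; returns {name: bytes}."""
    found, current, buf = {}, None, bytearray()
    for line in article.splitlines():
        if current is None:
            if line.startswith("begin "):
                parts = line.split(" ", 2)
                current = parts[2] if len(parts) == 3 else "unnamed"
                buf = bytearray()
        elif line == "end":
            found[current] = bytes(buf)
            current = None
        elif line:
            buf += binascii.a2b_uu(line)  # the '`' terminator line decodes to b""
    return found


def scan_bytes(data):
    """Stand-in scanner: a plain signature search over a byte string."""
    return MARKER in data


def gateway_check(article):
    """Naive check over the raw text versus the gateway check that decodes first."""
    raw_hit = scan_bytes(article.encode("ascii", "replace"))
    decoded_hits = {name: scan_bytes(data) for name, data in extract_binaries(article).items()}
    return raw_hit, decoded_hits


def constructed_posting():
    """Constructed article carrying a fake 'viewer' executable that contains the marker."""
    payload = b"MZ" + b"\x90" * 20 + MARKER + b"\x00" * 30
    return ("From: someone@example.invalid\n"
            "Subject: picture viewer (constructed sample)\n\n"
            "Here is the viewer I mentioned.\n"
            + uuencode("VIEWER.EXE", payload) + "\n")


if __name__ == "__main__":
    raw, decoded = gateway_check(constructed_posting())
    print("raw text scan hit:", raw)
    print("decoded attachment scan hits:", decoded)
```

The raw text contains no recognisable signature because uuencoding spreads every three bytes over four printable characters; only after extract_binaries has rebuilt the file does the same signature search fire, which is the property a decoding firewall relies on.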
8 • VIRUS BULLETIN SEPTEMBER 1994

VIRUS ANALYSIS 1

KAOS4: A Sexually Transmitted Virus?

The KAOS4 virus gained notoriety through its posting to the internet newsgroup alt.binaries.pictures.erotica. Although KAOS4 has, as a result of this method of distribution, become widespread, it appears to be a relatively simple, non-resident COM and EXE file infector, designed to avoid detection by heuristic scanners.

A Simple Plague

KAOS4 is a rather primitive virus, which makes no attempt to hide its presence, either during or after execution of a file. As the virus does not become memory-resident, no stealth routines are included, and, excepting encryption of some text strings stored in the virus code, disassembly proved to be trivial. It will be stopped by any behaviour blocker, and any of the popular checksumming programs should be able to detect its presence.

Infection and Operation

The virus infects COM files by appending its code to the host file. When such a file is run, the virus receives control after execution of the starting JMP instruction, and some effort is made to restore the program's original registers before processing continues. No attempt is made to armour the code against disassembly, and the entire virus was pulled apart in a matter of hours.

The virus then sets up