1993-08-15 - Encrypting Viruses…. good idea?

Header Data

From: IE63@vaxb.acs.unt.edu
To: cypherpunks@toad.com
Message Hash: fe5d3630fe0789de64f88cf06eefbc9041132f0837b0a4a123ef2c93bb7e8960
Message ID: <01H1QX6LHQPE0029G2@vaxb.acs.unt.edu>
Reply To: N/A
UTC Datetime: 1993-08-15 00:56:47 UTC
Raw Date: Sat, 14 Aug 93 17:56:47 PDT

Raw message

From: IE63@vaxb.acs.unt.edu
Date: Sat, 14 Aug 93 17:56:47 PDT
To: cypherpunks@toad.com
Subject: Encrypting Viruses.... good idea?
Message-ID: <01H1QX6LHQPE0029G2@vaxb.acs.unt.edu>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

>Speaking of cryptostacker and beneficial viruses that encrypt files for you
>in the background, I just got a copy of one in the mail!  I think this may
>be of interest to the group, so I am posting.
                        .........
>I can't seem to find mention of what the fast/casual encryption algorithm
>is.  Instead of source code, a hex listing is provided.  According to
>further notes, there is a hot-key for toggling floppy encrypt, and another
>hot key to uninstall from the hard drive.
>
>All the same, if I get a chance this weekend I'll probably try it
>out!

        Well, good luck with it.  I'd personally like to see/do a disassembly
of the _entire_ virus before I would install it - security systems are great 
for back doors, and a virus would be GREAT for such.  There are a few things
anyone using this program might want to watch for (I have yet to see it,
though I'd be VERY interested in disassembling it....  anyone out there 
with a copy that wouldn't mind sending it _ENCRYPTED_ through E-mail? 
Full commented disassembly returned to sender ASAP!):

        1.)  Some anti-virus programs with heuristics are going to have a
             cow, most likely - CES, F-PROT, TBSCAN are a few that are likely
             (especially VIRSTOP from F-Prot - if I'm wrong, tell me...)
             and these are some of the best out there for personal protection
             (sorry SCAN & CPAV).

        2.)  I'd recommend NOT using it if you have a special master boot
             record, like Windows NT or some boot-based security systems
             or multiple boot choices.  There are 9 sectors free at the 
             beginning of most IBM hard drives, I assume this virus uses 
             the first sector and 1/more of the others.....  if another 
             program wants to use these as well - I'd bet the virus doesn't 
             notice until too late.
        
        3.)  Watch where the virus puts itself on floppies.  If it is larger
             than 512 bytes (almost have to be for its functionality) then
             there are only three ways I know of to put additional code in:

             a.) Mark sectors bad, and place code there.
                 Problem: DON'T "FIX" BAD SECTORS ON YOUR DISK WITH NORTON!

             b.) Use space after root directory entry and FAT to put virus
                 in, just like the Stoned virus.
                 Problem: Trashes data if there are more than 80 files in the
                          root directory.  Also sometimes causes other 
                          problems with High-Density disks....
                          And, if a new format of disk comes out - WATCH OUT!

             c.) Format extra tracks on the floppy - these tracks are rarely
                 very reliable - you might loose information if these
                 tracks give out, depending on the setup of the virus you
                 might loose the disk.

             d.) This method I haven't seen, but I guess it could happen -
                 create an actual file and allocate it from the FAT....
                 this might actually be safe, as long as the virus didn't
                 let anyone delete it or write over it.

        4.)  Watch where it locates itself in memory: most likely it will
             lower the memory in BIOS before DOS gets loaded (CHKDSK will
             inform you that you have <640k low memory rather than the 
             usual 65536 bytes....) which is generally relatively safe if
             the computer has a standard config.  It may cause problems
             depending on where/how/when it allocates memory, though.

        5.)  What happens when you bypass Int 13h (which is presumably what
             it hooks) and use absolute disk I/O by directly using the
             driver?  Careful with Norton and other diskfix programs 
             that _might_ do this at times.....

        6.)  Don't press 'DISINFECT' from your favorite AV program
             without decrypting your disks first...........

     My bottome line is this: the virus may be cool, but why a virus?
Viruses may work for attacking things, wiping stuff out, hacking stuff,
whatever (although they always tend to hit more than the intended target,
funny thing about that), but when the only user of a machine WANTS to do 
something with their machine, why a virus?  I mean, honestly......  although
I must admit, it solves the problem of distribution of software in
the most interesting way - I want to see what happens if a commercial
company writes one of these and COPYRIGHTS it......

"This program may only be used by the original purchaser.  Any unauthorized
 copying, lending, or any other method of distribution is STRICTLY 
 PROHIBITED!  Violators will be prosecuted to the full extent of the law!
 You want I should infect this here hard drive? huh? huh? (Y/n)?"
 
 "BTW - if you're reading this message and did not buy this software, then 
 we'll be sueing you in two weeks, your modem just dialed our mainframe."

I suppose I may be being a bit judgemental, as I am speaking simply from
the letter quoted above, but still......  it sounds very reminiscent of
Fred Cohen's compression virus.....

My Public Key:
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.3a

mQCNAixUuYYAAAEEAKNllAee26qGqxJck3Bftdkrz0MUQLABGMZqVem9UW9kjjS+
rMAafauqYTE5/Kdnx+4Asj0Wgfon0YBtRMT0crMcBYNqVp4//RUh7wrxQNvKFeeO
ZGuQp2hyHQqh1FDfWsHG4ldGqIV1YuOXq6oeIDkmbwgf8BRgPcZkwUqsF4b1AAUR
tCpNaWNoYWVsIEEuIEVsbGlzb24gPGllNjNAdmF4Yi5hY3MudW50LmVkdT4=
=0rss
- -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQCVAgUBLG2BMcZkwUqsF4b1AQGe+wP+OeEKZd71ObybB4RuWa6rg761g0sNIqza
L733m6EJkuxTzy0c9TwVO+S1+QXiI44O85QOA7dc84YQ0Y65Y6yEzudSSlFAN6UB
CpjOQkia18ruY1CXY6mXsCAiNotWHzm2hcXASWLXXXkJi37jnfAOp3N+xWSk2+g6
Zm+0zgWa6hg=
=YSOp
-----END PGP SIGNATURE-----





Thread