From: Ian Whalley <ian@virusbtn.com>
Date: Wed, 22 Nov 1995 03:07:56 +0800
To: cypherpunks@toad.com
Subject: Re: Virus attacks on PGP
In-Reply-To: <199511211743.JAA06639@ix8.ix.netcom.com>
Message-ID: <199511211832.SAA12002@elbereth.sophos.com>
MIME-Version: 1.0
Content-Type: text/plain


>>Could a virus write to a write-protected disk?  I'm not sure if the
>>protection is done in the BIOS or the drive hardware.
>In the drive hardware.

In certain rare cases, drive hardware fails in such a way to allow
write access to write-protected diskettes - I have one such machine
here.  This appears to happen more often in 5.25" drives - perhaps
this is simply because most of the ones I come in contact with are
older than the 3.5" ones.

This is not a suitable viral attack, however, least of all against
a specific target like PGP.  However, viruses attacking specific
programs are well-known, both in concept and actuality - take
AntiEXE, which will corrupt certain sector reads if the sector
starts with a given byte pattern.  In a similar way it would be possible
to attack PGP, at least on DOS platforms.   However, it would be
dependent upon compiler used/version of PGP/etc etc, and only
work in a few cases.

More likely is something which waits to see when a certain program
is run (let's say PGP :-)), and records keystrokes (keyphrase,
anyone?).  Then it takes a copy of the secret key file along with
the keyphrase, and is able to do whatever it likes with them.

Slightly off-topic, for which I apologise, but there we go.

I.

---------------------------------------------------------------------
| Ian Whalley, Editor,   |    Phone/Fax : +44-1235-555139/531889    |
| Virus Bulletin,        |    DDI       : +44-1235-544039           |
| 21 The Quadrant,       |------------------------------------------|
| Abingdon Science Park, |    PGP key   :   2A 02 96 E5 5D 77 4C 8D |
| Oxon, OX14 3YS, UK.    |  fingerprint :   EB 22 14 6F E0 3B A0 D3 |
---------------------------------------------------------------------