From: Thomas E Zerucha <zerucha@shell.portal.com>
To: Norman Hardy <norm@netcom.com>
Message Hash: 7b4073398d7a0f444ea322aed1db43f9efb5d770ee551d03daa2c1a1c6cefe97
Message ID: <Pine.SUN.3.90.951126111730.22642A-100000@jobe.shell.portal.com>
Reply To: <acdc55c10202100472f8@DialupEudora>
UTC Datetime: 1995-11-26 19:54:03 UTC
Raw Date: Mon, 27 Nov 1995 03:54:03 +0800
From: Thomas E Zerucha <zerucha@shell.portal.com>
Date: Mon, 27 Nov 1995 03:54:03 +0800
To: Norman Hardy <norm@netcom.com>
Subject: Re: Virus attacks on PGP
In-Reply-To: <acdc55c10202100472f8@DialupEudora>
Message-ID: <Pine.SUN.3.90.951126111730.22642A-100000@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain
On Fri, 24 Nov 1995, Norman Hardy wrote:
> At 2:46 PM 11/24/95, Thomas E Zerucha wrote:
> ....
>
> >It takes quite an effort to create a complex virus to do this. It
> >reminds me of the Glomar Challenger that was used to recover the remains
> >of a Russian sub (my memory is somewhat faulty). Such a virus would
> >require a great investment in time and money. What target would be worth it?
> >Many otherwise feasible things aren't economically practical.
>
> Yes, but if your particular habits became widespread, an intelligence
> agency could amortize the virus effort across many victims.
>
> Here is just one such complicated virus:
> Sit in the OS watching for PGP to be launched. Patch PGP on the way in. The
> patch writes to disk the location and password for the secure key ring.
> Concurrently the virus watches for there to be IP service and sends the
> disk information as a UDP.

The virus is starting to get large and noticeable. First, I alternate
between a.out and ELF (and DOS .EXE). It doesn't have to patch pgp, just
look for it to be loaded and the secring file accessed. Then record
keystrokes. This would also work with a hardware implementation if the
secring passphrase is external (as opposed to an external keypad).

This is what can be done when PGP is used for communication. For other
info, I can isolate a computer (no modem, unroutable IP addresses, etc).
Of course our firewall is a socks server and doesn't forward UDP. Maybe
a socksified, SSL virus? My computer is attached that way far more than
via modem. And maybe I should just nuke (or modularize) UDP? You can do
interesting things with kernel source.

> Alternatively the virus waits for idle time, (screen saver time) and dials
> an 800 number having turned off the modem speaker. But don't send the same
> data twice!

That would be interesting - even with the speaker "off" the power surge
causes clicking and other signs. Not to mention that the interrupt count
would start moving (of course the virus could replace the entire OS and
would only have to find 300K chunks to hide in).

Were they that interested, they could place a surveillance device over my
desk (I don't know if they can pick up the scan on LCDs like they can on
monitors - I am surprised they didn't put the kibosh on the FCC emission
rules). Maybe I can move my desk, or my pgp station inside our EMI
testing faraday cage :).

zerucha@shell.portal.com -or- 2015509 on MCI Mail
finger zerucha@jobe.portal.com for PGP key
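
The attack chain sketched in this thread (something watching for the secret keyring to be read, then beaconing the result over UDP) and the reply (a SOCKS-only firewall that forwards no UDP) suggest two host-side checks a defender could run against audit logs. The following is an added example and not code from the original message or from PGP: it runs simple detection logic over constructed, audit-style log lines. The log format, the process names, the proxy address 192.0.2.10:1080 and the policy "only pgp may open secring.pgp; the only permitted egress is TCP to the SOCKS proxy" are all assumptions made for the example.

```python
"""Detect the two observables the thread names: a process other than pgp
touching the secret keyring, and UDP (or any non-SOCKS) egress from a host
whose firewall is supposed to proxy TCP only."""
import re

# Constructed audit-style log lines (not from the original thread).
# Format: <ts> <event> key=value ...   events: exec | open | net
SAMPLE_LOG = """\
1000 exec pid=101 comm=pgp
1001 open pid=101 comm=pgp path=/home/tz/.pgp/secring.pgp
1002 open pid=102 comm=xlock path=/home/tz/.pgp/secring.pgp
1003 net pid=101 comm=pgp proto=tcp dst=192.0.2.10:1080
1004 net pid=102 comm=xlock proto=udp dst=198.51.100.7:53
1005 net pid=102 comm=xlock proto=udp dst=198.51.100.7:53
1006 net pid=104 comm=ftp proto=tcp dst=203.0.113.9:21
"""

LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<event>\w+)\s*(?P<kv>.*)$")

# Policy assumptions (hypothetical): only pgp may read the secret keyring,
# and the only permitted egress is TCP to the SOCKS proxy.
ALLOWED_KEYRING_READERS = {"pgp"}
SOCKS_PROXY = "192.0.2.10:1080"
KEYRING_SUFFIX = "secring.pgp"


def parse_log(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = {"ts": int(m["ts"]), "event": m["event"]}
        for item in m["kv"].split():
            key, _, value = item.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def keyring_alerts(records):
    """open() of the secret keyring by anything that is not the PGP binary."""
    return [
        r for r in records
        if r["event"] == "open"
        and r.get("path", "").endswith(KEYRING_SUFFIX)
        and r.get("comm") not in ALLOWED_KEYRING_READERS
    ]


def egress_alerts(records):
    """Network events that violate 'TCP to the SOCKS proxy only'."""
    return [
        r for r in records
        if r["event"] == "net"
        and not (r.get("proto") == "tcp" and r.get("dst") == SOCKS_PROXY)
    ]


def correlate(records):
    """Processes that both read the keyring and sent traffic outside the
    proxy: the pattern the thread describes (read secring, beacon over UDP)."""
    readers = {r["pid"] for r in keyring_alerts(records)}
    senders = {r["pid"] for r in egress_alerts(records)}
    return sorted(readers & senders)


def analyze(text):
    records = parse_log(text)
    return {
        "keyring": keyring_alerts(records),
        "egress": egress_alerts(records),
        "suspect_pids": correlate(records),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for r in report["keyring"]:
        print(f"keyring read by pid {r['pid']} ({r['comm']}) at {r['ts']}")
    for r in report["egress"]:
        print(f"egress outside SOCKS: pid {r['pid']} {r['proto']} -> {r['dst']}")
    print("suspect pids:", report["suspect_pids"])
```

The two checks are deliberately independent: the keyring rule catches the hook regardless of how it exfiltrates, and the egress rule catches the beacon regardless of what it carries, so the correlation in `correlate` only narrows the list to processes that did both. On a real system the records would come from the kernel audit subsystem or a packet filter log rather than a constructed string.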