Computer Incident Advisory Capability - 95-11

-----BEGIN PGP SIGNED MESSAGE-----
           ___  __ __    _     ___           __  __ __   __   __
          /       |     /_\   /       |\ |  /  \   |    |_   /_
          \___  __|__  /   \  \___    | \|  \__/   |    |__  __/
 
Number 95-11                                              August 10, 1995
This edition of CIAC NOTES includes:
    1) FIRST Conference
    2) Virus Update
    3) Hats Off to Administrators
    3) America On-Line Virus Scare
    4) SPI 3.2.2 Released
    5) The Die_Hard Virus
Please send your comments and feedback to ciac@llnl.gov.
  $-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$
  $ Reference to any specific commercial product does not necessarily   $
  $ constitute or imply its endorsement, recommendation or favoring by  $
  $ CIAC, the University of California, or the United States Government.$
  $-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$
=========================================================================
1) FIRST Conference
=========================================================================
The 7th annual FIRST (Forum of Incident Response and Security Teams)
Conference, scheduled for September 18th through the 22nd, is fast
approaching.
This year it is being held in Karlsruhe, Germany. For more information
about the conference, and all that this area has to offer, see
http://ciac.llnl.gov/ciac/FIRST95.html.
Some of the exciting sessions this conference has to offer include:
- What Every Manager Needs to Know About the Internet,
  by Sandy Sparks, CIAC
- Tools for Incident Handling,
  by Danny Smith, AUCERT
- Experiences with SATAN,
  by Wietse Venema, TU Eindhoven
- And Many, Many More....
   
=========================================================================
2) Virus Update
=========================================================================
The July 1995 issue of Virus Bulletin contains a listing of the most commonly
reported viruses. According to them, the Form, Parity_Boot, and
AntiCMOS viruses make up 42% of all reported viruses. Here is a quick
description of each, all of which have been seen in the DOE:
Form (18.3%) - A boot sector virus that randomly destroys files.
Parity_Boot (12.0%) - A memory resident boot virus that infects floppy
disk boot records and hard disk partition tables.
AntiCMOS (11.4%) - A primitive floppy disk boot sector and hard disk
partition sector infector. It is buggy and causes unintentional hangs
as well as leaving its intended payload.
AntiEXE.A (8.6%) - This virus hides in the boot sector of a floppy disk.
It is not known to be destructive, but it does have an ominous name. Some
anti-virus programs refer to it as the Generic Boot virus.
=========================================================================
2) Hats off to Administrators
=========================================================================
Being a system administrator is no easy job. Administrators are constantly
faced with a huge number of complex issues, such as irate users,
temperamental networks, and troublesome hackers. So, in appreciation of
these hard workers, here is a Top Ten List of things users DON'T want
administrators to say:
10) "Why is my rm * .o taking so long??"
9)  We prefer not to change the root password, it's a nice easy one.
8)  YEEEHA!!!  What a CRASH!!!
7)  We don't support that. We WON'T support that.
6)  System coming down in 0 min....
5)  It is only a minor upgrade, the system should be back up in
    a few hours.  (This is said on a Monday afternoon.)
4)  Nobody was using that file /vmunix, were they?
3)  find /usr2 -name nethack -exec rm -f {} \;
2)  Just add yourself to the password file and make a directory...
And the number one thing you don't want your system administrator to
say is....
1) Go get your backup tape!
=========================================================================
3) America On-Line Virus Scare
=========================================================================
Because of the high rate of virus rumors on the Internet, CIAC has
avoided making official bulletins on them. But, many were concerned
about rumors of a "BUPT" virus on AOL's installation diskettes. Here
is the official response from AOL regarding this rumor:
========================Begin AOL Response======
AOL Statement regarding BUPT virus
Dear Member:
We have received several inquiries over the last couple of days regarding a
rumored "BUPT virus" on new AOL registration diskettes that are being
distributed.
We have never had an occurrence of a virus through the installation of AOL's
registration diskettes. AOL uses a very careful and quality ensured process
to duplicate its registration diskettes. While there has been quite a bit
of rumor regarding this "BUPT virus", AOL has not been able to confirm a
single incident of a member getting this virus when installing AOL software
and registering as a member.
We recommend that our members safeguard their computers against any viruses
that could potentially be received from using software applications. We
suggest that you visit the Virus Center on AOL, keyword: Virus. This area
is where you'll find information about the latest virus or trojan horse,
along with updates to all the popular commercial, shareware, and freeware
anti-virus tools.
Warm Regards,
America Online
=======================End AOL Response=====
=========================================================================
4) SPI 3.2.2 Released
=========================================================================
The Computer Security Technology Center at Lawrence Livermore National
Lab announces the SPI 3.2.2 Maintenance Release.  The Security Profile
Inspector (SPI) is designed to assess the security of varied UNIX
computer systems.
This SPI release highlights stronger default password testing, and
improved installation allowing NFS-sharing of SPI executables.
Free SPI distribution is restricted to DOE, DOD, and to other
sponsoring agencies and their integrated contractors.  Others must
obtain SPI via the Energy Science & Technology Software Center
(ESTSC). Distribution details may be obtained by anonymous FTP from
ciac.llnl.gov in the pub/spi directory, or by email to spi@ciac.llnl.gov.
(Refer to the document "ACCESS" for details.)
This work is performed under the auspices of the U.S. Department of
Energy by Lawrence Livermore National Laboratory under Contract
W-7405-Eng-48.
***  Visit SPI WWW at http://ciac.llnl.gov/cstc/CSTCProducts.html#spi  ***
***  Send mail to ciac-listproc@llnl.gov and subscribe to spi-announce ***
=========================================================================
5) The Die_Hard Virus
=========================================================================
The Die_Hard or DH2 virus has been seen at a DOE site, so users
sharing PC software with other DOE sites should watch for it. The
virus only infects executable files (.COM and .EXE), so data disks
that contain no executables will not carry the infection.
 
*** Note that VirHunt 4.0E does not detect it! ***
 
As far as we know, the virus does not intentionally damage a machine;
it only replicates itself by infecting other executable files. We have
seen it lock up a machine while infecting COMMAND.COM. It is a memory
resident virus that reduces the memory available by 9232 bytes. Die_Hard
infects all executed or opened .COM and .EXE files. Infected
files grow by exactly 4000 bytes.
 
Because the DOE site licensed scanner (VirHunt) does not detect this
virus and a new site license for a PC virus scanner is currently being
negotiated, users will have to use other products to scan and remove
this virus.
 
The shareware programs F-PROT v. 2.18e, ThunderByte Antivirus v. 635,
and SCAN v. 224e detect and remove it, as should most other up-to-date
commercial and shareware products. These three scanners are available
at most shareware sites and on the CIAC Archive. The virus was
discovered in 1994, so scanners older than a year will not detect it.
 
Another way to remove the virus is to use its own stealth capabilities
against it. When an infected file is opened by another program, the
memory resident virus removes the virus from the file as it is being
read to make it appear uninfected, even though the file on disk is
infected. To remove the virus, boot with a clean locked floppy, then
run and quit an infected program to put the virus in memory. The virus
is in memory, but cannot infect any files on the locked boot
floppy. The virus will infect any executable file on the hard drive if
you try to run the file. Copy any infected .COM or .EXE files,
changing the file name extensions to something non-executable, such as
.COV or .EXV. The memory resident virus will remove the infection from
the infected files as they are being copied, but will not infect the
copies because they are not executable files. Reboot the computer with
the clean, locked floppy to remove the virus from memory, delete the
infected files, and then change the extensions on the copies back to
their original names.
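The two facts above, that every infected .COM or .EXE grows by exactly 4000 bytes and that the resident virus hides that growth from any program reading the file, are enough for a simple baseline-and-compare integrity check. The following Python script is an added example written for this page; it is not CIAC's SPI, not any of the scanners named in the note, and not code from the original bulletin. The file names, the SHA-256 choice and the simulated "infection" in demo() are constructed for illustration. The important caveat follows directly from the stealth behaviour: both the baseline and the later snapshot must be taken after booting from a clean, locked floppy, because a snapshot taken while the virus is resident would report the files at their uninfected size.

```python
"""Baseline/compare integrity check for DOS-style executables.

Hypothetical example, not CIAC's SPI or any scanner named in the bulletin.
It relies only on two facts the bulletin gives about Die_Hard: infected
.COM/.EXE files grow by exactly 4000 bytes, and the resident virus hides
that growth from programs that read the file while it is in memory, so
both snapshots must be taken from a clean boot.
"""
import hashlib
import tempfile
from pathlib import Path

EXEC_EXTS = {".com", ".exe"}
DIE_HARD_GROWTH = 4000  # bytes added to every infected file (from the bulletin)


def snapshot(root):
    """Record (size, sha256) for every .COM/.EXE under root, keyed by relative path."""
    root = Path(root)
    out = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in EXEC_EXTS:
            data = path.read_bytes()
            out[path.relative_to(root).as_posix()] = (
                len(data),
                hashlib.sha256(data).hexdigest(),
            )
    return out


def compare(baseline, current, growth=DIE_HARD_GROWTH):
    """Classify differences between two snapshots.

    Returns a dict with three sorted lists:
      signature_growth - files whose size grew by exactly `growth` bytes
      other_change     - files whose content changed in any other way
      new              - executables absent from the baseline
    A match in signature_growth is a strong hint, not proof: a legitimate
    update could also happen to add exactly 4000 bytes, so the flagged
    files still need a current scanner run from a clean boot.
    """
    sig, other, new = [], [], []
    for name, (size, digest) in current.items():
        if name not in baseline:
            new.append(name)
            continue
        base_size, base_digest = baseline[name]
        if digest == base_digest:
            continue  # unchanged content
        if size - base_size == growth:
            sig.append(name)
        else:
            other.append(name)
    return {
        "signature_growth": sorted(sig),
        "other_change": sorted(other),
        "new": sorted(new),
    }


def demo():
    """Constructed directory: 'infect' one file by appending 4000 bytes, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "EDIT.COM").write_bytes(b"\xe9" + b"\x90" * 299)   # constructed stand-in
        (root / "GAME.EXE").write_bytes(b"MZ" + b"\x00" * 1022)    # constructed stand-in
        (root / "NOTES.TXT").write_bytes(b"data disk contents")     # ignored: not executable
        baseline = snapshot(root)

        # Simulate Die_Hard's effect: exactly 4000 bytes appended to one executable.
        with open(root / "GAME.EXE", "ab") as f:
            f.write(b"\xcc" * DIE_HARD_GROWTH)
        # Simulate an ordinary legitimate update of another executable.
        (root / "EDIT.COM").write_bytes(b"\xe9" + b"\x90" * 310)
        # Simulate a newly arrived executable with no baseline entry.
        (root / "NEW.EXE").write_bytes(b"MZ")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category}: {names}")
```

In practice the baseline dictionary would be written to the locked floppy (or any medium the virus cannot reach) and the comparison rerun after each clean boot; anything in signature_growth is then checked with one of the current scanners listed above.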
 
============================================================================
-----------------------------------
Who is CIAC?
CIAC is the U.S. Department of Energy's Computer Incident Advisory
Capability. Established in 1989, shortly after the Internet Worm, CIAC
provides various computer security services free of charge to
employees and contractors of the DOE, such as:
    . Incident Handling Consulting
    . Computer Security Information
    . On-site Workshops
    . White-hat Audits
CIAC is located at Lawrence Livermore National Laboratory in
Livermore, California, and is a part of its Computer Security
Technology Center. Further information can be found at CIAC. CIAC is
also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster
cooperation and coordination among computer security teams
worldwide. See FIRST for more details (http://www.first.org/first/).
CIAC services are available for fee to other Federal civilian agencies.
Contact Nancy Adair in the DOE Oakland Operation Office 510-637-1741.
-----------------------------------
CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy. CIAC is located
at the Lawrence Livermore National Laboratory in Livermore, California.
CIAC is also a founding member of FIRST, the Forum of Incident Response
and Security Teams, a global organization established to foster cooperation
and coordination among computer security teams worldwide.
CIAC services are available to DOE and DOE contractors, and can be
contacted at:
    Voice:    510-422-8193
    FAX:      510-423-8002
    STU-III:  510-423-2604
    E-mail:   ciac@llnl.gov
For emergencies and off-hour assistance, DOE and DOE contractor sites may
contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call the
CIAC voice number 510-422-8193 and leave a message, or call 800-759-7243
(800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers, the
primary PIN number, 8550070, is for the CIAC duty person, and the secondary
PIN number, 8550074 is for the CIAC Project Leader.
Previous CIAC notices, anti-virus software, pgp public key, and other
information are available from the CIAC Computer Security Archive.
   World Wide Web:       http://ciac.llnl.gov/
   Anonymous FTP:               ciac.llnl.gov (128.115.19.53)
   Modem access:  (510) 423-4753 (14.4K baud)
                  (510) 423-3331 (9600 baud)
CIAC has several self-subscribing mailing lists for electronic publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical information
   and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
   software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of
   SPI products.
Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe
(add yourself) to one of our mailing lists, send the following request as
the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE
or SPI-NOTES for list-name and valid information for LastName FirstName and
PhoneNumber when sending
E-mail to       ciac-listproc@llnl.gov:
        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes O'Hara, Scarlett W. 404-555-1212 x36
You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or
get help.
--------------------------------------------------------------------
This document was prepared as an account of work sponsored by an
agency of the United States Government.  Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights.  Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California.  The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
--------------------------------------------------------------------
End of CIAC Notes Number 95-11 95_08_10
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMCozILnzJzdsy3QZAQFsNAQAuT5T16ko1eELAbUn57fz0oEIFP1p/BBZ
Hzumgj44SfGoZcaxnwJi6ack55PQBpt0JmxiaSvnzsgpStyplP1EIcNVmOVkCVpI
GkvtV/1OQlw2V9AFJGqNlaH3u1rCEZq65uF780S4pt+qsPgwcz+bpfSqb7l8Fsfi
GpuqA0gX/w4=
=SJA9
-----END PGP SIGNATURE-----