Investigating a reported virus attack


H.J. Highland, Random Bits & Bytes

ticularly if one wishes to obtain clean screen reproductions. Contrary to general belief, this operation does not require having a person sit for hours and/or days peering at the interceptor's monitor. Once the unit has been "sighted" on its target, it can be left unattended. A time-lapse VCR to shoot the screens can do the job. All the snooper has to do is come to the equipment van periodically and replace the video tape. We have advanced technologically so that we can "transfer" the video tape data to a computer disk. All that remains is the use of a good search program for keywords or critical numbers to scan the data. When a company spends hundreds of thousands of dollars to analyze possible oil deposits before it bids millions for a lease from the government, how much is it worth to obtain that data? If one could obtain advanced information about a company acquisition attempt or a pending stock merger and has large sums to invest, would a quarter of a million investment in eavesdropping be costly?

What Happens Next?

When the van Eck paper first appeared, I received numerous phone calls and letters from technical personnel for assistance in their building of the equipment. I did not provide the missing data. However, some of those who called and/or wrote communicated with me at a later date to explain how they overcame the missing details. Because more and more individuals were able to fill in the missing data, I noted at Elsevier's COMPSEC 87 workshop that it was now only a matter of a few years before one of the popular hobby publications in the States prints the schematic diagrams, a parts list and step-by-step instructions. During a conversation with the director of computer security of a multinational petroleum company recently, I told him about the William's manual. As we were saying goodbye, he asked me if I thought that Radio Shack (Tandy) would be selling kits or completed electromagnetic eavesdropping units by Christmas. I do not know whether it will be a kit or a finished unit. If they do not market the product, someone else will undoubtedly do so.

Tips on Terrorism

Terrorism is now an established threat and no longer an infrequent incident. To supplement Wayne Madsen's article, "The World Meganetwork and Terrorism," in this issue, we have included some supplementary material available to interested readers. "Tips on Terrorism" is a 10 page pamphlet covering security suggestions for Canadian business people travelling or working abroad. Published almost a decade ago, it contains a concise statement of the threat, tips on office security as well as suggestions for security en route and living abroad. Of interest are the suggestions offered in the section on "if an incident occurs." The pamphlet was prepared by the Canadian Department for External Affairs.

"Security Guidelines for American Families Living Abroad", issued in April 1988, was prepared by the Overseas Security Advisory Council of the U.S. Department of State. This 62 page booklet is comprehensive, covering such special topics as domestic hires, family and company cars, telephones, mail, bank accounts and even trash removal. In addition to a good bibliography it contains a comprehensive 13 page checklist. It is available from the OSAC of the U.S. Department of State. "World Status Map" provides up-to-date pre-travel briefings on every country and major island in the world. Dangers and medical risks are described for each country. Also provided are the latest U.S. Department of State current advisory notices. Additional information is available by modem. Full information about the service can be obtained from WSM Publishing Company. For those interested in a detailed review of terrorism against Americans in 1987, there is a volume edited by Andrew Corsum of the Threat Analysis Division entitled "Significant Incidents of Political Violence Against Americans: 1987" from the Bureau of Diplomatic Security of the U.S. Department of State.

Computers and Security, Vol. 7, No. 4

Investigating a Reported Virus Attack

Tracking down suspected virus attacks is time consuming and most reporters have neither the background nor the time to do so. Earlier this spring we learned about a virus that reportedly struck a precious metals broker in New York. The characteristics of the suspected virus were somewhat similar to those reported to us by one of our editorial staff members in the midwest. The suspected virus altered the disk assignment to which an updated file was written. This resulted in data file proliferation and degrading data integrity, severely affecting the company's operations. Since several of the New York company's LANs shared programs and floppy disks, it was assumed that the damage had been caused by a virus. Despite exhaustive tests, it was not possible to locate the virus in any of the normal hiding places. A comparison of executable programs with their original disks showed that none of the programs had been altered. It was not feasible to examine the data files. It was finally decided to clear the LANs and restart operations by reloading all files and programs. When the system was attacked again the next day, it was believed that infected back-ups had been used to reload the system. Once more the systems were cleared, but this time reloaded with original executable programs. One LAN was selected for immediate testing. 3 hours later the LAN was infected. Since off-site data files created months ago had been used for the test, the chance of infected tapes and/or floppy disks was minimal. At that point it was decided to examine the network's communication package and the program-generated and user-created configuration and utility files. This had not been done previously because it was too time consuming. It was only then that an incorrect operating system call in a program-generated utility and a "mis-statement" in a user-created configuration file were found. The operating system call was for a procedure that had been eliminated from the recently installed systems program. The communications

package was designed to work with an earlier version of the operating system. Someone had failed to apply the communication package's upgrade patch before installing the new version of the operating system. Furthermore, the error in the configuration file was handled improperly by the communications program. The "virus" was activated when the missing operating system call was invoked, causing the modification of the disk assignment during file updating. In this case there was no virus, only human error.
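The investigation above compared executables against their original disks but left the program-generated utilities and user-created configuration files unexamined until the end, which is where the fault actually lay. The following is an added example, not code from the column or from any product it lists: a baseline comparison that hashes every file under a tree, including configuration and utility files, and reports what drifted from a known-good copy and of what kind each drifted file is. The directory layout, file names (NET.EXE, NET.CFG, GENERATED.BAT) and the extension-to-category table are constructed for the example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Extension -> category table. These mappings are assumptions for the example,
# chosen so the report says what kind of file drifted, not only that one did.
CATEGORIES = {
    ".exe": "executable", ".com": "executable", ".bat": "utility",
    ".cfg": "configuration", ".ini": "configuration", ".sys": "configuration",
}


def categorize(rel_path):
    """Classify a file by extension; anything unknown is treated as data."""
    return CATEGORIES.get(Path(rel_path).suffix.lower(), "data")


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(baseline, current):
    """Return modified / added / missing files, each tagged with its category.

    'added' is the interesting bucket for generated utilities: a file that the
    known-good tree never contained cannot be vouched for by any baseline hash.
    """
    report = {"modified": [], "added": [], "missing": []}
    for rel, digest in current.items():
        if rel not in baseline:
            report["added"].append((rel, categorize(rel)))
        elif baseline[rel] != digest:
            report["modified"].append((rel, categorize(rel)))
    for rel in baseline:
        if rel not in current:
            report["missing"].append((rel, categorize(rel)))
    for bucket in report.values():
        bucket.sort()
    return report


def demo():
    """Constructed sample: a known-good tree and a suspect tree in which the
    executable is byte-identical, one config line differs, and a generated
    utility exists only on the suspect side. Mirrors the case in the column."""
    base = Path(tempfile.mkdtemp())
    try:
        good, suspect = base / "good", base / "suspect"
        for tree in (good, suspect):
            (tree / "bin").mkdir(parents=True)
            (tree / "bin" / "NET.EXE").write_bytes(b"MZ-executable-unchanged")
            (tree / "NET.CFG").write_text(
                "drive=F:\n" if tree == good else "drive=G:\n")
        (suspect / "bin" / "GENERATED.BAT").write_text("old_os_call\n")
        return compare_manifests(build_manifest(good), build_manifest(suspect))
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for kind, items in demo().items():
        for rel, category in items:
            print(f"{kind:9} {category:14} {rel}")
```

Run stand-alone, the demo reports NET.CFG as a modified configuration file and bin/GENERATED.BAT as an added utility while the executable is silent, which is exactly the signal the broker's first two rounds of testing never produced. The baseline manifest should be taken from the original distribution media at install time and kept off the systems it describes.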

Virus Filter Update

After a review of the anti-virus products listed by CompuLit's Microcomputer Security Products Evaluation Laboratory in our last issue, we decided to eliminate those programs that were designed to detect Trojan horses and others that were written prior to the virus age. The modified list as of August 1, 1988 is included. There are now 20 protective products awaiting extensive testing. Note: None of these products have been fully tested; they are listed for information purposes only.

Data Physician: Digital Dispatch, Inc., 1580 Rice Creek Road, Minneapolis, MN 55432, U.S.A.
Disk Defender: Director Technologies, Inc., 906 University Place, Evanston, IL 60201, U.S.A.
Disk Watcher: RG Software Systems, 2300 Computer Avenue, Suite 151, Willow Grove, PA 19090, U.S.A.
Dr. Panda Utilities: Panda Systems, 801 Wilson Road, Wilmington, DE 19803, U.S.A.
Flu Shot: Ross Greenberg, 594 Third Avenue, New York, NY 10016, U.S.A.
Immunize: Remote Technology, 3612 Cleveland Avenue, St. Louis, MO 63110, U.S.A.
Novirus: Digital Dispatch, Inc., 1580 Rice Creek Road, Minneapolis, MN 55432, U.S.A.
Antidote: Quaid Software Ltd., 45 Charles Street East, Toronto, Ontario M4Y 1S2, Canada
Ntivirus: Orion Microsystems, P.O. Box 128, Pierrefonds, Canada H9H 4K8
Antigen: Digital Dispatch, Inc., 1580 Rice Creek Road, Minneapolis, MN 55432, U.S.A.
Vaccine: Paul Mace Software, 400 Williamson Way, Ashland, OR 97520, U.S.A.
C-4: Interpath Corporation, 4432 Theeney Street, Santa Clara, CA 95054, U.S.A.
Vaccine: Sophos Limited, 20 Hawthorne Way, Kidlington, Oxford OX5 1EZ, U.K.
