Friday, June 25, 2010

lessons from the past

one of the criticisms i sometimes have of people in the security field is that they seem to fail to learn from the past. this isn't necessarily a fair criticism since often the people i'm directing that criticism towards aren't familiar with the past events i'm thinking of. as such this post is meant to serve a dual purpose - a) to help the people of today become familiar with the lessons of yesterday, and b) to help preserve something that i'd rather not see become a victim of the false sense of posterity that usenet archives like google's affords us. this was actually not my first choice for usenet posts to republish here, but my first choice seems to be well and truly gone.

the events described here took place some 21 years ago, back when the mores and traditions of the anti-virus community/industry weren't quite as strict as they ultimately became. in fact, i'd hazard a guess that the events described here and the lessons learned from them are at least part of the reason those mores and traditions became so strict. read on to find out what can happen when you handle malware either carelessly or even carefully but not quite carefully enough. from frisk's post in comp.virus/virus-l
From: (Fridrik Skulason)
Newsgroups: comp.virus
Subject: Two serious cases (PC)
Message-ID: <>
Date: 27 Dec 89 12:47:52 GMT
Sender: Virus Discussion List 
Lines: 65

Most virus researchers exchange/distribute viruses only on a strict
need-to-know basis, in order to limit the spread of viruses. However, this
does not work as well as intended. There are now two known cases where
untrustworthy people seem to have obtained viruses from researchers.

Case #1: Icelandic-1/Saratoga

     I discovered the Icelandic-1 virus here in Iceland in June this year.
     When I had disassembled it, I sent a disassembly of an infected file
     to several experts in the USA, UK and Israel, including the HomeBase
     folks (McAfee). Before I sent out the disassembly, I made one small
     change to it. This change had no effect on the operation of the virus,
     but it would make it possible to determine if a copy of this virus found
     outside of Iceland was based on my disassembly or not.

     Looking back, I can see that this was not a very good idea, simply
     because there was a possibility that somebody might select an invalid
     identification string, based on this disassembly. So, those of you having
     a copy of my disassembly, please contact me if you want to correct it.
     This change was also (by accident) included in the Icelandic-2
     disassembly, since I used the Icelandic-1 disassembly as a basis for

     Now - back to the Icelandic-1 virus.

     Three days after the virus was made available on the HomeBase bulletin
     board, in a restricted area that only a few people had access to, a new
     virus was discovered in Saratoga and uploaded to the HomeBase BBS. Some
     people thought for a while that Saratoga was an older variant of
     Icelandic-1, because it was at first said to have been found "a few
     months earlier", but this turned out to be a misunderstanding.

     Saratoga was just a minor variant of Icelandic-1, but the change I made
     was present in the virus, so it was obviously based on my disassembly.
     When Saratoga was found, I had only sent Icelandic-1 to three or four
     persons in the US - and, as far a I know, it had only been made available
     to other persons in one place (HomeBase).  They believe that the person
     responsible for the creating "Saratoga" has now been found, and his
     access to the restricted area has been terminated.

Case #2: Dbase

     The dBase virus was discovered by Ross Greenberg. It seems to have been
     planted at only a single site, because no other reports appeared for
     several months. Recently Ross made the virus available to a number of
     virus researchers. Within two weeks the first infection reports had
     started to arrive - the virus had escaped.

     We know that at least some of the reported infections were based on the
     copy from Ross, because he made one small change to the virus, before it
     was distributed. One instruction was overwritten by two "harmless"
     instructions, in order to disable the most harmful effect of the virus -
     the disk trashing part. This change is also present in some of the
     infected files that have been found recently. (In other cases the
     original instruction is present)

As I said before, I do not consider it a very good idea to make changes to
viruses, but it paid off in the two cases described above. Who knows how
many other cases of virus infections are (indirectly) the result of virus
collection/distribution by virus experts.

At least it is certain that we have to be a lot more careful in the future.

- -frisk