the events described here took place some 21 years ago, back when the mores and traditions of the anti-virus community/industry weren't quite as strict as they ultimately became. in fact, i'd hazard a guess that the events described here and the lessons learned from them are at least part of the reason those mores and traditions became so strict. read on to find out what can happen when you handle malware either carelessly, or even carefully but not quite carefully enough. from frisk's post in comp.virus/virus-l:
From: fr...@rhi.hi.is (Fridrik Skulason)
Newsgroups: comp.virus
Subject: Two serious cases (PC)
Message-ID: <0007.9001031142.AA02943@ge.sei.cmu.edu>
Date: 27 Dec 89 12:47:52 GMT
Sender: Virus Discussion List
Lines: 65
Approved: k...@sei.cmu.edu

Most virus researchers exchange/distribute viruses only on a strict need-to-know basis, in order to limit the spread of viruses. However, this does not work as well as intended. There are now two known cases where untrustworthy people seem to have obtained viruses from researchers.

Case #1: Icelandic-1/Saratoga

I discovered the Icelandic-1 virus here in Iceland in June this year. When I had disassembled it, I sent a disassembly of an infected file to several experts in the USA, UK and Israel, including the HomeBase folks (McAfee). Before I sent out the disassembly, I made one small change to it. This change had no effect on the operation of the virus, but it would make it possible to determine if a copy of this virus found outside of Iceland was based on my disassembly or not.

Looking back, I can see that this was not a very good idea, simply because there was a possibility that somebody might select an invalid identification string, based on this disassembly. So, those of you having a copy of my disassembly, please contact me if you want to correct it. This change was also (by accident) included in the Icelandic-2 disassembly, since I used the Icelandic-1 disassembly as a basis for that.

Now - back to the Icelandic-1 virus. Three days after the virus was made available on the HomeBase bulletin board, in a restricted area that only a few people had access to, a new virus was discovered in Saratoga and uploaded to the HomeBase BBS. Some people thought for a while that Saratoga was an older variant of Icelandic-1, because it was at first said to have been found "a few months earlier", but this turned out to be a misunderstanding.

Saratoga was just a minor variant of Icelandic-1, but the change I made was present in the virus, so it was obviously based on my disassembly. When Saratoga was found, I had only sent Icelandic-1 to three or four persons in the US - and, as far as I know, it had only been made available to other persons in one place (HomeBase). They believe that the person responsible for creating "Saratoga" has now been found, and his access to the restricted area has been terminated.

Case #2: dBase

The dBase virus was discovered by Ross Greenberg. It seems to have been planted at only a single site, because no other reports appeared for several months. Recently Ross made the virus available to a number of virus researchers. Within two weeks the first infection reports had started to arrive - the virus had escaped.

We know that at least some of the reported infections were based on the copy from Ross, because he made one small change to the virus before it was distributed. One instruction was overwritten by two "harmless" instructions, in order to disable the most harmful effect of the virus - the disk trashing part. This change is also present in some of the infected files that have been found recently. (In other cases the original instruction is present.)

As I said before, I do not consider it a very good idea to make changes to viruses, but it paid off in the two cases described above. Who knows how many other cases of virus infections are (indirectly) the result of virus collection/distribution by virus experts. At least it is certain that we have to be a lot more careful in the future.

-frisk