The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #041 [Re: Steps in the virus, as best we know them (and fixes)] (1 message, 950 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/041.txt&t=text/plain

START OF DOCUMENT

From: Theodore Ts'o <tytso@ATHENA.MIT.EDU>
To: phage
Date: Fri 15:36:13 04/11/1988 EST
Subject: Re: Steps in the virus, as best we know them (and fixes)
References: [Thread Prev: 035] [Thread Next: 211] [Message Prev: 036] [Message Next: 039]

Some programmers from SIPB, Project Athena, LCS, and the MIT Network
group got together and made a concerted effort to disassemble the code
all last night.  We succeeded this morning in disassembling all of the
virus.  There are a few "fixes" and descriptions that have been floating
around this list, which appear to be not fully correct, judging from our
results.

	1)  Setting pleasequit=-1 does not necessarily stop the virus.
Even with pleasequit=-1, at least one iteration of the virus propagation
code will run.  In addition, another variable must also be greater than
10 before the virus exits.

	2)  The ONLY attacks it does are the sendmail, finger, .rhosts
(rsh and rexec), and password guessing.  The password attacks involved
checking if password==username, and a few other standard tests.

	3)  One of the things it does before it attacks a host is
it connects to the telnet port and immediately closes it.  Thus,
"telnetd: ttloop: peer died" in /usr/adm/messages is a sign that the
virus *attempted* an attack a second or two later.

	4)  The .o files are _not_ profiled.  "mcount" is a red herring.
What that region of data actually is is some of the strings that it
wants to be kept secret XOR'ed with 0x81.

						- Ted Ts'o
						MIT Project Athena
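The two defender-side checks Ted's message gives a basis for, as an added Python example that is not part of the original message or of the disassembly effort it describes: point 3 (scanning /usr/adm/messages for the "telnetd: ttloop: peer died" indicator) and point 4 (recovering the string region that was XOR'ed with 0x81). The log lines, the syslog layout, the hidden strings and all function names are constructed for illustration and are assumptions, not taken from the worm or from a real system.

```python
"""Added example: detection and forensic helpers built on the observations above.

Everything here is constructed for illustration (hypothetical names and data).
"""
import re

# Constructed sample lines in a 4.3BSD-style /usr/adm/messages layout (assumed
# format; the pid in brackets is optional so both variants are matched).
SAMPLE_MESSAGES = """\
Nov  3 02:14:07 prep telnetd[1234]: ttloop: peer died
Nov  3 02:14:09 prep sendmail[1240]: message accepted for delivery
Nov  3 03:01:44 prep login: ROOT LOGIN ttyp0
Nov  3 04:22:51 prep telnetd: ttloop: peer died
"""

# Point 3: a telnet connect-then-immediate-close shows up as this telnetd line.
TTLOOP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"telnetd(?:\[\d+\])?: ttloop: peer died$"
)


def find_probe_indicators(text):
    """Return (timestamp, host) for every line carrying the ttloop indicator.

    The indicator marks an *attempted* attack a second or two later, so the
    timestamps are what an operator would correlate with sendmail/finger/rsh
    activity that follows.
    """
    hits = []
    for line in text.splitlines():
        m = TTLOOP_RE.match(line)
        if m:
            hits.append((m.group("ts"), m.group("host")))
    return hits


# Point 4: the region mistaken for profiling data is strings XOR'ed with 0x81.
XOR_KEY = 0x81


def deobfuscate(blob):
    """XOR every byte with 0x81; XOR is its own inverse, so this also hides."""
    return bytes(b ^ XOR_KEY for b in blob)


def decode_strings(blob, min_len=4):
    """Recover printable NUL-terminated ASCII strings from a XOR'ed region.

    After un-XORing, a hidden NUL separator (stored as 0x81) becomes 0x00
    again, so the region splits cleanly on NUL. Short or non-printable
    fragments are dropped as noise.
    """
    out = []
    for chunk in deobfuscate(blob).split(b"\x00"):
        if len(chunk) >= min_len and all(32 <= c < 127 for c in chunk):
            out.append(chunk.decode("ascii"))
    return out


# Constructed stand-in for the hidden region: ordinary strings, XOR'ed the
# same way the message describes. Not the worm's actual data.
SAMPLE_BLOB = deobfuscate(b"hello world\x00second string\x00ab\x00")


if __name__ == "__main__":
    for ts, host in find_probe_indicators(SAMPLE_MESSAGES):
        print(f"{ts} {host}: telnet probe, check the next few seconds of log")
    print("recovered strings:", decode_strings(SAMPLE_BLOB))
```

Every byte of the hidden region carries the high bit after XOR with 0x81, which is why the region looked like binary profiling data rather than text; un-XORing it restores plain ASCII and the NUL separators, so the strings can be listed with ordinary tooling.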

END OF DOCUMENT