Computer Knowledge Newsletter – May 1998 Issue

In This Issue:

Virus News

Autostart 9805 Macintosh Worm. After a lull, a new Macintosh threat has developed. Technically a worm, Autostart 9805 adds invisible files to every disk partition, periodically causes extensive disk activity (and network activity if network disks are mounted), and will overwrite some data files with random data. The initial infection usually requires QuickTime 2.0 or above installed. PowerPC systems running the MacOS or later and with mounted HFS or HFS+ volumes are affected.

Infected disks contain an invisible application file named “DB” (type “APPL”, creator “????”, with the “invisible” attribute set) in the root directory, with autostart set. When the infected disk is mounted on a PowerPC MacOS system running QuickTime 2.0 or later, the “DB” application is launched automatically if the AutoStart feature is enabled in QuickTime. It then copies itself to the Extensions folder of the active System. It changes the name of the copy to “Desktop Print Spooler” and the type to “appe.” It then restarts the computer system.

The worm does damage if not caught. After checking the mounted volumes for infection, the worm begins searching for certain files on each disk. Files ending with “data”, “cod”, and “csa” (case insensitive) are targeted if the data fork is larger than 100 bytes. Files ending with “dat” are targeted if they are larger than about 2 Mbytes (resource + data forks). When a targeted file is found, it is damaged by overwriting the data fork (up to approximately the first 1 Mbyte) with garbage. The first byte is always set to zero, and this serves as a flag to bypass the file on subsequent passes.

The worm has numerous symptoms that make it reasonably easy to identify:

  • The system unexpectedly restarts after mounting a diskette or other volume. This will only happen when the initial infection occurs.
  • The “DB” application name flashes briefly in the menu bar when a disk is mounted.
  • The presence of an invisible application file named “DB” on the root of disk volumes, or the invisible “Desktop Print Spooler” file in the extensions folder. Any file or disk utility program (such as ResEdit) that shows invisible files in its file selection dialogs can be used to check for the files. Be sure not to confuse the legitimate “Desktop Printer Spooler” file with the worm.
  • A process named “Desktop Print Spooler” is found.
  • Extensive, unexplained disk activity every 30 minutes.

Anti-virus vendors should all have updated their products by the time you receive this. Be certain to get an update if you have not already. [A second variant of this beast has been found as this goes to press.]

NAV and IBM Team. Reports are that IBM and Symantec will be teaming to deliver a single family of anti-virus products. The products will be marketed under the Norton name. The basic purpose will be to include the IBM “immune system” technology into the NAV product line.

In a related development, it also seems that Intel plans to also license the IBM technology for its LANDesk Virus Protect product line.

General Security

Security by Radio. PC Week reports that a new form of hardware security will be available around June. XyLoc will produce a device that connects to the keyboard port on a PC. The device monitors special radio signals sent from a keyring radio transmitter. When a user with the proper transmitter approaches within a defined distance from the PC, the keyboard will be unlocked for that user. Others who try to use the PC are locked out when the rightful user is absent. Access to the PC is also tracked so network managers can determine if the system has somehow been penetrated (the technology is based on that developed for remote control of car door locks).

Note that this technology joins a long line of products that will be designed to control access to computers. Most of the others, however, use biometric measures of some sort (e.g., fingerprint, retinal pattern, face pattern). Some privacy gurus are complaining about the biometric measures as being intrusive and, more importantly, capable of building databases about such personal characteristics. The XyLoc device only requires that the legal user of a computer maintain possession of the keyring device. (Of course, that also has a downside as it would be easy for a “bad” employee to just give the device to someone else at the risk of being identified as doing the evil instead of the “someone else.”)

Below are some links to various biometric resources:

National Biometric Test Center at http://www.biometrics.orgWeb Link
Connecticut Social Services collection at Link

On-line Hate Crime Punished. In early May University of California at Irvine student Richard Machado was found guilty by a jury of on-line hate crime: sending E-mail to a group of students threatening to “…make it my life career to find and kill every one of you personally.” The sentence was one year in prison (effectively time served since Machado had been in prison since February 1997). Machado maintained that violence was part of the culture of the net; the prosecution maintained this did not exempt the net from federal laws. Machado sent the threat from campus computers.

E-mail lends itself to both informal and spur-of-the-moment responses. The Machado case shows that you should perhaps think about hitting the delete key before the send key for mail you would not want broadcast to the world.

Web Site Archives. In the past, I’ve made note of the need for backups. These are very important, but there is something maybe even more important if you run a web site that offers products; having an archive of everything ever offered on that site, including not only content but dates that content went active on the site.

Site content is ever changing. Upgrades are made to products, licenses, warranties. Bugs are found and described. It’s important to know when these things happened.

Consider a customer who buys your product at time T. Now, at time T+Interval the product fails. The customer goes to your web site and sees a notice about the problem relative to their particular configuration. But, was that notice there when the customer bought the product? You’d better know or you’ll have to take the customer’s word that it was not.

OK, you’ve got all your information in databases and applications to drive real-time page generation for your customers. The situation above arises and you try to recreate the page using the database and application in use at time T. You have it, but ooops, it doesn’t work because your operating system have been upgraded and the application no longer works. Who will the legal system believe: the customer (“I printed everything I saw”) or you (“I know I can recreate the pages served if I can find and install the old operating system, but in the meantime just look at these database records”)?

Electronic commerce is coming, and coming fast. It’s going to be very important for you to keep up with the record keeping necessary to protect yourself.

Problem Backdoors. If you use network equipment be certain to check with the manufacturer about backdoors. Some equipment makers may have installed backdoors for testing purposes. These can cause security problems is not plugged. One such was reported for 3Com CoreBuilder 2500 and 3500 switches.

The units have a “debug” account which is even stronger than an “admin” account. The debug user has access to all administrative functions plus debugging commands not even available to the admin user. Indeed, the debug user can even lock the admin user out.

Not all devices have such backdoors; but, it’s important that you find out if your hardware does and then take steps to secure that door by changing the default password for the backdoor account at a minimum.

Information of Interest

Lawyers and Y2K. The lawyers are champing at the bit when it comes to Y2K issues. Many suits are already in the courts, including, I understand, one against Intuit because they are currently making Y2K changes and this proves they were not compliant in the past, thus putting customers at risk. Another Australian company has been successfully sued in the UK and are, in turn, now trying to bring their programmers to court since they were all “contractors” when working for the company.

And, to top it off, lawyers have been discussing suing the very programmers who are fixing the problem because in many cases it won’t be finished on time and they have a duty to point this out and have not.

[Was going to comment further but decided it would be better not to. 🙂 ]

Interesting links:

Personal bookshelf – (Here you can sign up for free access to various computer books over the web. You are given access to the web versions for a set period of time. This is rather like book shareware: you get to try the book in the hope you will buy the one(s) you find useful.) [Update: Service no longer available.]

In closing: Stay alert and watch out for people in suits with briefcases.