Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!iuvax!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: VALDIS@vtvm1.cc.vt.edu (Valdis Kletnieks)
Newsgroups: comp.virus
Subject: Re: CMS viruses (IBM CMS)
Message-ID: <0002.8907211134.AA06039@ge.sei.cmu.edu>
Date: 20 Jul 89 15:06:24 GMT
Sender: Virus Discussion List
Lines: 65
Approved: krvw@sei.cmu.edu

>2. neither MVS nor VM could be infected by 16 bytes of code in a
>non-obtrusive manner... an overwriting virus possibly...!! however these
>are both large expensive mainframe SCP(system control programs) note I
>didn't include cms in this he is a user interface!! but they most
>definitely can be infected!!!!!!

First of all, I believe it was 16 *lines* not 16 *bytes*. Even in
assembler, 16 lines will give you 64 bytes of code (assuming average
4 bytes/instruction), and more if you allow macro use.

I'm unclear what you're saying - are you saying that VM and MVS are
systems that "can't be infected non-obtrusively" or that they "can be
infected"?

I have seen 5-line programs that broke VM. Once you do that, all the
rest is just pretty-printing. And the 5-line program was SO unobtrusive
that the author literally didn't KNOW for a while that he had done it.
It turned out to be a bug in HIS program accidentally exploiting a bug
in the SYSTEM.

IBM very recently (as an SPE apar to SP/4) fixed a BIG hole in the
reader file support, where a sequence of 5 user commands would break a
userid.

The bottom line is that (a) you can break it (b) if you're good, nobody
will notice and (c) sometimes you don't even have to be very good...

>3. given the richness of the 2 above environments and both of them
>predate any other System control programs currently used now... no
>human intervention is necessary for an infection mechanism to
>accomplish its designed task!!!!

Well, MVS/ESA can trace itself back to 1963 and the OS/360 project.
However, CP/67 (the ancestor of VM/SP and VM/XA) dates to almost
literally the same month in 1967 as the first attempts to bring Unix
up. And both Unix and VM are newer than the venerable Multics (which is
still used at a fairly large number of sites).

And admittedly MVS and VM *can* both be broken. Otherwise IBM would not
have needed to issue 'Statements of Integrity' for them.

However, if anything, you got the point here backwards. It is mostly
the *newer*, *less mature* systems that are easily attacked and
penetrated without human intervention. Remember that MVS has literally
25 years of people breaking into it, while the Macintosh OS has a lot
less experience in defending itself. Yes, the older operating systems
ARE generally more full-featured. But the features are generally a LOT
more robust.

>4. to achieve point 3 above... one must be what is known in IBM
>Parlance as a SYSPROG not just a technical support specialist... in
>other words it most likely is not going to be the local 14 year old
>sunnyvale hacker!!!(that would implement this code)

Ah yes - to break into VM without human intervention DOES require a
fair amount of true wizardry. However, you can trust that enough users
will run anything that shows up that a trojan horse like the Christmas
Card exec is effectively a virus.

Yes, technically the Christmas Exec was a trojan horse. However, that
didn't stop it from taking out the BitNet academic network and the VNET
IBM internal net just as effectively as the Morris worm did to the
Internet.

Valdis Kletnieks
Computer Systems Engineer
Virginia Tech