Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!uwm.edu!zaphod.mps.ohio-state.edu!samsung!munnari.oz.au!cluster!metro!natmlab.dap.csiro.au!ditsyda!macuni!mqccsunc!ifarqhar
From: ifarqhar@mqccsunc.mqcc.mq.OZ (Ian Farquhar)
Newsgroups: comp.lang.postscript
Subject: Postscript Viruses
Summary: The discussion belongs here, Woody
Message-ID: <139@macuni.mqcc.mq.oz>
Date: 21 Jan 90 11:30:24 GMT
References: <21772@uflorida.cis.ufl.EDU> <1990Jan14.180821.18711@trigraph.uucp> <1990Jan16.154513.10892@intercon.com> <17677@rpp386.cactus.org> <51011@bbn.COM> <137@macuni.mqcc.mq.oz>
Sender: news@macuni.mqcc.mq.oz
Reply-To: ifarqhar@mqccsunc.mq.oz (Ian Farquhar)
Organization: Macquarie University, Sydney
Lines: 121

A couple of days ago, Woody posted a message to comp.viruses about the worrying possibilities of postscript viruses. His points were that these would be easy to write, and to incorporate into eexec blocks for downloading to printers. Once there, they could trash a file system, and do all sorts of damage.

Well, folks. I cannot speak for anyone else, but if you want an intelligent discussion it is far better to keep it OUT of comp.viruses - it is a newsgroup whose paranoia and noise level exceeds even the *.politics newsgroups. This discussion definitely belongs here.

Over a couple of days, I have been investigating the possibility of a postscript virus. For the record, I would define a virus as something that has the following characteristics:

1. It is a program that is able to stay hidden from the user, and also be activated without user intervention. The program should not use enough resources for the user to notice, and should be transparent until phase 3.

2. It should be capable of replicating itself so that it can spread from application to application, and/or machine to machine.

3. It should do SOMETHING. This action may simply announce the virus's existence, or extend to physical damage of the hardware.

Examples of viruses on the PC are the Jerusalem strains, and on the Amiga the SCA viruses. I have nothing to do with Macs, so cannot provide any examples there (sorry).

I would define a trojan horse as a program that masquerades as a useful program and which - when run - does damage. The PC has had an excellent example of a trojan with the AIDS Disks.

If implementing a virus, it is important that at least the first two stages (infection and distribution) are performed. Stage three is optional, though the mentality of most of the documented virus writers would not tolerate such anonymity.

A postscript virus would be very difficult if not impossible to write. Let me detail the reasons why.

1. Postscript has no standardised mechanism for transferring data back to its host, and on the rare occasions that a data transfer does happen it is usually answers to queries by the host. For a virus (say written into a font - as Woody's original posting suggested) to actually spread to another printer it would have to either:

   (a) Somehow get the modified code back to the host and saved as the new font file, or

   (b) Be part of an original distribution. In this case it would be a trojan rather than a virus.

   (c) To exist on the host as a self-modifying program. I can see no use whatsoever for self-modifying Postscript.

2. To really do damage, it would have to access the undocumented contents of the internal dictionary, or access the hardware directly. Both are non-standard, would need a great amount of code and intimate knowledge of internal details to do this trick. Woody mentioned scrambling the file system, which he said is not difficult. This is about all that I can think a virus/trojan could do.

3. This point is going to seem a little ridiculous, but bear with me. Virus writers are usually frustrated, immature men in their late teens or early twenties. They are often quite competent programmers, but are extremely unprofessional and usually incapable of writing code that would be accepted in a commercial environment. It has been speculated that their vandalistic desires are actually attempts at gaining self-esteem that they lack. They are almost always lacking in resources, most with systems barely adequate for the task of writing any application. It is MOST UNLIKELY that they would have access to a Postscript printer, and also most unlikely that they could adapt their programming "styles" to Postscript's device independence.

I am losing no sleep over the thought of a Postscript virus (I am losing sleep over this posting!). I can see no way for such a program to spread, and little possibility of it doing damage once it was installed. The only reasonable system that I can envisage is that of a trojan supplied from a major manufacturer with one very disgruntled ex-employee.

So, Woody. I don't think that this is likely, but it was an interesting thought. If any other participants in comp.lang.postscript wish to post their thoughts on this matter, I would be most interested to read them. However, let me say one thing. The majority of net users are sensible people who appreciate the dangers of viruses and trojans, but there are two types of readers that may cause trouble.

1. The user who does not recognise their own limitations and who may be tempted to try something stupid ("I wonder exactly what this filesystem scrambling program does when I run it...." - though if anyone is that stupid then perhaps we should let them :-))

2. The virus writers. They are unlikely, but always bear them in mind.

So, be as general as possible, and DON'T POST ANY SOURCES!

So fellow Postscribes, if you get a sample font disk from a Panamanian company called PC Cyborg, regard it with great suspicion....

All hail Saint Fubar, patron saint of computer programmers.

+-----------------------------------+-------------------------------+
| Ian Farquhar                      | Phone : (02) 805-7420 (STD)   |
| Microcomputer Support             |         (612) 805-7420 (ISD)  |
| Office of Computing Services      | Fax   : (02) 805-7433 (STD)   |
| Macquarie University NSW 2109     |         (612) 805-7433 (ISD)  |
| Australia                         | Also  : 805-7205              |
+-----------------------------------+-------------------------------+
| ACSNet  ifarqhar@macuni.mqcc.mq.oz                                |
|         ifarqhar@mqccsuna.mqcc.mq.oz                              |
+-------------------------------------------------------------------+