Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!usc!cs.utexas.edu!wuarchive!texbell!uudell!natinst!rpp386!woody
From: woody@rpp386.cactus.org (Woodrow Baker)
Newsgroups: comp.lang.postscript
Subject: Re: Postscript Viruses
Summary: quite valid
Message-ID: <17720@rpp386.cactus.org>
Date: 22 Jan 90 13:27:05 GMT
References: <21772@uflorida.cis.ufl.EDU> <1990Jan14.180821.18711@trigraph.uucp> <139@macuni.mqcc.mq.oz>
Organization: River Parishes Programming, Plano, TX
Lines: 130

In article <139@macuni.mqcc.mq.oz>, ifarqhar@mqccsunc.mqcc.mq.OZ (Ian Farquhar) writes:
> A couple of days ago, Woody posted a message to comp.viruses about the
> worrying possibilities of postscript viruses. His points were that
> these would be easy to write, and to incorporate into eexec blocks for
> downloading to printers. Once there, they could trash a file system,
> and do all sorts of damage.
>
> Well, folks. I cannot speak for anyone else, but if you want an
> intelligent discussion it is far better to keep it OUT of comp.viruses -
> it is a newsgroup whose paranoia and noise level exceeds even the
> *.politics newsgroups. This discussion definitely belongs here.

I quite agree, but decided that the topic would create another flurry of
postings, and more people would gripe about it. I thus posted it to the
virus group rather than the ps group. I have given some thought to the
topic also, and have come up with some further conclusions.

>
> Over a couple of days, I have been investigating the possibility of a
> postscript virus. For the record, I would define a virus as something
> that has the following characteristics:
>

Very good definition of a virus [text deleted]

> 1. It is a program that is able to stay hidden from the user,
> 2. It should be capable of replicating itself so that it can
> 3. It should do SOMETHING. This action may simply announce
> I would define a trojan horse as a program that masquerades as a useful
> program and which - when run - does damage. The PC has had an excellent
> If implementing a virus, it is important that at least the first two
> stages (infection and distribution) are performed. Stage three is
>
> A postscript virus would be very difficult if not impossible to write.
> Let me detail the reasons why.
>
> 1. Postscript has no standardised mechanism for transferring data back
> to its host, and in the rare occasions that a data transfer does
> happen it is usually answers to queries by the host. For a virus
> to actually spread to another printer it would have to either:
>
> (a) Somehow get the modified code back to the host and saved as
> the new font file, or
>
> (b) Be part of an original distribution. In this case it would
> be a trojan rather than a virus.
>
> (c) To exist on the host as a self-modifying program. I can
> see no use whatsoever for self-modifying Postscript.

Or be turned loose in the form of a public domain font, or be spread by
pirating a font. True, it would be difficult to cause it to spread from
machine to machine, but it certainly could infect other fonts on the same
disk, so at least stage 1 and possibly stage 2 could happen. Note (b) above
is correct, but I think that the definition of trojan goes a bit further.
I don't want to carry this group off into viruses, and trojans. Point c is
well taken, though I would say that I can see no use for a virus either,
but self modificati

>
> 2. To really do damage, it would have to access the undocumented
> contents of the internal dictionary, or access the hardware
> of code and intimate knowledge of internal details to do this
> trick. Woody mentioned scrambling the file system, which he
> said is not difficult. This is about all that I can think a
> virus/trojan could do.

I think I'll have to disagree here. You have provisions for reading and
writing a file. You can open files, and close them. The file names and
directory names are documented, ergo, you can trash files without *ANY*
arcane knowledge of the printer.

>
> They are often quite competent
> programmers, but are extremely unprofessional and usually

They have to be, in order to write a virus

> incapable of writing code that would be accepted in a commercial
> environment. It has been speculated that their vandalistic
> desires are actually attempts at gaining self-esteem that they
> lack. They are almost always lacking in resources, most with
> systems barely adequate for the task of writing any application.
> It is MOST UNLIKELY that they would have access to a Postscript
> printer, and also most unlikely that they could adapt their
> programming "styles" to Postscript's device independence.

Again, I'll disagree. With the proliferation of PS printers in general,
both clones, and the Adobe article, almost anyone in a university
environment, or even in a normal environment can access a laser printer
that runs PS. True, disk based printers are not common at this time, but
that certainly will change over time. There was a time when micros didn't
have disk drives, and the same argument here could be applied to them at
the time.

>
> I am losing no sleep over the thought of a Postscript virus (I am losing
> sleep over this posting!) I can see no way for such a program to
> spread, and little possibility of it doing damage once it was installed.
> The only reasonable system that I can envisage is that of a trojan
> supplied from a major manufacturer with one very disgruntled
> ex-employee.

Or a competing font company, or several other potential sources. The
spreading would indeed be difficult, but if font prices stay high, it is
likely that piracy will abound soon in the font world, as it does in the
computer world.

>
> So, Woody. I don't think that this is likely, but it was an interesting
> their thoughts on this matter, I would be most interested to read them.
>
> However, let me say one thing. The majority of net users are sensible
> people who appreciate the dangers of viruses and trojans, but

Fortunately!

> there are two types of readers that may cause trouble.
>
> 1. The user who does not recognise their own limitations and
> who may be tempted to try something stupid ("I wonder
> exactly what this filesystem scrambling program does when
> I run it...." - though if anyone is that stupid then
> perhaps we should let them :-))
>
> 2. The virus writers. They are unlikely, but always bear them
> in mind.
>
> So, be as general as possible, and DON'T POST ANY SOURCES!
>

AMEN!

> So fellow Postscribes, if you get a sample font disk from a Panamanian
> company called PC Cyborg, regard it with great suspicion....
>
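
Added example, not part of the original post or thread: a defender-side check for the two points debated above (code tucked into a font's eexec section, and the documented file operators), which decrypts an eexec section with the constants published in the Adobe Type 1 Font Format and flags file-system operators before a font is sent to a disk-equipped printer. The function names and the sample font are constructed for illustration, and the operator match is a token heuristic, not a PostScript interpreter.

```python
import re

# Operators that touch a printer's file system (PostScript Language Reference Manual).
FILE_OPS = re.compile(rb"(?<![\w/])(deletefile|renamefile|filenameforall|file)(?!\w)")
R0, C1, C2 = 55665, 52845, 22719  # published eexec key and multiplier/increment


def eexec_crypt(data, decrypt):
    """Run the eexec stream cipher over data in either direction."""
    r, out = R0, bytearray()
    for b in data:
        x = b ^ (r >> 8)
        cipher = b if decrypt else x          # the key schedule always uses the cipher byte
        r = ((cipher + r) * C1 + C2) & 0xFFFF
        out.append(x)
    return bytes(out)


def scan_font(ps):
    """Return sorted (section, operator) findings for a PostScript font or job."""
    head, sep, tail = ps.partition(b"eexec")
    sections = [("cleartext", head)]
    if sep:
        body = tail.lstrip()
        # Hex form if the first four cipher bytes are hex digits, else binary form.
        if re.fullmatch(rb"[0-9A-Fa-f]{4}", body[:4]):
            run = re.match(rb"[0-9A-Fa-f\s]+", body).group()
            digits = re.sub(rb"\s", b"", run)
            body = bytes.fromhex(digits[: len(digits) & ~1].decode())
        # The first four plaintext bytes are random padding and are discarded.
        sections.append(("eexec", eexec_crypt(body, decrypt=True)[4:]))
    return sorted({(name, m.group(1).decode())
                   for name, text in sections for m in FILE_OPS.finditer(text)})


# Constructed sample: a font-like job whose encrypted part holds a file-system call.
_hidden = (b"XXXX/FontName /Demo def\n(placeholder-name) deletefile\n"
           b"mark currentfile closefile\n")
SAMPLE = (b"%!PS-AdobeFont-1.0: Demo\n/FontType 1 def\ncurrentfile eexec\n"
          + eexec_crypt(_hidden, decrypt=False).hex().encode() + b"\n")

if __name__ == "__main__":
    for section, op in scan_font(SAMPLE):
        print(f"{section}: uses {op}")
```

The usual font epilogue (`currentfile`, `closefile`) is not flagged, because the pattern only matches the bare operator names.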