Path: utzoo!utgpu!jarvis.csri.toronto.edu!cs.utexas.edu!wuarchive!udel!princeton!phoenix!phoenix.princeton.edu!ron
From: ron@clarity.Princeton.EDU (Ronald Beekelaar)
Newsgroups: comp.lang.postscript
Subject: Re: Postscript Viruses
Message-ID:
Date: 23 Jan 90 01:25:06 GMT
References: <21772@uflorida.cis.ufl.EDU> <1990Jan14.180821.18711@trigraph.uucp> <1990Jan16.154513.10892@intercon.com> <17677@rpp386.cactus.org> <51011@bbn.COM> <137@macuni.mqcc.mq.oz> <139@macuni.mqcc.mq.oz>
Sender: news@phoenix.Princeton.EDU
Organization: Cognitive Science Lab. Princeton University.
Lines: 73
In-reply-to: ifarqhar@mqccsunc.mqcc.mq.OZ's message of 21 Jan 90 11:30:24 GMT

The discussion about viruses reminds me of 'an accident' that happened three years ago.

I was studying at a university in The Netherlands, when I got interested in PostScript. Back in those days, at least in the Netherlands, any knowledge about PostScript was rare, and I even had to get the red and the blue PS book, from England. The university had just recently bought an awful lot of new LaserWriters to replace existing older printers, so I knew it was worth it, to learn PostScript.

One of the things I wrote was a new printerdriver for MS-Word, with the ability of printing gray, outlined etc. About 5 people used this new printerdriver and everything worked fine.

During a long PS hack at night, together with a friend, we decided to have some fun and change the printerdriver a little bit. The printerdriver contained code that defined the IBM linedraw character set in a somewhat crypted way. This was done to save transmission time to the printer when the driver was loaded. Since this was already encrypted and hence very hard to read and figure out what was going on, we decided to add some extra functionality to this encrypted part.

Once the newly created 'trojan-driver' was loaded it would work perfectly fine, except that every 598th page would be printed like it had been mirrored (scale -1 1). When we tested it with a mirror-rate of every 3rd page, it worked really nice and you can understand our excitement (sorry).

The 5 people that had been using the printerdriver all used the same PC, that was connected to the same LaserWriter. We decided to fool them and replace the printerdriver on the hard-disk of the PC, with the 'trojan-driver'. Nothing really happened after that, at least I didn't hear any of them complain about mirrored pages. Christmas break came one week later and I went home for a couple of weeks...

When I came back, the CS department of the university had connected all the new LaserWriters to PC's in all the offices. Suddenly everybody was able to use those new printers and they did. The 'trojan-driver' had been copied off the PC in the printer-room and virtually everybody was using it. Without complaints!!

Meanwhile the printerdriver worked great, well actually, it worked too well, because every 598th page was still mirrored. Nobody complained about this, because you would expect the new printers to make some mistakes every now and then and once you printed the 'trojan' page again, it would come out fine. Almost nobody had gotten two mirrored pages in say 4 months. And just believe me, I hadn't even thought about that late-night hack anymore. The driver worked fine for me too.

After four months, troubles began. On several occasions, people had printed the final version of a report, looked over it, it looked fine and they had printed this one more final-final version, put it in a plastic cover and off to the reproduction service to make it into xx copies, nicely bound.

The first time I ran into lecture-notes, which had a mirror page, I knew what had happened and immediately told the CS department. They said they had received various complaints about the mirror business from all over the university, but didn't know what it was. (Most people didn't even realize that a printer could be told to do this, so it must be a mistake of the hardware, they said...)

Very soon after this the 'trojan' driver was replaced by a new driver, with more features, but excluding the mirror code. Everybody had a copy of the 'trojan' version though, and still every now and then mirrored pages show up.

-----

Of course this is in no way a virus, as defined in a previous article, but it got me scared.

ron

--
------ ron ------