Path: utzoo!attcan!uunet!cs.utexas.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: gary@sci34hub.sci.com (Gary Heston)
Newsgroups: comp.virus
Subject: Re: File tranfser of software--A way to curb commercial infections?
Message-ID: <0003.9006011949.AA14516@ubu.cert.sei.cmu.edu>
Date: 31 May 90 16:32:14 GMT
Sender: Virus Discussion List
Lines: 78
Approved: krvw@sei.cmu.edu

ctycal!ingoldsb@uunet.UU.NET (Terry Ingoldsby) writes:

> I've always felt that networks are less likely to transmit viruses
> than floppy disks because it is more likely that the culprit will be
> caught. I grant that games can be played with the signatures, etc.,
> but chances are that some sort of log files are kept by the system
> administrators about what came in, and when. Although difficult, in a
> crisis there is at least some hope that the dissemination path used by
> the virus can be discovered. Although not foolproof, this should act
> as somewhat of a deterrent to virus writers.

Due to a company policy (which I disagree with), I am not able to discuss any infections which may or may not have occurred here. Consequently, if I have any real examples, I can't cite them.

Networks can propagate a virus thru several avenues, particularly if the netadmin is inexperienced and hasn't quite got file protections for network executables set correctly. If user Fred logs in to a network, works a while, and runs an infected game during lunch without rebooting (whether from a local hard drive or floppy), the virus will try to infect the next program executed via the net. If user Barney, who carefully logs off during lunch, logs back in and runs the infected program, it will try to infect Barney's local drives as well (it should have already gotten established on Fred's). Now, we have a logfile that shows Fred, Barney, and 30 other users ran this particular piece of software, at various times during the day, and probably more than once. What points to the infection source?
If there are any publicly writable areas where users can put executables, there is an even larger gaping hole an infection can enter thru. (Users like to have these types of areas.) This can be controlled somewhat by the netadmin getting the setup correct; however, this is a somewhat optimistic hope in view of the complexity of network software and the limited training new admins get (I'm trying to learn Novell right now; the company decided nobody needs to go to seminars for anything). It's difficult to track down a security hole when the boss is asking hourly "Why isn't the network up yet?".

The possibility of installing infected shrink-wrap software is also a big hazard now; people who thought they were safe by prohibiting public domain or shareware aren't.

I think the biggest thing that can and must be done is education. Admins need it, users need it, and managers need it. Training users to check software before they run it, scan their drive periodically, and recognize early signs of infection is necessary. Training admins to check EVERY piece of software prior to installation, no matter how many layers of plastic it was (or wasn't) wrapped in, along with safe setups. Teaching management that this really is necessary, not just a waste of resources, and you really do need that many tapes for backups. Etc.

> Floppy disks are almost untraceable since they carry *no* copy history,
> *no* history of what machines they visited and almost no means of
> identifying the offender.

True. However, the person holding it can explain why they were running the software without checking it....

> Terry Ingoldsby                  ctycal!ingoldsb@calgary.UUCP
> Land Information Services                        or
> The City of Calgary       ...{alberta,ubc-cs,utai}!calgary!ctycal!ingoldsb

Incidentally, the stated reason for the do-not-discuss policy was to prevent stock price manipulation. I still disagree; I don't think an infection report would affect a stock price more than a few cents, if at all.
I didn't win the argument, though.

- --
Gary Heston     { uunet!sci34hub!gary  }     System Mismanager
SCI Technology, Inc.  OEM Products Department  (i.e., computers)
"I think, therefore, !PANIC! illegal protected mode access attempt
Memory fault: core dumped