Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: vancleef@iastate.edu (Van Cleef Henry H)
Newsgroups: comp.virus
Subject: Unix viruses and damaging programs (UNIX)
Message-ID: <0003.9104051408.AA00913@ubu.cert.sei.cmu.edu>
Date: 3 Apr 91 21:10:57 GMT
Sender: Virus Discussion List
Lines: 45
Approved: krvw@sei.cmu.edu

I have been asked to consider the possibility of virus, trojan horse, etc. attacks on a distributed Unix fileserver system. My role with Iowa State is as a consultant--Unix is new here, and the system we are building, known as "Vincent," while not new in concept, is new in many details of its implementation. My credentials may be verified with Dr. George Strawn, director, and George Covert, associate director, of the Iowa State Computation Center.

My study begins with some assumptions, which I should state here.

a. That MS-Dos viruses (is this an all-encompassing term for things that tamper with and destroy the OS and programs?) have conceptual parallels in the Unix o/s, i.e. the kernel is equivalent to COMMAND.COM, the file system superblock is equivalent to the FAT, etc.

b. That all "security" to read and write as a superuser has already been breached and that this breach has gone undetected.

c. That one workstation with a bootable hard disk is accessible to the individual planning to damage the system.

d. That the individual is sufficiently sophisticated to avoid leaving obvious clues (file sizes, dates, etc.).

e. We should consider that the individual may have access to the o/s source code.

I am particularly interested in comments about:

a. Known attacks on Unix o/s involving tampering with the o/s kernel and commands.

b. Methods for checking integrity of these.

c. Methods for damage control to prevent propagation throughout the net.

The purpose in making this post is to establish contact with others working with similar issues.

Iowa State is not presently prepared to quarantine or work with actual "virus" code. Our concern is to plan for dealing with attacks of this nature when, as, and if they appear.

(Since they are not in my signature file)
Henry van Cleef
219 Durham Center, Iowa State Univ.
515-294-2903 (voice)
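An added example, not part of the original post, illustrating why assumption (d) rules out size-and-date checks for integrity question (b): a baseline of content digests still catches a same-size edit whose modification time has been restored. The file names and contents are constructed for the demonstration; under assumption (b) the baseline itself would have to be kept off the compromised host or on read-only media.

```python
import hashlib
import os
import tempfile

BLOCK = 1 << 16


def file_digest(path):
    """SHA-256 of the file contents, read in blocks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record size, mtime and content digest for each path (store this off-host)."""
    base = {}
    for p in paths:
        st = os.stat(p)
        base[p] = {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": file_digest(p)}
    return base


def verify(baseline):
    """Compare the live files against the baseline, metadata and content separately."""
    findings = {}
    for p, rec in baseline.items():
        st = os.stat(p)
        findings[p] = {
            "metadata_changed": st.st_size != rec["size"] or int(st.st_mtime) != rec["mtime"],
            "content_changed": file_digest(p) != rec["sha256"],
        }
    return findings


def demo():
    # Constructed scenario: a stand-in for a system command, then a same-length
    # edit with the original modification time put back (the "no obvious clues" case).
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "ls")
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho original\n")
        base = build_baseline([p])
        st = os.stat(p)
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho tampered\n")  # same byte length
        os.utime(p, (st.st_atime, st.st_mtime))      # restore the date
        return verify(base)[p]
```

Running `demo()` reports `metadata_changed` as False and `content_changed` as True: only the digest exposes the tampered file.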