Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: kelly@uts.amdahl.com (Kelly Goen)
Newsgroups: comp.virus
Subject: Re: Virus Trends (and FAXes on PCs)
Message-ID: <0009.9001081228.AA09399@ge.sei.cmu.edu>
Date: 5 Jan 90 20:07:02 GMT
Sender: Virus Discussion List
Lines: 49
Approved: krvw@sei.cmu.edu

ras@rayssdb.ssd.ray.com (Ralph A. Shaw) writes:
>Nagle@cup.portal.com says:
>
>> - A FAX message is a bitstream interpreted by an interpreter at
>> the receiving end. Could it be induced to do something interesting
>> through the use of illegal bit patterns? Group III is probably too
>> simple to be attacked, but group IV? Imagine a message which
>> causes a FAX machine to send an extra copy of transmitted documents
>> to another location.
>
>Something that has come to the attention of security paranoids here
>lately is that some manufacturers of PC FAX boards have added a
>feature that allows the FAX modem to be used as a bisync modem to
>communicate with the PC directly, rather than transmitting just FAXes.
>
>I assume the PC would have to be running some software to enable it
>and reassign the console (requiring local intervention), but a
>networked PC could then prove to be a leak onto the corporate network
>(or at least, for handy distribution of the Trojan-of-the-month program).
>Added to this is the promise that at least one FAXboard vendor
>promises that both async and bisync modem capability will be available
>in the future.

I would have clipped more of this, but this is a complex subject that merits serious consideration, unlike the infamous modem virus scare of 1988.

Actually, while a receiving process has to be available on the machine to be infected (i.e. either the legitimate file transfer program or a masquerading process using this as a means to load further extensions of itself), the important point to remember here is that the G-3 and G-4 fax formats are, from what some of the techs on alt.fax have told me, internally modified dialects of HDLC. So in this case it is possible that a sufficiently sophisticated infectious process could use this as a pipeline to load further updates to its code (i.e. new ways to defeat anti-viral nostrums). I will post ISBN numbers for the protocol definitions when they finally arrive. As to whether this is a probable scenario... who knows.

cheers
kelly

P.S. As I don't want to cause anyone unnecessary worry, let me remind all once again that a receiving process HAS to be on the receiving machine; if it is not the legitimate file XFER program then it is illegitimate in any case. The point I am trying to clarify is that while an infectious process could use this as a conduit to an ALREADY EXISTING infected host, unless there is a way to force execution of the received code, your virus will lie dormant (i.e. non-executable) because of some fax-type file extension on MS-DOS, typically something like .FAX, .PIC, .PCX, etc. Get the picture??? On *nix type systems the problems faced by the theoretical COMPUTER/FAX-MODEM infectious process are simpler in some ways, but require even more cooperation from receiving processes.
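The thread's recurring point is that a fax link is a bitstream handed to an interpreter on the receiving side, and that the HDLC-style framing underneath it is where "illegal bit patterns" would have to be caught. The Python below is an added example written for this page, not code from the thread, from alt.fax, or from any fax board vendor: it is a small defensive HDLC deframer that does zero-bit unstuffing, rejects abort sequences and non-flag runs of ones, checks byte alignment and minimum length, and verifies the CRC-16/X-25 frame check sequence before anything in the frame is handed upward. It assumes generic HDLC framing (0x7E flag, stuffing after five 1s, FCS sent low byte first) rather than the T.30/T.4 specifics the post is waiting on the ISBNs for, and it omits the address and control fields, so a frame here is just payload plus FCS. All function names and bit streams are constructed for the demonstration.

```python
"""
Defensive HDLC-style deframer (added example; not from the comp.virus thread
or any fax product).  Assumes generic HDLC: flag 0x7E, zero-bit stuffing,
CRC-16/X-25 FCS transmitted low byte first, no address/control fields.
"""
from typing import List, Tuple

FLAG = "01111110"        # flag byte 0x7E as sent on the wire (LSB first)
MIN_FRAME_BYTES = 3      # at least one payload byte plus the 2-byte FCS

# ("ok", payload: bytes) or ("reject", reason: str)
Result = Tuple[str, object]


def crc16_x25(data: bytes) -> int:
    """CRC-16/X-25, the HDLC FCS: poly 0x1021 (reflected 0x8408), init/xorout 0xFFFF."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def bytes_to_bits_lsb_first(data: bytes) -> str:
    return "".join(format(b, "08b")[::-1] for b in data)


def bits_lsb_first_to_bytes(bits: str) -> bytes:
    return bytes(int(bits[i:i + 8][::-1], 2) for i in range(0, len(bits), 8))


def stuff(bits: str) -> str:
    """Sender side: insert a 0 after every run of five 1s so data can never look like a flag."""
    out, ones = [], 0
    for bit in bits:
        out.append(bit)
        ones = ones + 1 if bit == "1" else 0
        if ones == 5:
            out.append("0")
            ones = 0
    return "".join(out)


def build_frame(payload: bytes) -> str:
    """Sender side, used only to construct test input: payload + FCS, stuffed, between flags."""
    fcs = crc16_x25(payload)
    body = payload + bytes([fcs & 0xFF, fcs >> 8])   # FCS low byte first, as on the wire
    return FLAG + stuff(bytes_to_bits_lsb_first(body)) + FLAG


def unstuff(bits: str):
    """Drop the stuffed 0 after each run of five 1s; None if six 1s appear (illegal in a frame)."""
    out, ones, i = [], 0, 0
    while i < len(bits):
        bit = bits[i]
        if ones == 5:
            if bit == "1":
                return None
            ones, i = 0, i + 1          # this 0 was stuffing, not data
            continue
        out.append(bit)
        ones = ones + 1 if bit == "1" else 0
        i += 1
    return "".join(out)


def check_body(raw: str) -> Result:
    """Validate the raw bits found between two flags; every failure is a rejection, never a guess."""
    if "1111111" in raw:
        return ("reject", "abort sequence (seven 1s) inside frame")
    bits = unstuff(raw)
    if bits is None:
        return ("reject", "illegal bit pattern: six consecutive 1s")
    if len(bits) % 8:
        return ("reject", "frame not byte aligned")
    body = bits_lsb_first_to_bytes(bits)
    if len(body) < MIN_FRAME_BYTES:
        return ("reject", "frame too short")
    payload, fcs = body[:-2], body[-2] | (body[-1] << 8)
    if crc16_x25(payload) != fcs:
        return ("reject", "FCS mismatch")
    return ("ok", payload)


def deframe(stream: str) -> List[Result]:
    """Receiver side: hunt for flags, validate each region between them, report every outcome."""
    results: List[Result] = []
    raw: List[str] = []
    synced = False                      # bits before the first flag are line noise
    for bit in stream:
        raw.append(bit)
        if "".join(raw[-8:]) == FLAG:
            body = "".join(raw[:-8])
            if synced and body:         # back-to-back flags carry no frame
                results.append(check_body(body))
            raw, synced = [], True
    return results


if __name__ == "__main__":
    # Constructed payload: 0xFF exercises stuffing, 0x7E looks like a flag but must survive.
    sample = b"\xff\x7e\xfaHELLO"
    for outcome in deframe("0101" + build_frame(sample) + FLAG + "1111111" + FLAG):
        print(outcome)
```

The receiver never acts on a region it cannot fully validate; a corrupted or deliberately malformed region produces a labelled rejection that a caller can log, which is the behaviour a defender wants from any interpreter sitting at the end of a modem line. The check value `crc16_x25(b"123456789") == 0x906E` is the published one for CRC-16/X-25 and makes a quick self-test.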