[1] From: "James K. Tauber" <jtauber@tartarus.uwa.edu.au> (161)
Subject: Virus is a Hoax
[2] From: Andrew Burday <andy@dep.philo.mcgill.ca> (83)
Subject: Re: 9.350 Internet virus
[The following two messages are only the first two of many helpful notes
I received, all instructing me that Good Times IS A HOAX! One person
castigated me for perpetuating the hoax. Our local UNIX expert here
simply didn't answer my message in which I asked him about Good Times, so
great must have been his impatience with me for asking such a silly
question. So, we are now all charged to stamp out this rumour. Perhaps,
as one person pointed out, it is the ultimate virus, though someone who
had just been infected with the hard-disk-destroying kind might not
agree. --WM]
--[1]------------------------------------------------------------------
Date: Mon, 4 Dec 1995 01:42:36 +0800 (WST)
From: "James K. Tauber" <jtauber@tartarus.uwa.edu.au>
Subject: Virus is a Hoax
> PCERT Advisory
> (Purdue Computer Emergency Response Team, <pcert@cs.purdue.edu>)
> "Good Times" Virus Hoax Circulating Again
> April 24, 1995
>
> Summary
> --------
> The "Good Times" virus warnings are a hoax. People are circulating the
> warnings without verifying the information contained therein, thus
> leading to unnecessary worry and concern. Please do not circulate the
> "Good Times" warnings further. Please send this advisory on to anyone
> who has mailed you such an advisory.
>
> In this advisory:
> Summary
> Background
> More Recently
> What you can do
> Additional Discussion
> More Information
> Contact information for FIRST
>
> Background
> -----------
> In early December 1994, a mail message was circulated in several mailing
> lists and bulletin boards warning of a "Good Times" virus. This "virus"
> was allegedly being circulated in e-mail on bulletin boards and several
> commercial services. The report stated that simply reading the message
> in a mail reader would cause it to activate, causing various forms of
> damage. Some versions of the message cite the FCC and/or America
> On-Line as authoritative sources of warnings about "Good Times." A
> related "virus" is sometimes also reported, alleged to have the string
> "xxx-1" (or similar) in the subject.
>
> Several of the FIRST teams, including the Department of Energy's CIAC
> and Purdue's PCERT, responded by posting advisories stating that this
> report appeared to be a hoax. Actually, the hoax posting was allegedly
> traced to a student at a college in the northeast U.S. who had made the
> whole thing up as a prank that got somewhat out of hand. In the time
> since that first posting, none of the response teams has reported any
> credible sighting of such a virus. (It is possible, in some very
> specialized, very rare circumstances, that e-mail might contain a
> destructive sequence or characters, but this is highly unlikely, and NOT
> the case in this instance. Some further details are given in the
> "additional discussion" below. We repeat, this is NOT the case in
> regards to "Good Times.")
>
> More Recently
> --------------
> In the past few weeks, we have received e-mail and phone calls from a
> number of people who have seen new instances of "warnings" about the
> "virus." It seems that many people did not see the original series of
> postings, or forgot the earlier advisories. It is also an unfortunate
> reality that many people will forward on warnings, even if of
> questionable technical merit, without making an attempt to verify them
> with an authoritative source. This leads to worry and further copies
> as the warnings spread.
>
> Please DO NOT repost warnings or reports of the "Good Times" virus! It
> is important that we try to stop the spread of the false and potentially
> damaging warning about "Good Times." It is in the same class of rumors
> and out-dated information as other urban legends such as the "Craig
> Shergold" (requests to send postcards/business cards to a dying boy)
> rumor. These stories continue to keep appearing and disturbing people as
> time goes on.
>
> What you can do
> ----------------
> * If you have received a warning about "Good Times" then send this
> advisory to everyone you know who received that warning. To ensure
> that it is read, DO NOT put the phrase "Good Times" in the subject
> line. We suspect that some people never saw the original advisories
> because they set their mailers to automatically delete mail with those
> words in the subject line.
>
> * Save this advisory. If you receive a warning about "Good Times"
> anytime in the future, simply send a copy of this advisory back to
> whomever it is who sends you the warning.
>
> * If you ever get a warning like this, or similarly get a warning or
> notice of some widespread problem with computers, VERIFY it with
> credible sources before passing it on. Rumors, especially when spread
> by well-meaning individuals, can cause significant panic and damage.
> FIRST response teams (FIRST == Forum of Incident Response and Security
> Teams) will be more than willing to respond with definitive information
> to a query on these topics; it is one of their missions. We are
> enclosing a copy of the list in this advisory, current as of April 24,
> 1995.
>
> * We also note the possibility that someone is using this as a
> precursor to a real attack. That is, someone is repeatedly circulating
> the "Good Times" rumor to condition people to believing there is no
> danger, and will then circulate some damaging code under that name. To
> that end, if you ever get any mail labelled "Good Times" that is in some
> way executable (i.e., is a program or command file), DO NOT run it!
> Instead, contact your appropriate FIRST team for assistance and
> analysis. Again, we stress that we view this possibility as very, very
> unlikely.
>
> Additional Discussion
> ----------------------
> Informally, a computer virus is code that, when executed, causes some
> action to occur, including some form of reproduction of the virus. In
> a similar manner, a "Trojan Horse" program is code that when executed
> has some unexpected (and usually unwanted effect). What is important
> to note here is that the virus and trojan horse code must be
> *executed* in some way to have an effect. That is, it must be run as a
> program, or passed as instructions to some interpreter program.
>
> When e-mail arrives at a system and is read by the user, it is seldom
> "executed" by anything that could damage the system, let alone
> reproduce the code itself. There are only two general exceptions to
> this for systems in wide-spread use, to our knowledge:
>
> 1) On a MS-DOS PC-based system with an ANSI.SYS driver, it is possible
> that a carefully-crafted control code sequence could execute some
> unwanted actions. This would only work if the mail was displayed in
> text mode (not in a window or specialized application). However, there
> are three good reasons to believe that this would never act to spread a
> virus:
> * First, the necessary control characters would be unlikely to pass
> through various mail gateways and forwarders without modification.
> Any change would render the sequence inoperable.
> * To spread effectively, the code would need to be written such that
> it would use pathnames and code present on almost every machine
> where received, including ANSI.SYS MS-DOS machines are seldom so
> predictable!
> * Any such change would only map one or more keys to a damaging
> command; the user would have to press a certain key (or sequence)
> to actually trigger the damage. This involves more than simply
> reading a mail message!
>
> 2) On systems using MIME-capable mailers (or similar), it is possible
> that a message could be crafted that would trigger an external agent on
> the receiving machine to do harm. For example, it might be possible
> to embed commands in a PostScript file that would cause a PostScript
> interpreter to modify files. For this to succeed, it requires that
> users automatically execute those applications upon receipt of
> appropriate mail, and that those applications have enabled operations
> that might unduly affect the system. Again, this does not seem to be a
> viable way to spread a virus.
>
> Note that we are not claiming that a harmful agent cannot be distributed
> in mail. To the contrary, the "Good Times" message *is* damaging -- as a
> rumor! It is also possible to circulate code that, if executed by an
> unwary user, could cause damage. However, the possibility is effectively
> nil of a virus being constructed that will circulate via e-mail, affect
> any of several dozens of operating systems when run through any of
> scores of different mail agents, and launch by being listed to the
> screen.
>
> More Information
> -----------------
> Further discussion of this rumor may be found in the following CIAC
> Notes, available via WWW:
> http://ciac.llnl.gov/ciac/notes/Notes04c.shtml
> http://ciac.llnl.gov/ciac/notes/Notes05d.shtml
> http://ciac.llnl.gov/ciac/notes/Notes09.shtml
> or via ftp:
> ftp://ciac.llnl.gov/pub/ciac/notes/notes04c.txt
> ftp://ciac.llnl.gov/pub/ciac/notes/notes05d.txt
> ftp://ciac.llnl.gov/pub/ciac/notes/notes09.txt
--[2]------------------------------------------------------------------
Date: Sun, 3 Dec 1995 14:09:15 -0500 (EST)
From: Andrew Burday <andy@dep.philo.mcgill.ca>
Subject: Re: 9.350 Internet virus
The "Good Times" virus is a hoax. See
ftp://usit.net/pub/lesjones/good-times-virus-hoax-faq.txt
for details. You might also want to have a look at
http://www.cathouse.org/UrbanLegends
which includes an htmlized version of the FAQ for the newgroup
alt.folklore.urban. Some of the material is quite amusing. The FAQ
mentions the Good Times hoax, among many other topics.
As for the general question, the crucial thing about a virus (or trojan
horse or worm -- I'm not going to worry about these distinctions for
present purposes) is that it has to get itself executed. It's not good
enough for it to get itself loaded into memory as data. One of the
crucial functions of an operating system is to keep track of which areas
of memory contain code and which contain data. An OS that can't do that
reliably won't even get to the point where anyone writes viruses for it.
It is sometimes said, on that basis, that it is flatly impossible to use
email to distribute a virus -- at least in the sense of distributing a
virus that will be executed without the user's voluntarily executing it.
I'm not perfectly certain that's true, but email is certainly at worst a
very improbable source of viruses.
The rest of this note is more or less speculative -- I'm a philosopher,
not a software engineer. I'd be happy to be corrected on some of the
issues, especially on the question of how uudecode works. On the other
hand, if you don't understand what follows, then for your purposes it's
impossible to get a virus by reading email. I don't want users who know
even less than I do to be misled into accepting legends as truth by my
semi-informed speculation.
If you really know what you're doing, you can sometimes force information
that should have been treated as data to be treated as code. This sort of
maneuver was the basis of one of the holes exploited by the 1988 Internet
worm and was also the basis of the security hole in versions of ncsa httpd
prior to 1.4. However, I have never heard of its being used against any
kind of program except an Internet service daemon, and I doubt very much
that it could be used against ordinary email user agents.
Also, as scripting languages get more tightly integrated into ordinary
programs, the line between data and code gets fuzzier, at least from the
ordinary user's point of view. A recent case is the use of Word Basic to
execute a virus which was distributed as a Microsoft Word template.
Again, though, I don't know of any email program with such a tightly
integrated scripting language; and I can't imagine anyone writing an
email program which allowed scripts to be executed without the user's
awareness, for just this reason.
I have heard it claimed that some encoding/decoding programs, such as
uudecode, are actually command interpreters which could be exploited by
virus writers. I don't know if that's true, but if it is it could be a
problem for people who send and receive binary files by Internet email.
Some email programs will start decoders without consulting the user, and
that could be a problem if what's being "decoded" is actually a program
that could do harm. Again, I've never heard of this being used for any
nastiness and I'm not even sure it's possible. (Anyone know for sure?
Again, I'm talking about tar, compress, uudecode, and so on, *not*
self-extracting shell archives.)
Apparently postscript, which is an interpreted programming language, can
be exploited this way. If you have a Postscript interpreter running on
your machine (e.g. you use NextStep or Solaris or Ghostscript/GSView),
this is something to be aware of. Merely having a postscript printer,
however, is not a problem. And no email program includes a PS
interpreter.
It will be interesting to see what happens with the Java WWW scripting
language in this regard. Java is a language which lets WWW providers
write scripts that your browser will download and automatically execute.
It's used to include animation and other effects in web pages. Java was
developed by Sun and is, I think, going to be built into a future version
of Netscape. Sun claims that Java cannot be used maliciously. I sure do
hope so. I also wonder about the possibilities for crummy programmers to
just make a mess with it, without malicious intent. But this has nothing
to do with email.
So if you want to be rather paranoid, you can refuse to accept encoded
binary files in email unless they come from someone you know and trust.
Who knows: perhaps some day you'll be happy you did, although in the end
you're more likely to have caused a nuisance for yourself and others for
nothing. But other than that, it's all but impossible to see how someone
could distribute a virus by Internet email.
Of course, if someone sends you a piece of software by encoded email, and
you decode and *voluntarily* execute it, all bets are off! But the point
is that it would be all but impossible (perhaps genuinely impossible) to
write a virus that can infect your system simply by being read.
Best,
Andrew Burday
********************************************************************
Long is the path, and hard is the good; but at least we don't take
wooden nickles. Jerry Fodor.
--------------------------------------------------------------------
andy@philo.mcgill.ca http://www.philo.mcgill.ca/
********************************************************************