VULNERABILITIES MEETING
April 26, 1999
4:00 – 5:00pm
3085 ENG II

In attendance:
Matt Bishop (MB), Tuomas Aura (TA), Keith Herold (KH), Lauren and Charlie

TOPICS

  1. Symbolic Links
  2. Melissa Virus
  3. Dissecting Melissa
  4. How do you stop a virus like Melissa?
  5. Other virus and/or Hoaxes
  6. How do you register software code in practice?


NOTES

  1. Symbolic Links
    1. In progress
  2. Melissa Virus
    1. Question of scale, target
    2. Ethics of allowing virus to be downloadable off the internet.
      1. Three of the largest anti-virus groups have a policy regarding release of virus code
        1. They can't publish any part of a virus or the virus itself
        2. Exchange…
        3. Ostracize people who publish the code.
  3. Dissecting Melissa
    1. Checks to keys in registries
    2. Looks to see if Melissa is already installed
    3. Looks for Microsoft Outlook
    4. Disconnects, installs Melissa key - appears to work only once on system
    5. Infection phase - template and active documents
    6. Infects every open document with a macro
  4. How do you stop a virus like Melissa?
    1. Disable macros
    2. Create sandbox around virus
    3. Password protect macros
    4. Do not allow macros to alter other macros (Karger's scheme) - should work for Word, not for Excel?
      1. TA: Makes it more difficult, but still possible. Must create file from scratch or rename it.
    5. Integrity checking
      1. List of allowed macros
      2. Modify macro with another macro
  5. Other Virus and/or Hoaxes
    1. Other hoaxes
      1. ZDNet hoax - PCs have built-in microphones that are always on. If you are connected to the internet, they could theoretically record what you say.
      2. Similar problems with camera that can't be disconnected.
    2. FrameMaker
      1. Competitor name "Interleaf" changed to "FrameMaker"
    3. Adobe Acrobat 4.0
      1. An anti-virus company claimed there was a virus on the distribution disk - later proved false.
      2. There was a code sequence on the disk that matched a known virus signature (a false positive).
  6. How do you register software code in practice?
    1. Can't install any software
    2. Have a separate production and installation mode (Separation of duty principle)
    3. Work in a controlled environment
    4. Ultimately, you rely on the user to know the machine
      1. Problems with installing software from the browser.
  7. Next Meeting Topics
    1. State of the Vulnerabilities Database
    2. Signatures of Vulnerabilities/Attack Tools
      1. Language to represent signature of attack tools
      2. Look at similarities with CIDF
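The integrity-checking idea under item 4 above (a list of allowed macros, with any macro that has been modified by another macro rejected) can be made concrete with a digest-based allow-list. The following Python is an added example written for these notes; it is not code from the meeting, from Karger's scheme, or from any product. The VBA module text, the module names and the three sample documents are constructed for illustration, and the "document" is represented simply as a mapping from module name to macro source, which is an assumption about how a scanning tool would hand the macros over.

```python
import hashlib

# Constructed sample: the approved macro modules for a document template
# (module name -> VBA source). The VBA text is made up for illustration.
APPROVED_MACROS = {
    "AutoOpen": 'Sub AutoOpen()\n    MsgBox "Welcome"\nEnd Sub\n',
    "FormatReport": 'Sub FormatReport()\n    Selection.Font.Bold = True\nEnd Sub\n',
}


def macro_digest(source: str) -> str:
    """SHA-256 of the macro source after normalising line endings, so a
    CRLF/LF difference alone does not make an approved macro look modified."""
    normalised = source.replace("\r\n", "\n")
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def build_allow_list(approved: dict) -> dict:
    """One-time step: the allow-list stores only digests, keyed by module name,
    so the checker never needs the approved source itself."""
    return {name: macro_digest(src) for name, src in approved.items()}


def check_document_macros(modules: dict, allow_list: dict):
    """Return (accepted, rejected) for the macros found in a document.

    A macro is accepted only if a module of that name is on the allow-list
    AND its digest matches the approved version. A macro that another macro
    has rewritten changes its digest and is rejected; a macro the template
    never had is rejected because it is not on the list at all.
    """
    accepted, rejected = [], {}
    for name, src in modules.items():
        expected = allow_list.get(name)
        if expected is None:
            rejected[name] = "not on allow-list"
        elif macro_digest(src) != expected:
            rejected[name] = "content differs from approved version"
        else:
            accepted.append(name)
    return accepted, rejected


ALLOW_LIST = build_allow_list(APPROVED_MACROS)

# Constructed test documents (assumed shape: module name -> source).
CLEAN_DOC = dict(APPROVED_MACROS)

# Same module names, but AutoOpen has had a line appended by some other macro.
TAMPERED_DOC = {
    "AutoOpen": APPROVED_MACROS["AutoOpen"].replace(
        "End Sub", '    Call NewModule\nEnd Sub'),
    "FormatReport": APPROVED_MACROS["FormatReport"],
}

# Approved modules plus one the template never contained.
EXTRA_DOC = dict(APPROVED_MACROS, NewModule="Sub NewModule()\nEnd Sub\n")


def summarise(label: str, modules: dict) -> str:
    """Human-readable one-line verdict, used by the stand-alone run below."""
    accepted, rejected = check_document_macros(modules, ALLOW_LIST)
    verdict = "OK" if not rejected else "REJECT"
    return f"{label}: {verdict} accepted={accepted} rejected={rejected}"


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOC),
                       ("tampered", TAMPERED_DOC),
                       ("extra", EXTRA_DOC)):
        print(summarise(label, doc))
```

The point the check makes is the one raised under item 4.5: a macro that modifies another macro cannot leave the modified one looking approved, because approval is bound to the content, not to the module name. The weak spot, also raised in the discussion, is that the allow-list itself has to live somewhere the macros cannot write.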