DataMuseum.dk Presents historical artifacts from the history of: DKUUG/EUUG Conference tapes
Length: 4613 (0x1205) Types: TextFile Notes: Uncompressed file
└─⟦4f9d7c866⟧ Bits:30007245 EUUGD6: Sikkerheds distributionen └─⟦2e82dae65⟧ »./misc/psvirus.txt.Z« └─⟦this⟧
From macuni!metro!munnari.oz.au!samsung!usc!elroy.jpl.nasa.gov!ncar!midway!msuinfo!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw Fri Oct 26 09:09:14 EST 1990
Article: 1671 of comp.virus
Path: macuni!metro!munnari.oz.au!samsung!usc!elroy.jpl.nasa.gov!ncar!midway!msuinfo!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: woody@chinacat.Unicom.COM (Woody Baker @ Eagle Signal)
Newsgroups: comp.virus
Subject: Re: Alleged PostScript virus
Message-ID: <0001.9010171920.AA12825@ubu.cert.sei.cmu.edu>
Date: 15 Oct 90 03:21:54 GMT
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
Lines: 79
Approved: krvw@sei.cmu.edu
Status: OR

bals@hyster.enet.dec.com (Fred Bals) writes:
> Recently both MacWorld and MacUser magazines have had short articles
> about a PostScript printer virus which apparently is a Trojan Horse
> hidden within some public domain clip art. According to the articles,
> the virus, when down-loaded into a PostScript printer, resets a chip
> password and renders the printer unusable.

Certain programs that depend on knowing the password won't run, but the
machine is not unusable.

> I took these articles with some grains of salt, since the phrases,
> "alleged," "supposedly," "appears to," are liberally used throughout
> both of them. Plus, I've not seen any comments from this group about

I think that indirectly I am responsible for this one. Many months ago,
I posted a message dealing with the possibilities of fonts, PS programs
etc. etc. that could be destructive. What I basically said, was that it
was quite possible for a font (since it is a program) or any other PS
program to do nasty things, like delete fonts from a hard disk (if your
printer supports a hard disk), reset the password on the printer, etc.
etc. I still know of no instance where any of this has ACTUALLY
happened, tho I have had several people contact me, and ask for help
resurrecting their lasers.

I posted a routine a couple of months ago on this group that would
enable the reading of the password, regardless of what it was, so that
it could be reset. For a long time, I have offered a routine to people
who requested it on department letterhead (official stationery) that
allows the alteration of ANY byte in the EEPROM. It has the potential
to do a lot of damage. Eventually, someone over in UK pointed out that
all one really had to do was to read the actual password, and then they
could reset it correctly. He published a bit of code, and subsequently
I modified my routines so that they return a map of the EEPROM (a dump)
and return the current password. You can then change it using the
normal PostScript operators. Ken was reluctant to publish the stuff (it
was a CEXEC routine) because it was a binary, but made the exception
one time. I believe it should be available in the digests. I am not
going to post it again to this group out of respect to Ken's opinions.
Since it went out once, it is in the archives. It has been posted in
the PostScript group as well.

Once again, while it is quite possible that some clip-art or font could
be booby trapped with the machine language routine that allows
unlimited writing to the EEPROM, and thus could reset the printer
password etc. etc., I have not really had any verification of it
actually happening. I do know of one individual that did some
experimentation in a controlled environment, and reported that indeed
it could be done. (This was in a private email message.) This
particular individual is above reproach, and certainly hasn't allowed
what he did, out of his hands. At any rate it was not a
self-replicating thing, just a simple trojan, to determine if the
threat was real.

He subsequently sent me a nifty "vaccine" for the problem, that Glenn
Reid subsequently made a minor and useful modification to. In
PostScript you can re-define the operators. The "vaccine" simply
redefines the setpassword operator to do nothing.

This won't stop the machine language routine, but is rather effective
for preventing casual changes to the password. The default password is
0, as is widely known, and if it is known, then it can be changed. If
not, it cannot be changed through normal PostScript commands. Here is a
simple "vaccine":

    /setpassword {
        /Helvetica findfont 20 scalefont setfont   % select a 20-point font
        100 100 moveto
        (Someone is trying to reset your password) show
        pop pop     % remove the two setpassword parameters
        showpage
    } bind def

Cheers
Woody

> Mail addresses:
>
> bals@hyster.dec.com   bals@hyster.enet.dec.com
> UUCP: ...!decwrl!hyster.enet.dec.com!bals
> ARPA: bals%hyster.DEC@DECWRL.DEC.COM
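
A pre-print check in the spirit of the post, as an added example that is not part of the original article: it tokenizes a PostScript file, skips comments, and reports where the operators the post names appear as executable names, as /literal names (the vaccine's redefinition, or a lookup), or inside strings. The watch list, the function names and the sample inputs are assumptions constructed for illustration.

```python
import re

# Watch list is an assumption of this example: setpassword and cexec are the
# operators named in the post; exitserver is a standard Level 1 operator.
WATCHED = {"setpassword", "cexec", "exitserver"}
DELIMS = "()<>[]{}/%"

def tokens(ps):
    """Yield (kind, text, line) for names, /literals and (strings); skip comments."""
    i, line, n = 0, 1, len(ps)
    while i < n:
        c = ps[i]
        if c == "%":                          # comment runs to end of line
            while i < n and ps[i] != "\n":
                i += 1
        elif c == "(":                        # strings nest; backslash escapes
            depth, j = 1, i + 1
            while j < n and depth:
                if ps[j] == "\\":
                    j += 1
                elif ps[j] in "()":
                    depth += 1 if ps[j] == "(" else -1
                j += 1
            yield "string", ps[i + 1:j - 1], line
            line += ps.count("\n", i, j)
            i = j
        elif c == "/" or not (c.isspace() or c in DELIMS):
            j = i + 1
            while j < n and not (ps[j].isspace() or ps[j] in DELIMS):
                j += 1
            yield ("literal" if c == "/" else "name"), ps[i:j].lstrip("/"), line
            i = j
        else:
            line += c == "\n"
            i += 1

def scan(ps):
    """Return sorted (line, operator, how) findings for watched operators."""
    found = []
    for kind, text, line in tokens(ps):
        if kind == "string":  # strings can be run via cvx exec, so look inside
            found += [(line, w, "in-string") for w in WATCHED
                      if re.search(r"(?<![A-Za-z])" + w + r"(?![A-Za-z])", text)]
        elif text in WATCHED:
            found.append((line, text, "called" if kind == "name" else "literal"))
    return sorted(found)

# Constructed inputs: a job that calls setpassword, and the vaccine's shape.
SAMPLE_JOB = "%!PS\n% setpassword in a comment\nstatusdict begin 0 0 setpassword pop end\n"
SAMPLE_VACCINE = "/setpassword { pop pop } bind def\n"
```

A "called" or "in-string" hit in downloaded clip art or a font is the case the post warns about; a "literal" hit is what the vaccine itself produces.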