Re: Virus attacks on PGP
On Fri, 24 Nov 1995, Norman Hardy wrote:
> At 2:46 PM 11/24/95, Thomas E Zerucha wrote:
> ....
>
> >It takes quite an effort to create a complex virus to do this. It
> >reminds me of the Glomar Challenger that was used to recover the remains
> >of a Russian sub (my memory is somewhat faulty). Such a virus would
> >require a great investment in time and money. What target would be worth it?
> >Many otherwise feasible things aren't economically practical.
>
> Yes, but if your particular habits became widespread, an intelligence
> agency could amortize the virus effort across many victims.
>
> Here is just one such complicated virus:
> Sit in the OS watching for PGP to be launched. Patch PGP on the way in. The
> patch writes to disk the location and password for the secure key ring.
> Concurrently the virus watches for there to be IP service and sends the
> disk information as a UDP.
The virus is starting to get large and noticeable. First, I alternate
between a.out and ELF (and DOS .EXE). It doesn't have to patch pgp, just
look for it to be loaded and the secring file accessed. Then record
keystrokes. This would also work with a hardware implementation if the
secring passphrase is external (as opposed to an external keypad).
This is what can be done when PGP is used for communication. For other
info, I can isolate a computer (no modem, unroutable IP addresses, etc).
Of course our firewall is a socks server and doesn't forward UDP. Maybe
a socksified, SSL virus? My computer is attached that way far more than
via modem. And maybe I should just nuke (or modularize) UDP? You can do
interesting things with kernel source.
> Alternatively the virus waits for idle time, (screen saver time) and dials
> an 800 number having turned off the modem speaker. But don't send the same
> data twice!
That would be interesting - even with the speaker "off" the power surge
causes clicking and other signs. Not to mention that the interrupt count
would start moving (of course the virus could replace the entire OS and
would only have to find 300K chunks to hide in).
Were they that interested, they could place a surveillance device over my
desk (I don't know if they can pick up the scan on LCDs like they can on
monitors - I am surprised they didn't put the kibosh on the FCC emission
rules). Maybe I can move my desk, or my pgp station inside our EMI
testing faraday cage :).
[email protected] -or- 2015509 on MCI Mail
finger [email protected] for PGP key