[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Virus attacks on PGP

On Fri, 24 Nov 1995, Norman Hardy wrote:

> At 2:46 PM 11/24/95, Thomas E Zerucha wrote:
> ....
> >It takes quite an effort to create a complex virus to do this.  It
> >reminds me of the Glomar Challenger that was used to recover the remains
> >of a russian sub (my memory is somewhat faulty).  Such a virus would
> >require a great investment in time and money.  What target would be worth it?
> >Many otherwise feasible things aren't economically pracitcal.
> Yes, but if your particular habits became widespread, an intelligence
> agency could amortize the virus effort across many victims.
> Here is just one such complicated virus:
> Sit in the OS watching for PGP to be launched. Patch PGP on the way in. The
> patch writes to disk the location and password for the secure key ring.
> Concurrently the virus watches for there to be IP service and sends the
> disk information as a UDP.

The virus is starting to get large and noticeable.  First, I alternate 
between a.out and ELF (and DOS .EXE). It doesn't have to patch pgp, just 
look for it to be loaded and teh secring file accessed.  Then record 
keystrokes.  This would also work with a hardware implementation if the 
secring passphrase is external (as opposed to an external keypad).

This is what can be done when PGP is used for communication.  For other 
info, I can isolate a computer (no modem, unroutable IP addresses, etc).

Of course our firewall is a socks server and doesn't forward UDP.  Maybe 
a socksified, SSL virus?  My computer is attatched that way far more than 
via modem.  And maybe I should just nuke (or modularize) UDP?  You can do 
interesting things with kernel source.

> Alternatively the virus waits for idle time, (screen saver time) and dials
> an 800 number having turned off the modem speaker. But don't send the same
> data twice!

That woudl be interesting - even with the speaker "off" the power surge 
causes clicking and other signs.  Not to mention that the interrupt count 
would start moving (of course the virus could replace the entire OS and 
would only have to find 300K chunks to hide in).

Were they that interested, they could place a surveillence device over my 
desk (I don't know if they can pick up the scan on LCDs like they can on 
monitors - I am suprised they didn't put the kybosh to the FCC emission 
rules).  Maybe I can move my desk, or my pgp station inside our EMI 
testing faraday cage :).

[email protected] -or- 2015509 on MCI Mail
  finger [email protected] for PGP key