
NuKE Issue 08-007

  

-----BEGIN PGP SIGNED MESSAGE-----

NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_N
uK                                               Nu
KE  "F_Prot AntiVirus Exploit NuKE to Promote"  uK
E_       "Their Product Ahead of McAfee's"       KE
_N                      by                       E_
Nu                  Rock Steady                  _N
uK                                               Nu
KE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuKE_NuK

NuKE Info-Journal #8
April 1994

About this time last year, we released the NuKE Info-Journal #5, on March 13,
1993, to be exact. Inside that Info-Journal we had a little feature article
that got a great response from almost everyone, around the globe. That article
was basically "McAfee's VirusScan Complete Scan Strings". Yes, we removed all
the 'Scan Strings' inside McAfee's Scan product, and published them in the
IJ #5. But what happened next was somewhat a shock, that I honestly could
say, I did not expect.

Since then, if you followed up on Patty Hoffman's VSUM, we noticed that
McAfee's VirusScan always rated #1. And FPROT and Dr. Solomon's AntiVirus
lagged far behind. And why not? Patty and McAfee have always been known to
'Pat each other on the back'. It wasn't a fair deal anyway? Besides, if a
North American virus problem occurred, who would we call for help? Naturally
McAfee would be the one, because he has the advantage of location. Those
products such as Dr. Solomon or FPROT, are somewhat isolated from the
problem, and would not be able to help unless that virus became widespread.

You see location plays a great deal in the Anti-Virus community, that is why
today you have hundreds of FPROT and Solomon 'followers' up our asses, in our
BBSes, in our life, etc... (RAID Help Us!!!)

So how can you, being an overseas AntiVirus vendor, compete in a North
American market? Naturally you CHEAT! You step on whomever and whatever
hoping no copyright suit gets slapped on your face. But what are we stealing
here? Corporate Secrets? Patented Algorithms? No, we are stealing virus
signatures! And why not? Those cannot be subjected to the copyright laws!

Naturally speaking, who can claim ownership on a virus, but the virus maker
himself. Nobody, so the 'Scan Strings' being used to detect certain viruses
cannot be subjected to Copyright laws because those series of bytes belong
to the virus, that is not owned by the AntiVirus vendor.

So on looking through Patty Hoffman's VSUM, I noticed a change in the June
1993 issue of VSUM. And for the VERY FIRST time FPROT was the #1 virus
scanner! And scan was #2, and Dr. Solomon was right behind. And if we looked
at prior issues of VSUM we would have noticed a big lead by McAfee over these
two products (FPROT & DR SOLOMON).

It led me to think, since the timing was right, that Frisk & Solomon made
use of the extracted strings that we at NuKE published in IJ #5. So I took
out my nifty SoftIce package, and pulled apart F-Prot, and inside I noticed
some very _weird_ rubbish. I noticed about 50 or so, Scan Strings with no
certain virus ID name on it. It had a message somewhat like;

"We have found an unknown virus, please sent a copy to FProt for analysis."

This wasn't a heuristic warning, but a warning message that comes up when
FProt found one of these 50 or so Scan Strings. I took down the Scan Strings
and verified them against the McAfee Scan list we published a couple months
earlier, in IJ #5.

Guess what happened next? Yup, these series of scan strings were strings
removed from that list, and put into FProt! I then went searching for a copy
of FProt that was released _before_ the IJ #5 came out, and guess what? Those
50 Scan Strings were not there!

I came to the final conclusion that Fprot & Solomon _must_ have made use of
those McAfee Scan Strings, no other explanation was possible. So I took the
last step in finalizing my conclusion, and we asked the horse's mouth. No not
Aristotle, but Frisk maker of FProt.

So I emailed him, and this is the reply I got.

---
> also since the public removal of the SCAN STRINGS that were in McAfee, i
> notice that your & alan's package have jumped-up in detection rates in
> vsum! i have seen MANY exact signatures in f-prot that were equal to
> mcafees, but were only added since we made the removal of mcafee's
> strings...

Right - I added 25 search strings, where I did not have the virus. Once I
get the virus, I remove the string, and replace it with two strings I select
in a different way. However, if my scanner ever encounters one of those
strings it will just report an unknown virus.
---

When asked about 'Copyright Laws' if Frisk was worried about a possible suit
from McAfee, he replied the following;

---
individual strings can not be copyrighted - but collections of them can.
That is why many anti-virus products have scan strings for non-existing
viruses in their database. This is also why VSUM deliberately describes
one or two non-existing viruses....simply to be able to prove if somebody
"ripped off" the whole list for use in another product. Simply publishing
the search strings would not, I guess, be illegal, though..
---
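
Added example, not part of the original article and not code from any of the
vendors named: a sketch of the two checks discussed above, a before/after
comparison of a product's scan strings against a published list, and decoy
entries that prove a collection was copied. All names and hex strings are
constructed for illustration.

```python
from dataclasses import dataclass

def normalize(sig: str) -> bytes:
    """Canonicalize a hex scan string so case and spacing cannot hide a match."""
    return bytes.fromhex(sig.replace(" ", ""))

@dataclass
class CopyReport:
    shared: int          # strings present in both databases
    decoys_found: list   # decoy names whose strings appear in the suspect set
    new_shared: int      # shared strings absent from the suspect's earlier release
    verdict: str

def audit(own: dict, decoys: set, suspect_old: list, suspect_new: list) -> CopyReport:
    own_by_sig = {normalize(s): name for name, s in own.items()}
    old = {normalize(s) for s in suspect_old}
    new = {normalize(s) for s in suspect_new}
    shared = own_by_sig.keys() & new
    # A decoy describes no real virus, so it cannot be derived independently.
    decoy_hits = sorted(own_by_sig[s] for s in shared if own_by_sig[s] in decoys)
    # Strings for real viruses can coincide by chance: the bytes come from the virus.
    new_shared = len(shared - old)
    if decoy_hits:
        verdict = "collection copied"
    elif new_shared:
        verdict = "overlap appeared between releases; inconclusive"
    else:
        verdict = "no evidence of copying"
    return CopyReport(len(shared), decoy_hits, new_shared, verdict)

# Constructed sample data (hypothetical names, made-up byte strings).
OWN = {
    "Virus-A": "B8 00 4C CD 21 E8 00 00",
    "Virus-B": "FA 33 C0 8E D0 BC 00 7C",
    "Decoy-1": "9C 51 A7 3E 0F D2 66 1B",   # planted entry, matches nothing real
}
DECOYS = {"Decoy-1"}
OLD = ["fa33c08ed0bc007c"]                               # suspect's earlier release
NEW_INDEPENDENT = OLD + ["b8004ccd21e80000"]             # one real string added
NEW_COPIED = OLD + ["b8004ccd21e80000", "9c51a73e0fd2661b"]  # decoy came along

if __name__ == "__main__":
    for label, new in (("independent", NEW_INDEPENDENT), ("copied", NEW_COPIED)):
        print(label, audit(OWN, DECOYS, OLD, new))
```
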

Well that somewhat concludes my article, on this topic. I have no interest
trying to find those 'non-existing' viruses Frisk describes. Maybe that
would also be a great read. But it is interesting, that people like Frisk
(the AV) try to influence the public view over people like us, Intelligent
Computer Hackers, into making us 'bad'. I perhaps am not one to talk about
us not being 'bad', as I got a record that says otherwise. Okay, I can live
with that, but I'm also saying that no matter how 'bad' you think I am, the
opposing side is exactly the same! If not worse.

I personally don't think anyone is pure at heart, so let's not compare, even
though it is _a lot_ easier to condone 'hackers'. But the _true_ Hacker is
not a criminal, but simply one who is extremely motivated in learning the
insides of a computer, and nothing will stop him from mastering it. So try
to separate the true Hackers from Hackers who are leechers.

Thank you
Rock Steady

-----BEGIN PGP SIGNATURE-----
Version: 2.2

iQCVAgUBLfml1U0EOTLgG0HDAQEgZAQAnDUvSgi8BzbYvJwiCBTSZz/0gv10McJS
p+RiMuNX7wLlw9tDJxXf5Q9eiyguvFkXJFy9ZIytEbs67W7urd8qOM5zDDkvgoPc
cL0ZDesZRbUxCHxvIryKYIWKelz2YYGH1ofUi9fKHOpt9v0BJo3Dkx647yGtvUWb
l26RFtwRu7M=
=5jqn
-----END PGP SIGNATURE-----
