Analysis: Gulf War Printer Virus (Winter, 1991-1992)
----------------------------------------------------
By Anonymous

I work closely with the technical aspects of the operating system on IBM mainframes, so I followed with some interest the accounts of the "Gulf War Virus." (News organizations in January 1992 reported the story of a computer virus introduced into an Iraqi air defense system via a printer.) My first reaction was one of amazement that the National Security Agency had pulled off such a stunt. But when I thought about it further, it began to seem less and less reasonable and more and more likely that the whole thing was a piece of "disinformation."

There are three ways that the printer might have been attached to the mainframe:

(1) Channel attached. If it was channel-attached, then there is virtually no way that it could initiate an action that would cause the modification of software on the mainframe. A printer is an output device. It can only tell the computer things like "I finished printing a line," "I have a jam," etc. It does this through very simple status codes.

(2) Attached to a network.

(3) Attached remotely.

(2) and (3) are similar in terms of requirements. If it were attached in one of these two ways, then it is at least conceivable that, with an enormous effort, it could transform itself from a print server into something capable of initiating input into the mainframe. This would involve a lot of "fooling the system." Once it had transformed itself, it would have to fool the mainframe again into considering it a legitimate user who had the proper security to either initiate batch jobs or work interactively. Once it had done that, it would have to know the name of the library where the CRT software resided and the name of the module that controlled the CRTs. It would have to convince the security system that it should be allowed to access this library.

Once it had done that, it could then make the very subtle change indicated in the article that would only go into effect under special circumstances. (A subtle change like that would be more difficult than a gross change that would, for example, simply bring down the entire system.) And all of this incredible coding would, presumably, be done in the 1k or 2k that is available in a ROM chip!

Now consider what I think is more likely. First you have to ask yourself, "Why would the NSA tell this story? If they could really do something neat like this, why wouldn't they keep it a secret to use again in the future?" I can only imagine two reasons that they might tell such a story:

(1) There is an Iraqi computer insider whom they are trying to protect (the guy who really did the deed) by diverting attention.

(2) The software (like most of the Iraqi equipment) probably came from a Western country. The company that created the CRT software might well have left a "logic bomb" in the software in case Saddam pulled a stunt like he pulled. The company probably does not want it to be known that they leave such bombs in their software, so the NSA wants, again, to protect them and divert attention.

I think that the disinformation theory gains some credibility from the information that is presented in the stories that are circulating. We are told almost nothing about the technical details, but we are told everything about the printer: how it came in, where it came from, the approximate timeframe, everything but the serial number. I suspect that when the Iraqis read the story and open up the printer, there will probably be color-coded chips there stamped "NSA."

As if mainframe security people don't have enough to worry about, I imagine that for the next 20 years they will have to answer questions about the possibility of introducing a virus into the mainframe from the least likely source: a printer.