Analysis: Gulf War Printer Virus (Winter, 1991-1992)
----------------------------------------------------
By Anonymous

I work closely with the technical aspects of the operating system on IBM
mainframes so I followed with some interest the accounts of the "Gulf War
Virus." (News organizations in January 1992 reported the story of a computer
virus introduced into an Iraqi air defense system via a printer.) My first
reaction was one of amazement that the National Security Agency had pulled off
such a stunt. But when I thought about it further it began to seem less and
less reasonable and more and more likely that the whole thing was a piece of
"disinformation."

There are three ways that the printer might have been attached to the
mainframe:

(1) Channel attached. If it was channel-attached then there is virtually no
way that it could initiate an action that would cause the modification of
software on the mainframe. A printer is an output device. It can only tell the
computer stuff like, "I finished printing a line," "I have a jam," etc. It does
this through very simple codes.

(2) Attached to a network.

(3) Attached remotely.

(2) and (3) are similar in terms of requirements. If it were attached in one of
these two ways then it is at least conceivable that, with an enormous effort,
it could transform itself from a print server into something capable of
initiating input into the mainframe. This would involve a lot of "fooling the
system." Once it had transformed itself it would have to fool the mainframe
again into considering it a legitimate user who had the proper security to
either initiate batch jobs or work interactively. Once it had done that it
would have to know the name of the library where the CRT software resided and
the name of the module that controlled the CRTs. It would have to convince the
security system that it should be allowed to access this library. Once it had
done that it could then make the very subtle change indicated in the article
that would only go into effect under special circumstances. (A subtle change
like that would be more difficult than a gross change that would, for example,
simply bring down the entire system.) And, all of this incredible coding would,
presumably, be done in the 1k or 2k that is available in a ROM chip!

Now consider what I think is more likely: First you have to ask yourself, "Why
would the NSA tell this story? If they could really do something neat like
this, why wouldn't they keep it a secret to use again in the future?" I can
only imagine two reasons that they might tell such a story: (1) There is an
Iraqi computer insider who they are trying to protect (the guy who really did
the deed) by diverting attention; (2) The software (like most of the Iraqi
equipment) probably came from a Western country. The company that created the
CRT software might well have left a "logic bomb" in the software in case Saddam
pulled a stunt like he pulled. The company probably does not want it to be
known that they leave such bombs in their software, so the NSA wants, again, to
protect them and divert attention.

I think that the disinformation theory gains some credibility from the
information that is presented in the stories that are circulating. We are told
almost nothing about the technical details but we are told everything about the
printer. How it came in, where it came from, the approximate timeframe,
everything but the serial number. I suspect that when the Iraqis read the story
and open up the printer there will probably be color-coded chips there stamped
"NSA."

As if mainframe security people don't have enough to worry about, I imagine
that for the next 20 years they will have to answer questions about the
possibility of introducing a virus into the mainframe from the least likely
source: a printer.