TidBITS#14 19900723

PostScript Trojan

There has been discussion on Usenet recently of a new trojan horse that is a bit different from the usual sort. Most trojan horses are fairly simple-minded in that they try to erase files or entire hard disks, which has become tediously obnoxious. This new trojan, which has yet to be named, lives in certain PICT files, and if you print these PICT files on a PostScript printer, the trojan is downloaded to the printer and executed. It changes the PostScript password in the laser printer to a random number, thus preventing you from using the printer. This is normally disastrous, because there are 65,536 possible passwords (it's an integer) and you might have to try each one of them to set the password back to the default of 0. This is because you have to know the old password to set a new one. The PostScript language can do this automatically, of course, but rough estimates forecast the time it would take to be over three weeks of continuous checking. Not my idea of a fun month.

Luckily, someone came up with an ingenious PostScript program which resets the password to 0. You must have a program such as SendPS (free from Adobe) to send the code to the printer.

If you're wondering why PostScript bothers with passwords at all when it defaults to 0, you do so justly. Adobe's Red Book says that the password is included so system administrators can keep unauthorized people from changing any other (pseudo) permanent states of the laser. For this to work with the Mac, you have to change all versions of the LaserWriter (or possibly LaserPrep) file that are used with the printer to recognize the new password, which is a hassle. Don't do this unless you consider yourself a minor PostScript deity and like using ResEdit as well. It might be best not to have a password at all if it is set to a default in most printers. Unused passwords lead to trouble, as they have here.

Are you wondering what the alternative is if you can't afford a month of downtime for your Mac and printer or can't get a copy of the code to reset the password? One person said that his EEPROMs were somehow reset during a ferocious lightning storm, but it's hard to fly a laser printer on a kite like Benjamin Franklin's famous key. Remaining dry and on the ground, you can either reset the password by taking out one of the EEPROMs in the printer (our source didn't know exactly which one) and risk destroying things or you can go to your friendly local dealer and purchase new EEPROMs for about $150. Neither is a good option. However, the code to reset the password and the SendPS program should be readily available for anonymous FTP on the nets at sumex-aim.stanford.edu and rascal.ics.utexas.edu, and if not, I will personally make sure they are on the Memory Alpha BBS (607/257-5822) in Ithaca, NY. Memory Alpha sports a full line of anti-virus tools and all are welcome. We'll include an update next week in TidBITS if we find out which PICTs carry the evil code and what the trojan will be called.

In light of all the safe sex campaigning, wouldn't it be ironic if even ogling a few lewd PICTs required that you protect yourself? Ah, cruel, cruel world.
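The mechanism described above (PostScript carried inside a picture file and run by the printer) suggests a pre-print triage check. The following Python sketch is an added example, not code from this article or from any tool it mentions. It scans raw file bytes for the standard PostScript printer operators `exitserver` and `setpassword`, which the article does not name; the function name, the choice of operators to flag, and the sample bytes are assumptions made for illustration.

```python
# Added example: triage scan for PostScript that touches persistent printer state.
WATCHED = (b"exitserver", b"setpassword")  # assumption: which operators to flag


def scan_for_printer_state_ops(data: bytes):
    """Return sorted (offset, operator, kind) hits found in raw file bytes.

    kind is "executable" for a bare name and "literal" for /name, which
    code can later run through load or exec.
    """
    hits = []
    for name in WATCHED:
        start = 0
        while (i := data.find(name, start)) != -1:
            start = i + 1
            before = data[i - 1:i] if i else b""
            after = data[i + len(name):i + len(name) + 1]
            # Heuristic boundary: an ASCII letter or digit on either side
            # means the match is inside a longer name (e.g. resetpassword).
            # Empty slices (start or end of data) count as boundaries.
            if before.isalnum() or after.isalnum():
                continue
            kind = "literal" if before == b"/" else "executable"
            hits.append((i, name.decode("ascii"), kind))
    return sorted(hits)


# Constructed sample: binary filler followed by embedded PostScript text.
# Operands are placeholders, so the fragment is not a working program.
SAMPLE = (
    b"\x00\x11\x02\xff\x0c\x00"
    b"% constructed fragment for the scanner\n"
    b"serverdict begin PASSWORD exitserver\n"
    b"statusdict begin OLD NEW setpassword pop end\n"
    b"/resetpassword {} def\n"
)

if __name__ == "__main__":
    for offset, op, kind in scan_for_printer_state_ops(SAMPLE):
        print(f"offset {offset}: {op} ({kind})")
```

A hit is a reason to hold the file for review before it reaches a printer. A clean scan proves nothing, since PostScript can build an operator name at run time.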

Information from:
Doug Davenport -- SNAP Technologies, Ithaca, NY
Adam C. Engst -- TidBITS Editor
Chris Johnson -- chrisj@emx.utexas.edu
Werner Uhrig -- werner@cs.utexas.edu
Michael Newbery -- newbery@rata.vuw.ac.nz
Casper H.S. Dik -- casper@fwi.uva.nl
Mike Blackwell -- mkb@rover.ri.cmu.edu
Steve Liget -- stevel@eleazar.dartmouth.edu