denbeste@bbn.com (Steven Den Beste) (02/25/89)
There exist clock chips which in addition to providing time of day and such like, also have a certain amount of non-volatile memory preserved by the same battery which powers the clock. There was a discussion here last year about whether a virus could hide in such memory. The answer is "No".

The reason is: Clock NVM is not memory mapped. The processor cannot execute out of it. To access it, the processor loads the NVM address it wishes to reach into a clock chip register, then accesses its value through another register. This cannot happen in execution - it takes several instructions to access each nybble. (Note that the clock NVM is 4 bits wide.)

[Just to make sure everything is clear: For EVERY clock NVM location the address is written into the SAME clock chip register, and then the value is read out of the SAME other clock chip register.]

Sooo, here's the dreaded clock-virus running in memory on a new machine, and it loads itself into the Clock NVM. The user powers the machine down, but the fiendish virus lives on, powered by the battery. Skulking in the hardware, it never appears on the disk where it can be seen. Hoo hoo hah hah hah! (a fiendish laugh, in case you hadn't noticed.)

Later the user powers the machine back on again.

HOW'S THE VIRUS GETTING BACK OUT OF THE CLOCK NVM TO DO ANY HARM, OR ANYTHING ELSE FOR THAT MATTER?

Answer: it needs something changed in the boot sequence of the system disk, JUST LIKE ANY OTHER VIRUS. This 'something' would then load things back out of the NVM into normal RAM so they could be copied.

In other words, a clock virus, if such a thing exists, must leave part of itself on the system disk, and can therefore be detected and countered just like any of the other viruses.

Note that the 'something' on the disk can't assume that the clock NVM contains the right things - it may be coming up for the first time on a new machine.

SO:

1. A "clock virus" must keep part of itself on the system disk - at least enough to read things out of the NVM on bootup.
2. A "clock virus" must keep ALL THE REST of itself on the system disk, too, so it can infect a new machine.
3. There is therefore virtually nothing of interest that it is worth putting in the Clock NVM, since it must be on the disk also.
4. Not all Amigas have clock chips, and of those that do, not all have NVM, (and among THEM the interfaces may be different) and virus writers want to make sure everyone can share in the fun. They will therefore not take advantage of it even if it is present.

About the only thing it would make sense for a virus to keep in NVM is a reboot counter, if there is some sort of delayed-action fun-and-games planned. (But such a counter could be kept on the disk, too.)

------------------------

It is not correct to say that a "Clock virus" is impossible. It can be said, however, that virtually anything that a virus writer could do with it can be done better, easier, and smaller (!) without it. It can therefore be said that no-one will write a "Clock virus".

GOATS? HAWGS? DOGS? "I am not an animal, I am a free man!"
Steven C. Den Beste, BBN Communications Corp., Cambridge MA
denbeste@bbn.com(ARPA/CSNET/UUCP) harvard!bbn.com!denbeste(UUCP)
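
The access scheme described in the post above (one address register and one data register in front of every 4-bit NVM cell) is modelled here as an added example that is not part of the original thread; it copies the NVM into ordinary RAM and compares it with a saved baseline, which is how an administrator could check the cells for unexpected changes. The struct layout, the 16-cell size and all function names are assumptions made for the simulation, not details of any real clock chip.

```c
#include <stddef.h>
#include <stdint.h>

#define NVM_NYBBLES 16  /* assumed size; the post does not give one */

/* Simulated clock chip (hypothetical layout): ONE address register and
   ONE data register front every NVM cell; cells are 4 bits wide. */
struct clock_chip {
    uint8_t addr_reg;
    uint8_t nvm[NVM_NYBBLES];
};

static void chip_select(struct clock_chip *c, uint8_t loc) {
    c->addr_reg = loc & (NVM_NYBBLES - 1);
}
static uint8_t chip_read(const struct clock_chip *c) {
    return c->nvm[c->addr_reg] & 0x0F;
}
static void chip_write(struct clock_chip *c, uint8_t v) {
    c->nvm[c->addr_reg] = v & 0x0F;
}

/* Copy the NVM into ordinary RAM, two nybbles per byte (high first).
   Returns bytes written, or 0 if the buffer is too small. */
size_t nvm_dump(struct clock_chip *c, uint8_t *out, size_t outlen) {
    size_t n = NVM_NYBBLES / 2;
    if (outlen < n) return 0;
    for (size_t i = 0; i < n; i++) {
        chip_select(c, (uint8_t)(2 * i));
        uint8_t hi = chip_read(c);
        chip_select(c, (uint8_t)(2 * i + 1));
        out[i] = (uint8_t)((hi << 4) | chip_read(c));
    }
    return n;
}

/* Count bytes that differ from a saved baseline dump; -1 on error. */
int nvm_changed_bytes(struct clock_chip *c, const uint8_t *base, size_t len) {
    uint8_t now[NVM_NYBBLES / 2];
    if (len != nvm_dump(c, now, sizeof now)) return -1;
    int changed = 0;
    for (size_t i = 0; i < len; i++) changed += (now[i] != base[i]);
    return changed;
}

/* Constructed sample: fill the cells, save a baseline, clobber cell 5. */
int demo_changed_after_clobber(void) {
    struct clock_chip chip = {0};
    uint8_t base[NVM_NYBBLES / 2];
    for (uint8_t i = 0; i < NVM_NYBBLES; i++) { chip_select(&chip, i); chip_write(&chip, i); }
    nvm_dump(&chip, base, sizeof base);
    chip_select(&chip, 5); chip_write(&chip, 0x0);
    return nvm_changed_bytes(&chip, base, sizeof base);
}
```

Every cell costs a select plus a read through the same two registers, so the contents only become usable once ordinary code has copied them into RAM.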
urjlew@ecsvax.UUCP (Rostyk Lewyckyj) (02/27/89)
In article <36423@bbn.COM>, denbeste@bbn.com (Steven Den Beste) writes
a lengthy explanation of why there can be no such thing as a virus
that hides in the NVM of a computer clock. But perhaps some of the
people using this term were thinking of a whatever virus whose effect
was to clobber the registers in the clock, or code used to access
the clock, as the mischief that they do. Rather than displaying a
cute message or erasing the disks. Fortunately so far all of these
suspicious cases have resolved themselves into inadvertent clobbering
of the clock registers by buggy applications problems, hardware glitches,
or buggy clock maintenance programs.
But who knows, tomorrow we may find that indeed some weirdo has released
just such a clock eating virus. Why?? Why indeed.