hull@hao.ucar.edu (Howard Hull) (01/06/88)
> I've got a question at this point. Can't one thwart the virus
> in the following manner?
>
> 1) Never NEVER boot from anything but an uninfected disk that
> has its write-switch on the "can't-write-to-this-disk" position.

While this would thwart the so-far-observed forms of the Amiga's boot block virus, it would not stop other forms of worms, bombs, trojan horses or retro-viruses. Obviously, to reproduce, the virus must write to someplace. Unfortunately, there are plenty of places to which a generalized reproduction program may write. How about RAM, for instance? Do you know of any computers that do not have RAM? Isn't RAM practically part of the definition of a computer?!!! Once the program has written the appropriate stuff to RAM, it can usually get any number of system routines to help install the stuff in a more durable place - like on the tail end of a binary file (with an appropriately modified checksum, for instance).

A retrovirus might be a virus that is assembled from scattered words located in several system routines, perhaps nothing more than a file of pointers to copyable words (words that may be profitably interpreted as instructions or instruction operands if they are delivered to the IR or MAR). A retrovirus writer could choose words that have a low probability of being changed to something harmless by re-compiling a system routine. If he gets help from the ADA operating routines, he could call them Government AIDS. This can be done for ANY KNOWN personal computer. Buggar an ST - Whack a Mac - gnome a PC clone in clature. Of course, the good gnus is that such things are variously detectable. And that's the problem: variously. Somebody has to do some work to muster a counter-attack, and that's the bad gnus.

> 2) When one gets a new non-commercial disk, *always* use
> INSTALL to overwrite anything in the boot-block, thereby killing off
> the virus.

And thereby killing off the commercial developer's specialized boot block, too, eh? Go ahead.
Cut the gonads off your $300 plus word processing package just to get at some fool's trojan gimmick. And what if some wise guy sneaks a boogered version of INSTALL onto a bootable PD disk? How long will it take before anyone finds out that their attempt to cure the virus is installing delayed shorts in all sets of their electric underwear?

> I may be missing something here...I am not sure. I haven't personally

Yeah, I think you are missing something here. You are missing the fact that in order to protect yourself from viruses you have to have a machine with no writeable words - a sort of hard programmed controller, maybe?

> been infected YET, but then again I've only had my Amiga for a week now!

So set ALL the write protect tabs on ALL your disks to READ ONLY. A week after that, submit another article to the net telling everyone what amazing things you can do with your computer, and why you're really glad you got one with so many features... I'm not trying to be a smart ass, but [I'm sorry, it's such a natural for me, though :-) ] gosh.

And after you have developed a virus detector (an unusual activity detector, really) try this one:

"A man skilled in technical electronics decides to rob a bank. He decides that the best method is a delayed trojan horse system. He knows that the bank monitors its software meticulously for such things, and does have an unusual activity detector that monitors address space accesses and space-time signatures. However, he also knows that the system only functions during regular business hours, and that part of the time each day is devoted to running diagnostics. So the first thing he does is that he gets a job with the company that maintains the bank's computer disk drives. He gets hold of a disk controller card. He decodes the disk controller's ROM, and determines where the inactive words in the ROM are, and where the ROM checksum is stored, or how it is calculated.
He then writes a program that at some future date (like December 31, 1993) during non-diagnostic times either exports a program onto the computer's DMA bus (where it will not be spotted by the op sys's scheduler), and/or accesses certain of the system's peripherals directly to use the computer's DATA NETWORK facilities to call HIM up at a pre-arranged phone number and ask for instructions concerning a particular funds transfer. He installs the program in a set of ROMs (with his homemade burner) and pops the ROMs into a disk controller that he knows will eventually be swapped into the bank's disk drives some time after he leaves the company. He then waits for his 1993/4 New Year holiday... When the bank opens on January 2, 1994, he transfers his money to Switzerland (appropriate, eh?) and scrams to Europe."

Ok, if I can think this one up in 15 minutes just sitting here, think of what somebody with some brains can do. The only solution is to make sure everyone is gainfully employed at suitably rewarding but less risky work...

Now Then, ::Pirated from Bryce Nesbitt::

"Your theory is crazy... but not crazy enough to be true." -Niels Bohr

> -Chris

Howie the Horrid
hull@hao.ucar.edu
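The two things the thread turns on, the boot-block checksum that INSTALL rewrites and that a boot-block virus has to get right, and the fact that a correct checksum says nothing about whether the boot code is the one you expect, can be checked directly. What follows is an added example; it is not code from the post above and not Commodore's INSTALL. It uses the Amiga boot block layout (1024 bytes, "DOS" signature, checksum longword at offset 4, root block number at offset 8, boot code from offset 12) and the checksum rule (one's complement of the end-around-carry sum of the other 255 longwords). The reference boot code, the "virus" payload and the sample blocks are constructed for the demonstration and are not real Amiga boot code.

```python
"""Amiga boot-block checksum check and boot-code comparison.

Added example: not code from the original post and not Commodore's INSTALL.
Layout it relies on: the boot block is the first two 512-byte sectors of the
disk; bytes 0-2 are "DOS", byte 3 is a flags byte, bytes 4-7 hold the
checksum, bytes 8-11 the root block number (880 on an 880K floppy) and the
68000 boot code starts at byte 12.
"""
import struct

BOOTBLOCK_SIZE = 1024
CHECKSUM_OFFSET = 4
ROOTBLOCK_OFFSET = 8
CODE_OFFSET = 12
ROOT_BLOCK = 880

# Constructed stand-in for a known-good boot code image (twenty 68000 NOPs
# and an RTS). NOT Commodore's real boot code: in practice you would dump the
# boot block of a disk written by the genuine INSTALL command and use that.
REFERENCE_CODE = b"\x4e\x71" * 20 + b"\x4e\x75"


def bootblock_checksum(block: bytes) -> int:
    """Checksum that belongs at offset 4: one's complement of the sum of all
    longwords except the checksum field, with carries out of bit 31 folded
    back in (end-around carry)."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    total = 0
    for index, word in enumerate(struct.unpack(">256I", block)):
        if index == CHECKSUM_OFFSET // 4:
            continue
        total += word
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1   # end-around carry
    return (~total) & 0xFFFFFFFF


def checksum_ok(block: bytes) -> bool:
    stored = struct.unpack_from(">I", block, CHECKSUM_OFFSET)[0]
    return stored == bootblock_checksum(block)


def make_bootblock(code: bytes, flags: int = 0) -> bytes:
    """Build a boot block the way an INSTALL-like tool would: signature,
    flags byte, root block number, boot code, then a correct checksum."""
    if len(code) > BOOTBLOCK_SIZE - CODE_OFFSET:
        raise ValueError("boot code does not fit in the boot block")
    body = bytearray(BOOTBLOCK_SIZE)
    body[0:3] = b"DOS"
    body[3] = flags & 0xFF
    struct.pack_into(">I", body, ROOTBLOCK_OFFSET, ROOT_BLOCK)
    body[CODE_OFFSET:CODE_OFFSET + len(code)] = code
    struct.pack_into(">I", body, CHECKSUM_OFFSET, bootblock_checksum(bytes(body)))
    return bytes(body)


def infect(block: bytes, payload: bytes) -> bytes:
    """Model of what a boot-block virus does to a disk: overwrite the boot
    code and recompute the checksum so the disk still boots. The payload
    is constructed for the demonstration; it is not a real virus."""
    body = bytearray(block)
    body[CODE_OFFSET:CODE_OFFSET + len(payload)] = payload
    struct.pack_into(">I", body, CHECKSUM_OFFSET, bootblock_checksum(bytes(body)))
    return bytes(body)


def first_difference(block: bytes, reference_code: bytes) -> int:
    """Offset of the first byte from CODE_OFFSET on that differs from the
    reference code (zero-padded to the end of the block), or -1 if none."""
    expected = reference_code.ljust(BOOTBLOCK_SIZE - CODE_OFFSET, b"\0")
    for offset, (got, want) in enumerate(zip(block[CODE_OFFSET:], expected)):
        if got != want:
            return CODE_OFFSET + offset
    return -1


def classify(block: bytes, reference_code: bytes) -> str:
    """A correct checksum only proves the block will boot, since a virus
    fixes the checksum after writing itself in. Anything that differs from
    the reference is "custom", which covers a vendor's own boot block just
    as much as a virus; from there the bytes have to be compared by hand."""
    if len(block) != BOOTBLOCK_SIZE or block[0:3] != b"DOS":
        return "not a DOS boot block"
    if not checksum_ok(block):
        return "bad checksum (will not boot: corrupted or clumsily patched)"
    diff = first_difference(block, reference_code)
    if diff < 0:
        return "standard boot block"
    return f"custom boot code (first difference at byte {diff})"


if __name__ == "__main__":
    clean = make_bootblock(REFERENCE_CODE)
    damaged = bytearray(clean)
    damaged[CODE_OFFSET] ^= 0xFF                       # patched, checksum not fixed
    infected = infect(clean, b"\x60\x00" + b"\x4e\x71" * 4)   # constructed payload
    for name, blk in (("clean", clean), ("damaged", bytes(damaged)), ("infected", infected)):
        print(f"{name:9s} {classify(blk, REFERENCE_CODE)}")
```

The point of the `classify` result is the one the reply makes: the checksum catches a clumsy patch, but a virus that re-checksums passes it, and the only thing that separates that virus from a commercial developer's specialized boot block is a byte-for-byte comparison against a reference you trust, which is exactly what a blanket INSTALL throws away.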