[comp.sys.atari.st] Atari ST Virus hiding place

apratt@atari.UUCP (Allan Pratt) (05/10/88)

I have posted this to comp.risks, and I'll post it here.  "PGN"
is the moderator of comp.risks: Peter G. Neumann @ rl.sri.com.

A perfect hiding place for viruses on the Atari ST has come to my
attention.  The reason it's interesting is it is a place where a VERY
LARGE virus can live -- much larger than just the boot sector of a
floppy. 

The hole exists because the ST formats floppies with five-sector FATs
(File Allocation Tables) even though at most three sectors will be used. 
Since there are two FATs per disk, this leaves four sectors for the
virus.  A boot-sector virus could be five sectors in length without
impacting the user-visible free space on the disk. 

The sectors in question are logical sectors 4, 5, 9, and 10 (where the
boot sector is sector 0).  These sectors are always zeroed by the
built-in formatter (I can't speak for others).  The rationale, I
believe, for the five-sector FATs is so the root directory of the volume
will appear on Side 1 of a double-sided disk, so a single-sided drive
will not be fooled into thinking it can work with the disk. 

I asked PGN about posting this -- about the tradeoff between warning the
friendlies and informing the hostiles about this hiding place.  As PGN
pointed out, "...  the underground will find out anyway.  The crackers
are networked better than everyone else."

So here is my posting.  The cure for an infected disk is to make the
boot sector non-bootable, and zero the four sectors listed above. 

============================================
Opinions expressed above do not necessarily	-- Allan Pratt, Atari Corp.
reflect those of Atari Corp. or anyone else.	  ...ames!atari!apratt

[P.S. I don't know of any viruses which use this hiding place.  I only
know it's there, and we should all be careful.]

woodside@ttidca.TTI.COM (George Woodside) (05/12/88)

In article <1062@atari.UUCP> apratt@atari.UUCP (Allan Pratt) writes:
[...edited...]
>A perfect hiding place for viruses on the Atari ST has come to my
>attention.  The reason it's interesting is it is a place where a VERY
>LARGE virus can live -- much larger than just the boot sector of a
>floppy. 
>
>The hole exists because the ST formats floppies with five-sector FATs
>(File Allocation Tables) even though at most three sectors will be used. 
>Since there are two FATs per disk, this leaves four sectors for the
>virus.  A boot-sector virus could be five sectors in length without
>impacting the user-visible free space on the disk. 
>
>The sectors in question are logical sectors 4, 5, 9, and 10 (where the
>boot sector is sector 0).  These sectors are always zeroed by the
>built-in formatter (I can't speak for others).  
Since I'm the person (or at least one of them) responsible for bringing
this to Allan's attention, let me expand on it a bit, and hopefully head 
off a potentially false solution.

I've been spending a fair amount of time examining suspected virus disks
sent to me. I will continue to do so. If you suspect a disk of bearing a virus,
send it to me, and I'll check it out. If there is a virus on it, I'll add
a kill for it to the next generation virus killer.

>[P.S. I don't know of any viruses which use this hiding place.  I only
>know it's there, and we should all be careful.]

I do!

One of the virus disks I have contains logic which loads an additional sector
from the disk, one of the FAT sectors Allan mentioned. Note, however, that
it determines which sector to load by examining the disk configuration data
in the boot sector. It checks the FAT size, and the number of reserved
sectors, then determines the last sector in the first copy of the FAT. It
loads that sector, and attempts to execute code it expects to find there.

So, anyone thinking of writing a formatter which allocates only three-sector
FATs, don't bother. You will not only fail to stop the spread of the
virus, you'll also get any files on the tail end of the disk wiped out.

My next generation of virus killer will check and zero (after requesting
permission) the unused FAT sectors. As Allan states, that's the safest way
to deal with the problem.

Meanwhile, if you suspect a virus, send the suspect disk to:

     George R. Woodside
     5219 San Feliciano Drive
     Woodland Hills, Ca. 91364 (USA)

Thank you.

-- 
*George R. Woodside - Citicorp/TTI - Santa Monica, CA 
*Path: ..!{trwrb|philabs|csun|psivax}!ttidca!woodside
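As an added example (not part of either post), here is a Python checker for a raw ST floppy image that applies the thread's reasoning: it reads the BPB from the boot sector, lists the FAT sectors each copy reserves but never uses, flags any that are not zero (including the last sector of the first FAT copy, which the virus George describes loads), and applies Allan's cure of zeroing them and making the boot sector non-bootable. The 720-sector sample image is constructed here; the BPB offsets and the 0x1234 boot-sector word checksum are the standard TOS layout, and the sample function names are my own.

```python
import struct

SECTOR = 512
BOOT_CHECKSUM = 0x1234   # TOS executes a boot sector only if its 256 big-endian words sum to this
MAX_FAT_USED = 3         # per the post: at most three of the five FAT sectors are ever used

def parse_bpb(boot):
    # BIOS Parameter Block at offset 0x0B, little-endian (Intel) byte order
    bps, spc, res, nfats, ndirs, nsects, _media, spf = struct.unpack_from("<HBHBHHBH", boot, 0x0B)
    return {"bps": bps, "spc": spc, "res": res, "nfats": nfats, "ndirs": ndirs, "nsects": nsects, "spf": spf}

def is_bootable(image):
    return sum(struct.unpack(">256H", image[:SECTOR])) & 0xFFFF == BOOT_CHECKSUM

def unused_fat_sectors(bpb):
    # sectors each FAT copy reserves beyond the three it can use: 4, 5, 9, 10 on a stock ST disk
    out = []
    for copy in range(bpb["nfats"]):
        first = bpb["res"] + copy * bpb["spf"]
        out.extend(range(first + MAX_FAT_USED, first + bpb["spf"]))
    return out

def scan_image(image):
    bpb = parse_bpb(image[:SECTOR])
    unused = unused_fat_sectors(bpb)
    nonzero = [n for n in unused if any(image[n * SECTOR:(n + 1) * SECTOR])]
    return {"bootable": is_bootable(image), "unused": unused,
            "target": bpb["res"] + bpb["spf"] - 1,   # last sector of first FAT copy: what the virus loads
            "nonzero": nonzero}

def clean_image(image):
    # Allan's cure: zero the unused FAT sectors and make the boot sector non-bootable
    img = bytearray(image)
    for n in unused_fat_sectors(parse_bpb(img[:SECTOR])):
        img[n * SECTOR:(n + 1) * SECTOR] = bytes(SECTOR)
    img[510:512] = b"\x00\x00"      # bytes 510-511 are the checksum pad word, not BPB data
    if is_bootable(img):            # pad already zero and the sum is still 0x1234: perturb it
        img[510:512] = b"\x00\x01"
    return bytes(img)

def make_sample_image():
    # constructed 720-sector double-sided image: bootable boot sector, code bytes hidden in sector 5
    boot = bytearray(SECTOR)
    struct.pack_into("<HBHBHHBH", boot, 0x0B, 512, 2, 1, 2, 112, 720, 0xF9, 5)
    partial = sum(struct.unpack(">255H", boot[:510])) & 0xFFFF
    struct.pack_into(">H", boot, 510, (BOOT_CHECKSUM - partial) & 0xFFFF)
    image = boot + bytearray(SECTOR * 719)
    image[5 * SECTOR:5 * SECTOR + 4] = b"\x60\x00\x00\x1c"   # constructed non-zero payload bytes
    return bytes(image)
```

Run scan_image() on an image dumped sector-by-sector from a suspect disk; a non-empty "nonzero" list on a freshly formatted disk is exactly the condition both posts warn about.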