[comp.sys.mac] Mac Viruses: How long before...?

nick@lfcs.ed.ac.uk (Nick Rothwell) (03/09/89)

I'd like to air some general comments and concerns about Mac viruses,
based on the way that existing viruses (SCORES, nVIR, ...) work, and
more importantly, how they *don't* work. I hope that such discussion
doesn't incite anybody to build one as a result of these discussions;
but I don't know how I would do this, and it may not be possible, and
I believe that there are enough saints on the Net to make this posting
worthwhile. Any villain who understands these ideas would have had
them anyway.
   I'm basing this on my knowledge of the Mac - I've had one for about
9 months, I have Lightspeed C, vols I and II of Inside Mac, and Usenet
access, of course. I don't know a great deal about the OS apart from
what I've needed to write simple Mac applications.
   Earlier this week, we were hit by nVIR strain B. I spotted it on
a public machine, using Jeff Shulman's VirusDetective. It took me
a couple of hours to isolate it and rebuild the system, and the rest
of the day to pick up more recent virus tools, configure them, and
check other volumes and machines. Finding this virus was simplicity
itself - nVIR resources in applications and systems. As far as I know,
all other Mac viruses use dedicated resource types. I removed it by
doing a complete rebuild, but could probably have rendered it safe in
existing applications, if this was necessary. I now believe I have the
Macs safe from all viruses using this kind of technology.
   So, how long before the next level of technology? nVIR and so on
seem pretty simple, even to a novice Mac programmer like myself. Patch
a few resource manager calls, write a few special resources, patch the
entry code of a few applications, and that's it. The resource manager
provides all the necessary tools on a plate. So, I think we're at a
stage where Mac viruses are easy to write and easy to defeat.
   Presumably, the next stage is viruses which work in the same way,
but make themselves invisible to detection. If a virus can patch the
toolbox calls which search for resources, then they become invisible.
If a virus can detect patches on PutResource and so on, and find the
original entry points, then it can propagate under the nose of resource
watchers like Vaccine.
   I don't know how well the Mac is documented when you delve below the
Resource Manager level. Could a virus propagate itself by interpreting
the resource forks of files by itself? Could I create an INIT 32 in a
system file by myself?
   Is it possible to write a Mac virus which works in the same way as
the horrible low-level ones found on (Acht! Ptui!) PCs? I don't know
how Macs boot from system volumes - I just assume it's magic. But,
presumably the boot operation is open to attack, even if parts of the
boot are directed from the Toolbox ROM. At this level, we would be
talking about absolute disk addresses, absolute RAM locations, and so on,
way below the safety of the OS. One property of abstraction is that the
underlying representation can be quite volatile; because of the
abstraction of the Memory Manager, perhaps attempts by viruses to use
absolute RAM addresses would be doomed to failure as things come along
and trample over them.
   What about the system patches found in the data forks of system files?
Does anybody outside Apple know the format of these? Would it be easy
to interpret and alter the data fork, bypassing the resource mechanisms
altogether?
   These are all pretty simple questions, and have probably been thought of
before, by cowboys with both black hats and white. Perhaps the nature of
the Mac OS means that there's nothing reliable below the OS, so you can't
build a virus there (you can't set fire to a ship if you're treading
water...).
   Anybody have any comments? Words of reassurance?

		Nick.
--
Nick Rothwell,	Laboratory for Foundations of Computer Science, Edinburgh.
		nick@lfcs.ed.ac.uk    <Atlantic Ocean>!mcvax!ukc!lfcs!nick
~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~
...while the builders of the cages sleep with bullets, bars and stone,
they do not see your road to freedom that you build with flesh and bone.

trebor@biar.UUCP (Robert J Woodhead) (03/11/89)

In article <1551@etive.ed.ac.uk> nick@lfcs.ed.ac.uk (Nick Rothwell) writes:
>   Is it possible to write a Mac virus which works in the same way as
>the horrible low-level ones found on (Acht! Ptui!) PCs? I don't know
>how Macs boot from system volumes - I just assume it's magic. But,
>presumably the boot operation is open to attack, even if parts of the
>boot are directed from the Toolbox ROM. At this level, we would be
>talking about absolute disk addresses, absolute RAM locations, and so on,
>way below the safety of the OS. One property of abstraction is that the
>underlying representation can be quite volatile; because of the
>abstraction of the Memory Manager, perhaps attempts by viruses to use
>absolute RAM addresses would be doomed to failure as things come along
>and trample over them.

Anything is possible.  However, this note of reassurance.  A virus cannot
become active until its code is executed (during boot, INIT load, or
application launch).  Until that happens, it's bits on a disk.

So let's say the latest nefarious "below the trap level" virus has infected
your hard disk.  Quick as a flash, you power down your Mac, pull out your
locked floppy disk containing your favorite virus scan program (one that
scans the files looking for nefarious code), insert it and boot your Mac.

The system and finder on the floppy load; the virus code never executes.
You now run the scanning program which finds the viruses and removes them.
You are cured.

-- 
* Robert J Woodhead * The true meaning of life is cunningly encrypted and *
* uunet!biar!trebor * hidden somewhere in this signature...               *
* Biar Games, Inc.  *                       ...no, go back and look again *

dent@unocss.UUCP (Dave Caplinger) (03/12/89)

From article <1551@etive.ed.ac.uk>, by nick@lfcs.ed.ac.uk (Nick Rothwell):
> ...
>    Earlier this week, we were hit by nVIR strain B. I spotted it on
> ...

How do you tell the difference between the various strains of nVIR?

About two weeks ago, we were hit with nVIR, and I took care of it by using
AntiPan and KillVirusINIT (which I downloaded from simtel20..).  Now it's
pretty much gone, but I'm curious.  Without the aid of a disassembler, etc,
(although I have ResEdit, which is how I was sure it was nVIR), how can one
tell the difference between the various nVIR strains (and more importantly)
what are their functional differences?  (Some beep, some "Don't Panic" via
MacinTalk, etc..)


-/ Dave Caplinger /------------------+-----------------------------------
 Microcomputer Specialist            |  Internet: unocc07@zeus.unl.edu
 "Computing and Data Communications" |  UUCP:     uunet!btni!unocss!dent
 University of Nebraska at Omaha     |  Bitnet:   UNOCC07@UNOMA1
 Omaha, NE 68182                     |    or      dc3a+@andrew.cmu.edu

trebor@biar.UUCP (Robert J Woodhead) (03/15/89)

In article <709@unocss.UUCP> dent@unocss.UUCP (Dave Caplinger) writes:
>How do you tell the difference between the various strains of nVIR?

The two strains of nVIR differ in the size of the CODE 256 resource.
From memory, one is 372 bytes long, the other 442.  Within each strain
are a number of varieties with minor differences.

>what are their functional differences?  (Some beep, some "Don't Panic" via

In general, not much at all.  No known nVIR virus is malevolent.  Most
do nothing.  Some attempt to speak or make sounds.

-- 
* Robert J Woodhead * The true meaning of life is cunningly encrypted and *
* uunet!biar!trebor * hidden somewhere in this signature...               *
* Biar Games, Inc.  *                       ...no, go back and look again *
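
[Added example, not code from any poster in this thread.] Nick's first post
describes nVIR as a resource-level virus (it adds resources of its own
dedicated type and patches the CODE of applications) and asks whether a
scanner could interpret resource forks itself instead of going through the
Resource Manager; Robert's reply above says the two strains differ in the size
of CODE 256 (372 versus 442 bytes, from memory). The Python below does exactly
that check on raw fork bytes: it walks the resource map as laid out in the
Resource Manager chapter of Inside Macintosh, lists the resource types present,
flags the dedicated nVIR type, and reports the CODE 256 size. Assumptions:
the two forks it scans are constructed in memory (the 0x4E71 filler is the
68000 NOP opcode, not virus code); the thread does not say which size belongs
to strain A or B, so the labels carry only the size; the bounds checks are my
addition, since a scanner that trusts the offsets in a fork it is inspecting
is itself attackable.

```python
import struct

# Resource type nVIR adds to files it infects (named in the thread), and the two
# CODE 256 sizes quoted from memory in the thread; which is strain A vs B is not stated.
VIRUS_RESOURCE_TYPES = {b"nVIR"}
NVIR_CODE256_SIZES = {372: "strain with 372-byte CODE 256",
                      442: "strain with 442-byte CODE 256"}

# Fork layout (Inside Macintosh I, Resource Manager), all big-endian:
#   header: u32 data offset, u32 map offset, u32 data length, u32 map length
#   data:   per resource, u32 length + bytes
#   map:    16 reserved + 4 handle + 2 fileref + 2 attrs, u16 type-list offset,
#           u16 name-list offset (both from map start)
#   types:  u16 (ntypes-1), then per type: 4s type, u16 (nres-1), u16 reflist
#           offset (from type-list start)
#   ref:    i16 id, i16 name offset (-1 none), u8 attrs, u24 data offset
#           (from data-section start), u32 handle
DATA_OFFSET = 256  # 16-byte header plus the 240-byte system-reserved area

def _need(fork, off, n):
    """Refuse offsets that run past the fork: a scanner must not trust the map it reads."""
    if off < 0 or off + n > len(fork):
        raise ValueError(f"offset {off}+{n} beyond end of fork ({len(fork)} bytes)")

def build_resource_fork(resources):
    """Serialize [(type, id, data), ...] into a resource fork (constructed test data)."""
    data_blob, types, by_type = bytearray(), [], {}
    for rtype, rid, data in resources:
        off = len(data_blob)
        data_blob += struct.pack(">I", len(data)) + data
        if rtype not in by_type:
            types.append(rtype)
            by_type[rtype] = []
        by_type[rtype].append((rid, off))
    type_entries, ref_lists = bytearray(), bytearray()
    for rtype in types:
        ref_off = 2 + 8 * len(types) + len(ref_lists)  # from start of the type list
        type_entries += struct.pack(">4sHH", rtype, len(by_type[rtype]) - 1, ref_off)
        for rid, off in by_type[rtype]:
            ref_lists += struct.pack(">hhB", rid, -1, 0) + off.to_bytes(3, "big") + b"\0" * 4
    type_list = struct.pack(">H", len(types) - 1) + type_entries + ref_lists
    rmap = b"\0" * 24 + struct.pack(">HH", 28, 28 + len(type_list)) + type_list
    header = struct.pack(">IIII", DATA_OFFSET, DATA_OFFSET + len(data_blob),
                         len(data_blob), len(rmap))
    return header + b"\0" * (DATA_OFFSET - 16) + bytes(data_blob) + rmap

def parse_resource_fork(fork):
    """Walk the raw fork bytes (not the Resource Manager traps) -> {(type, id): data}."""
    _need(fork, 0, 16)
    data_off, map_off, _data_len, _map_len = struct.unpack_from(">IIII", fork, 0)
    _need(fork, map_off + 24, 4)
    type_list = map_off + struct.unpack_from(">H", fork, map_off + 24)[0]
    _need(fork, type_list, 2)
    ntypes = (struct.unpack_from(">H", fork, type_list)[0] + 1) & 0xFFFF  # 0xFFFF = empty
    resources = {}
    for i in range(ntypes):
        entry = type_list + 2 + 8 * i
        _need(fork, entry, 8)
        rtype, nres_m1, ref_off = struct.unpack_from(">4sHH", fork, entry)
        for j in range(nres_m1 + 1):
            ref = type_list + ref_off + 12 * j
            _need(fork, ref, 12)
            rid = struct.unpack_from(">h", fork, ref)[0]
            start = data_off + int.from_bytes(fork[ref + 5:ref + 8], "big")
            _need(fork, start, 4)
            length = struct.unpack_from(">I", fork, start)[0]
            _need(fork, start + 4, length)
            resources[(rtype, rid)] = bytes(fork[start + 4:start + 4 + length])
    return resources

def scan(fork):
    """Findings in the thread's terms: dedicated virus resource type, then CODE 256 size."""
    try:
        res = parse_resource_fork(fork)
    except ValueError as e:
        return [f"malformed resource fork: {e}"]
    present = {rtype for rtype, _ in res}
    findings = [f"resource type '{t.decode('mac_roman')}' present"
                for t in sorted(present & VIRUS_RESOURCE_TYPES)]
    code256 = res.get((b"CODE", 256))
    if code256 is not None:
        size = len(code256)
        label = NVIR_CODE256_SIZES.get(size, "size matches no strain quoted in the thread")
        if size in NVIR_CODE256_SIZES or present & VIRUS_RESOURCE_TYPES:
            findings.append(f"CODE 256 is {size} bytes: {label}")
    return findings

def sample_forks():
    """Constructed clean and infected forks; the 0x4E71 filler is 68000 NOP, not virus code."""
    app = [(b"CODE", 0, b"\0" * 40), (b"CODE", 1, b"\x4e\x71" * 10)]
    infected = app + [(b"CODE", 256, b"\x4e\x71" * 186),
                      (b"nVIR", 0, b"\0\0"), (b"nVIR", 1, b"\0" * 4)]
    return build_resource_fork(app), build_resource_fork(infected)

if __name__ == "__main__":
    for name, fork in zip(("clean", "infected"), sample_forks()):
        print(name, scan(fork) or ["no findings"])
```

Because this reads the fork bytes directly, a virus that hides itself by
patching GetResource and friends (the "next level" Nick worries about) gains
nothing against it; what it cannot defend against is a patched file system
under the scanner itself, which is why Robert's advice to boot from a locked
floppy still applies. On a current macOS the raw fork of a file can be opened
as `path + "/..namedfork/rsrc"` and handed to `scan()`.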

ts@cup.portal.com (Tim W Smith) (03/15/89)

Booting from a locked floppy and running a virus killer is not
enough.

What you need to do first is boot from a locked floppy containing
your SCSI installer, while holding down command-option-shift-delete
( assuming an SE or a II ), and then use your SCSI installer to
replace the SCSI driver on your hard disk.

THEN boot your virus killer...

						Tim Smith

ps: oh, and don't forget to unplug any SCSI ethernet adaptors too...

alexis@ccnysci.UUCP (Alexis Rosen) (03/18/89)

In article <380@biar.UUCP> trebor@biar.UUCP (Robert J Woodhead) writes:
>
>In general, not much at all.  No known nVIR virus is malevolent.  Most
>do nothing.  Some attempt to speak or make sounds.

Well. Fortunately, that appears to be true now. However, the original nVIR
*WAS* malevolent, deleting files once out of every sixteen times. Whatever
people say about Mattias Urlichs' common sense, we probably have him to
thank that that strain is now, apparently, extinct.

This is from memory... More details can probably be found in various archives
where the original articles describing nVIR are.

Alexis Rosen
alexis@ccnysci.uucp