zf@osupyr.mast.ohio-state.edu (Zbigniew Fiedorowicz) (01/28/89)
Here is a proposal for detecting/repairing applications damaged by virus infections.

It seems to me that all current Macintosh viruses (and any conceivable future Mac virus) designed to infect a broad range of applications do their dirty work by
(a) adding new viral code segment(s) to the application (or perhaps concatenating them into existing segments);
(b) changing the first entry (program entry point) in the jump table to point to the added viral code.
Unless the virus was targeted against a specific application, it could not reliably mess with the existing application code or modify the other jump table entries without a high risk of crashing the application on the first go.

In view of this, the following seems to be a reasonable way of dealing with such viral effects:
(1) Collect a database of program entry points & code segment numbers and sizes for all major Macintosh applications (and for each version).
(2) Archive this database at major archive sites & commercial information services (eg. sumex, Compuserve, ...). This would enable sophisticated Mac users to fix an infected application by restoring the correct entry point & removing the added viral code segments using Resedit. (Actually restoring the entry point suffices to disable the virus.) Also make provisions for regularly updating this database.
(3) Write an application which would use this database to detect infected applications and automatically repair them.

Present virus detection/repair programs (eg. KillScores, AntiPan, ...) are based on intimate knowledge of the code segment numbering algorithm of a particular virus and where it squirrels away the original entry point for a given application. This makes them useless against new viruses or even trivial modifications of old viruses.

I of course realize that the above proposal does not deal with all viral effects (eg. inits, modifications to the system file, etc.), but I believe it would still be a very useful addition to the antivirus arsenal.

Perhaps there are some difficulties in this scheme which I have overlooked. If so I would like to hear from you. Otherwise I call for a discussion on how to set this up. I for one am willing to volunteer my services with points (1) and (2) of the program. Of course it would be nice if Apple took charge of such a project.

Zbigniew Fiedorowicz
zf@osupyr.mast.ohio-state.edu
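An added illustration of points (1) and (3) of the proposal, not code from the poster or any shipped tool: a constructed baseline record (entry point plus CODE segment sizes) is compared against the CODE resources of a hypothetical application, and the entry point is restored and the unlisted segment dropped. It assumes the classic 68k CODE 0 layout (16-byte header, then 8-byte jump table entries of the form offset, MOVE.W #seg,-(SP), _LoadSeg); the application name, sizes and resource bytes are all constructed sample data.

```python
import struct
from typing import Dict, List, Tuple

# Constructed baseline of the kind the proposed database would hold:
# program entry point (segment, offset) and the expected size of each CODE segment.
BASELINE = {"HypotheticalApp 1.0": {"entry": (1, 0x0000), "segments": {1: 1200, 2: 3400}}}

# Assumed CODE 0 layout: 16-byte header (above-A5, below-A5, jump table size,
# jump table A5 offset), then 8-byte entries: offset, 0x3F3C seg (MOVE.W #seg,-(SP)),
# 0xA9F0 (_LoadSeg). Entry 0 is the program entry point the proposal wants to guard.
def read_entry_point(code0: bytes) -> Tuple[int, int]:
    off, movew, seg, trap = struct.unpack(">HHHH", code0[16:24])
    if movew != 0x3F3C or trap != 0xA9F0:
        raise ValueError("unexpected jump table entry encoding")
    return seg, off

def write_entry_point(code0: bytes, seg: int, off: int) -> bytes:
    return code0[:16] + struct.pack(">HHHH", off, 0x3F3C, seg, 0xA9F0) + code0[24:]

def check(app: Dict[int, bytes], base: dict) -> List[str]:
    """Compare an application's CODE resources (keyed by id) against the baseline."""
    findings = []
    seg, off = read_entry_point(app[0])
    if (seg, off) != base["entry"]:
        findings.append(f"entry point moved to CODE {seg}+{off:#x}")
    for rid, data in app.items():
        if rid == 0:
            continue
        if rid not in base["segments"]:
            findings.append(f"unexpected CODE {rid} ({len(data)} bytes)")
        elif len(data) != base["segments"][rid]:
            findings.append(f"CODE {rid} size {len(data)} != {base['segments'][rid]}")
    return findings

def repair(app: Dict[int, bytes], base: dict) -> Dict[int, bytes]:
    """Restore the recorded entry point and drop segments the baseline does not list."""
    fixed = {rid: d for rid, d in app.items() if rid == 0 or rid in base["segments"]}
    fixed[0] = write_entry_point(app[0], *base["entry"])
    return fixed

def make_code0(seg: int, off: int) -> bytes:
    """Build a minimal constructed CODE 0 with a single jump table entry."""
    header = struct.pack(">IIII", 0x20, 0x200, 8, 0x20)
    return header + struct.pack(">HHHH", off, 0x3F3C, seg, 0xA9F0)

# Constructed sample: entry point redirected to an added CODE 256 segment.
SAMPLE = {0: make_code0(256, 0), 1: b"\x4e\x75" * 600, 2: b"\x4e\x71" * 1700, 256: b"\x00" * 40}

if __name__ == "__main__":
    base = BASELINE["HypotheticalApp 1.0"]
    print(check(SAMPLE, base))
    print(check(repair(SAMPLE, base), base))
```

A size-only mismatch in an existing segment is reported but not repaired, since the baseline records sizes, not contents.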
g-verbru@rocky.cs.wisc.edu. (Rob Verbrugghe) (01/29/89)
In article <1206@osupyr.mast.ohio-state.edu> zf@osupyr.mast.ohio-state.edu.UUCP (Zbigniew Fiedorowicz) writes:
>
> Here is a proposal for detecting/repairing applications damaged by virus
...
> In view of this, the following seems to be a reasonable way of dealing with such viral effects:
> (1) Collect a database of program entry points & code segment numbers and sizes for all major Macintosh applications (and for each version).
> (2) Archive this database at major archive sites & commercial information services (eg. sumex, Compuserve, ...). This would enable sophisticated Mac users to fix an infected application by restoring the correct entry point & removing the added viral code segments using Resedit. (Actually restoring the entry point suffices to disable the virus.) Also make provisions for regularly updating this database.
> (3) Write an application which would use this database to detect infected applications and automatically repair them.
>
> I of course realize that the above proposal does not deal with all viral effects (eg. inits, modifications to the system file, etc.), but I believe it would still be a very useful addition to the antivirus arsenal.
...
> Of course it would be nice if Apple took charge of such a project.
>
> Zbigniew Fiedorowicz
> zf@osupyr.mast.ohio-state.edu

This may be a good idea, but it appears to be rather laborious. I'm lazy... It seems to me that there should be an easier way to deal with viruses.

A virus has two characteristics:
1) It propagates silently. If a virus had no way of infecting an application it would stay on the disks of the Evil Computer Science Student and simply not bother anyone else. If it was obvious that it was propagating, people could catch it early and minimize the damage.
2) It intentionally, or unintentionally, damages the system that it has infected.

It is impossible to do anything about #2, so all attention is focused on #1. Most anti-viral remedies help us to detect propagation. This is a good thing. Some anti-viral remedies stop the propagation of the virus. (For example by placing dummy nVir resources into applications so that the virus thinks that the application has already been infected, and passes it over.) This is a better thing, but it depends on intimate knowledge of that one virus. Thus it is useless against new viruses. Detection is therefore the more robust remedy.

Most viral notification schemes act to notify the user if something 'unusual' happens. Either the user becomes annoyed because the vaccine routines allow NOTHING to happen (even if it should), or there are "holes" in the protection that our Very Clever Evil Computer Science Student exploits... and we have another raging infection. Why? Well, the vaccine is broad spectrum to protect ALL applications, inits, ... this leaves 'chinks' in its armor.

So what if we come up with viral protection that is very narrow in scope? It is clearly hopeless to target one specific strain of a virus. The Very Clever Evil Computer Science Student would simply make a change to the virus, defeating the vaccine. Well, what if we had a vaccine that only protected one application? There are more applications than there are viruses. We would need a lot of programmers that understood each application. We would need to put each vaccine into each application. Who would do it? Let's get the people who write the applications to put anti-viral code into them!

Since each application (even each version) would have a different means of viral protection, a broad spectrum virus would not be able to successfully infect them. The Evil Computer Science Student would have the tables turned on him. He would have to write a virus that could only defeat the anti-viral protection of one (or three or four) versions of a very few programs. This would be VERY tough. (And how many times do two copies of Excel get next to each other?)

The anti-viral components of each program could either attempt to be self repairing, or the program could change its type from APPL and immediately die (well, after warning the user). Either way the virus would not be able to spread (as easily).

Viral immune programs would probably sell well. (The corporate world would eat them up.) Viral spread would be reduced. (But not stopped.) And public domain programs would become safer. (It would be wiser to target viruses at the big popular commercial programs.)

----------

Well, it sounds good, which probably means that I'm forgetting something important. Mind you, I'm not suggesting that we eliminate things like CE Vaccine, simply that programmers take it upon themselves to add some code that makes their programs less likely to carry viruses. Of course this might prompt those virus writers to come up with something REALLY NASTY to meet the challenge. I hope not...

Just thought I'd air some thoughts.

Rob Verbrugghe
g-verbru@cs.wisc.edu
{...}!uwvax!rocky!g-verbru